Cybercriminals are actively using the political agenda and the names of well-known politicians to spread malware. Researchers have warned of hundreds of cyber campaigns in which ransomware, remote access tools and other unwanted programs are disguised as articles and documents on topical subjects.
“Donald Trump can add ransomware to the list of things named after him, thanks to scammers who again have demonstrated how current events create opportunities to steal data,” write CyberScoop journalists.
Cisco Talos experts decided to study this topic when they discovered a malicious trump.exe file in one of the attacks by the Cobalt group. Further investigation showed that this is only one of many such lures for potential victims.
Information security specialists have long been aware of the malware that serves as the payload in these campaigns. For example, a Word document entitled “12 Things Trump Should Know About North Korea” deploys the Konni RAT Trojan on a computer; this Trojan has been active, according to various estimates, since 2014. Experts noticed this malware in attacks against state and private organizations, which were also associated with the DPRK.
Another malicious document, an Excel file titled “Trump Administration Indicators for China Investment”, contained macros for downloading the PoisonIvy RAT.
The operators of this malware have used topical subjects before: in 2014 the Trojan was distributed disguised as materials about the missing Malaysian Airlines flight MH-370.
Attackers are trying to trick users into engaging with an emotional response where they “just click and don’t fully think things through. They want someone to agree or disagree very strongly with whoever they position so that the user isn’t thinking, ‘Should I open this?’” said Craig Williams, Talos’ director of research.
Popular politicians in malicious campaigns:
The US president was not the only politician whose name was used in the current attacks. Material allegedly about North Korean leader Kim Jong Un infected victims with the Nechta Trojan, and the Papa-Putin.exe file masked the NjRAT Trojan. Experts also encountered the name of Vladimir Putin in the title of a primitive ransomware that blocks controls and the task manager on a computer.