Criminals with an apparent grudge against demonstrators opposing Russian President Vladimir Putin are targeting the country's citizens with data-wiping malware, Symantec has reported.
The attack uses the lure of one of a number of Russian-language protest subject lines, including, ‘Meeting for equal elections,’ and ‘all to demonstration,’ offering instructions in the form of an attached Word document.
Attacks targeting popular events and interests are utterly standard but the engineering of this attack has unusual elements to it that hint at the possibility of a political as well as straightforwardly criminal motivation.
The first is its 500KB size, about fifty times larger than the average bulk spam, which is normally designed to pass across the mail infrastructure as efficiently and unobtrusively as possible. Symantec doesn’t spell it out, but commercial or criminal spammers would be unlikely to send spam emails of this size, even when using Word documents.
The second is its attention-grabbing malevolence. Victims loading the attached Word document will see a map of an anti-Putin rally in Moscow, unaware that they have also launched a dropper program in the background that executes the payload.
Users with Word macros enabled will be hit by Trojan.gen, which looks for and overwrites any files it finds with common extensions such as .doc, .xls, .exe, .zip, .msc, .rar and .7z, basically most of the content on a computer bar uncompressed pictures and videos.
According to Symantec, the overwriting process makes files almost irretrievable even to forensic software, a deliberate and calculated choice by the perpetrators that serves no obvious commercial end.
Oddly, the Trojan also contacts an IP address in order to call Trojan.Smoaler, a piece of malware normally used to steal the sort of data the macro has just obliterated. A final malevolent act is to cause the PC to blue screen.
One positive takeaway is that Trojan.gen dates from 2010 and should be easily detected by antivirus programs. It also requires macros to be enabled – Office 2007 and 2010 should only allow this to happen with notification, offering a measure of protection.
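The two defensive signals the article points to, the unusual attachment size and the dependence on Word macros, can both be checked at the mail gateway before a user ever opens the document. The following script is an added illustration, not code from Symantec or from the report: it flags Office Open XML attachments that carry a VBA project (`word/vbaProject.bin` and its Excel/PowerPoint equivalents), flags legacy OLE2 binary documents for deeper inspection since their macros cannot be ruled out without a full parser, and flags attachments above a size threshold. The 400KB threshold, the `triage_attachment` function and the constructed sample documents are assumptions for illustration; the only value taken from the article is the roughly 500KB size of the malicious mails.

```python
import io
import zipfile

# Assumed threshold for illustration: the article puts the malicious mails at
# about 500KB, roughly fifty times a typical bulk spam message.
SIZE_THRESHOLD = 400 * 1024

# Zip members whose presence means an Office Open XML file carries VBA code.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Magic bytes of the OLE2 compound file format used by legacy .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_ooxml_macros(data: bytes) -> bool:
    """Return True if an OOXML (.docx/.docm/.xlsm/...) blob contains a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def is_legacy_ole(data: bytes) -> bool:
    """Legacy binary Office files can embed macros without any zip member,
    so they are flagged for deeper inspection rather than cleared."""
    return data.startswith(OLE_MAGIC)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Hypothetical gateway check: collect reasons an attachment deserves a second look."""
    reasons = []
    if has_ooxml_macros(data):
        reasons.append("contains VBA project")
    if is_legacy_ole(data):
        reasons.append("legacy OLE2 document; macros cannot be ruled out without parsing")
    if len(data) >= SIZE_THRESHOLD:
        reasons.append(f"unusually large attachment ({len(data) // 1024} KB)")
    return {"file": filename, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_docx(with_macros: bool, padding: int = 0) -> bytes:
    """Constructed sample input: a minimal OOXML zip, optionally with a dummy
    vbaProject.bin member. The member holds zero bytes, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # default ZIP_STORED keeps padding uncompressed
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>" + " " * padding)
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("meeting.docx", build_sample_docx(with_macros=False)),
        ("demonstration.docm", build_sample_docx(with_macros=True, padding=SIZE_THRESHOLD)),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

In a real deployment the OLE2 branch would hand the file to a proper compound-file parser; the point of the check here is that a document flagged on either signal should not reach a user whose Office macro setting is anything other than "disable with notification" or stricter.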