An analyst looks at malware code in a lab. (Reuters/Jim Urquhart)
An analyst looks at malware code in a lab. (Reuters/Jim Urquhart)

Dear CPJ: Some malware from your ‘friend’

We talk a lot about hacking attacks against individual journalists here, but what typifies an attempt to access a reporter’s computer? Joel Simon, CPJ’s executive director, received an email last week that reflects some characteristics of a malware attack against a journalist or activist. There was nothing particularly notable about the targeting. (Like many reporters, CPJ receives such attempts occasionally). The attack failed at the first fence, and my casual investigation into the source was inconclusive. There are no shocking answers or big headlines to draw from this attack. But it does illustrate a contemporary reality: Opportunistic assailants regularly shower journalists with software attacks.

The email was marked as being from “Rony Kevin,” a misspelling of Rony Koven, who works with the World Press Freedom Committee, a partner press freedom organization. The originating Yahoo account wasn’t his, of course; the attackers had no connection with Koven at all.

The subject of the mail was “Fw: Journalists arrested in Gambia,” and the content of the mail was boilerplate text about reporters who had been recently imprisoned, followed by “Please review the attachments for more information.” The text was actually copied and pasted from this Article 19 alert. The text promised more information in an attached ZIP file, called “Details,” which it said was password encoded with the letters “CPJ.”

CPJ staffers are, as you might imagine, extremely cautious about opening strange attachments, but, after the mail had been quarantined, and in a suitably safe computing environment, I took a closer look at the attachments’ contents. Out of the five documents in the file, one was a text copy of the Article 19 article, three were accompanying pictures of the Gambian journalists–and one file was a Windows program, disguised as an image, which would have starting running if anyone clicked on it. (It would probably have also triggered several dozen anti-virus Klaxxon warnings, but some people don’t use anti-virus software or ignore it.)

Taking a closer look at that executable with some simple analysis tools, it was clear that the real job of the program was to unpack a piece of malware, stick it somewhere innocuous on the computer, and set it up to run automatically in the future. The unpacking code was a standard utility, with some comments in Chinese. At this point, I handed the file over to security researcher Morgan Marquis-Boire to see what he could make of it. Morgan let me know that the file was indeed malware and, when started, began communicating with a machine in Indonesia. I’ve mailed the administrators of that machine, but as usual, they did not reply. For now, the trail has run cold.

What can we learn from this attack? The fake identity of the email’s source and the content about Gambian journalists suggest that somebody had dedicated some time to understanding CPJ, its interests, and its network of partners. This is all evidence of “spear-phishing”–a person or group targeting a particular individual or organization, rather than the usual fraudsters and spammers attempting to exploit hundreds or thousands of generic Internet users. Whoever sent this wanted access to CPJ’s computers in particular, and was willing to spend at least some resources obtaining information that would make their emails convincing to us, and perhaps other international press freedom groups like the World Press Freedom Committee and Article 19.

The encryption of the Zip file was a smart way to get past the simplest anti-virus software. Anti-virus software that runs automatically wouldn’t know the password so it would not be able to automatically unzip the attachment and look inside for trouble. The personalized password also helps make the email seem more genuine.

The Chinese language in the executable means that this malware has come from a toolkit that used Chinese elements. There are plenty of Russian and Chinese tools floating around the international computer underground, however. You might not need to speak Chinese to use a piece of software with Chinese comments embedded within it, so I don’t think you can draw many conclusions from that.

Neither can you draw much from the use of an Indonesian command-and-control center. Just because the first stop for information sent from the infected computer is Jakarta, that doesn’t mean that it’s the final destination. That machine is undoubtedly an innocent system, taken over remotely by the attackers, and used as a convenient middleman for their activities.

So we don’t have much information about the specific identity of the hackers. We do know, however, that they exist: This isn’t an attacker who particularly cares to cover his tracks and doesn’t mind too much if the attack fails.

The software is generic, and could have been obtained by anyone interested in conducting an attack. There’s nothing that shouts state actors here, except perhaps for the target. There aren’t many other reasons to spend time specifically targeting press freedom groups, unless you are able to sell control of their computers to a third party who cares to disrupt or monitor their activities.

Who are those third parties? Whoever they are, their tactics are illegal in most countries. And their long-term targets are surely not NGOs like ours, but the journalists we seek to defend.