Malware Targets Demonstrators Opposed to Putin’s Re-Election

Contributor: Pavlo Prodanchuk

A wave of spam emails promoting a rally against newly elected president Vladimir Putin of Russia began around March 5. An attachment purporting to contain details of an upcoming anti-Putin demonstration accompanied email subjects with varying call-to-action lines:

  • “All to demonstration”
  • “Instructions what to do”
  • “Meeting for the equal elections”

Here is a sample email that was sent:

File name: Инструкция_митинг.doc (Instructions_rally.doc)
Subject: Instructions - what to do at the meeting
Body: Instructions of your actions on rally against Putin

The body of the email contains just one sentence indicating the attached document contains “Instructions of your actions on rally against Putin” or “It is very important that you know what to do on the day as everybody will follow the same instructions”. Phrases like these are intended to play on curiosity, especially regarding the latest election news in Russia, in an attempt to persuade recipients to open the malicious attachment.

The malicious document, detected as Trojan.Dropper, contains a malicious macro, which drops and executes an encrypted executable component detected as Trojan.Gen. If an unsuspecting recipient opens this document, they will see details of an apparent upcoming anti-Putin rally:

If macros are enabled when the document opens, a particularly nasty Trojan is executed that searches for and then overwrites any files with the following extensions. These files are subsequently deleted, which makes it difficult to recover the files even using hard disk forensics:

  • .7z
  • .doc
  • .exe
  • .msc
  • .rar
  • .xls
  • .zip

The Trojan also attempts to connect to IP address (down at the time of analysis), which contains links to the notorious Trojan.Smoaler threat. Smoaler recently used the domain as part of its command-and-control server and this website formerly resolved to the above IP address. The Trojan does not stop here! Once it has destroyed all of the above files by overwriting them, it then runs code to cause the computer to crash (blue screen) through a call to the RtlSetProcessIsCritical API.

From a spam perspective, this attack is quite unusual – mainly because of its size (average of more than 500 KB). Most spam messages do not exceed 10 KB. (For example, in the latest Symantec Intelligence report, 56 percent of all February spam messages were less than 5 KB with 30 percent between 5 - 10 KB and only 13 percent greater than 10 KB.)

The graph below illustrates the catch rate volume for this spam mail:

The signature rule was created by automated scenarios based on information that was received from Symantec's global honeypot network during the early hours of Monday, March 5, when the attack first began.

As always, be aware of any unsolicited emails containing attachments, which might be take advantage of current events like the recent election result in Russia.