Chinese hackers turn to Operation PRISM as phishing lure

An email uploaded to VirusTotal and reprinted by security blogger Brandon Dixon is titled “CIA’s prism Watchlist,” and contains broken, often unintelligible English sprinkled with PRISM-related phrases such as “Edward Snowden” and “National Security Agency.” The email carries a 2.5-megabyte attachment, called “Monitored List1.doc,” containing an exploit for CVE-2012-0158 that installs the NetTraveler spyware.

Kaspersky Lab recently identified an organized group of about 50 Chinese-speaking individuals as the actor behind the compromise of at least 350 high-profile victims in 40 countries (with the true total likely closer to 1,000). The NetTraveler campaign is an advanced persistent threat (APT) operation that steals sensitive data, logs keystrokes, and retrieves file system listings and various Microsoft Office and PDF documents.

“It’s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed,” Dixon said in his blog. “This sort of behavior shows poor operational security or a complete lack of care.”

Known NetTraveler targets include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments, embassies and military contractors. In this case, the poor English suggests that the PRISM lure is not aimed at North American victims, and the email’s recipient appears to be a Yahoo! account linked to the Regional Tibet Youth Congress in Mundgod, India. “What’s amusing is the sender address which makes an attempt to be Jill Kelley, the woman who kicked off that crazy FBI investigation fiasco a couple months back,” Dixon said.

Dixon wasn’t able to obtain any command-and-control data, but noted that “whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. The NetTraveler attackers have been going strong since the early 2007-2008s and I doubt they will be stopping anytime soon.”