Researchers Lift the Lid on Politically Themed Malware

Written by

The internet is awash with politically themed malware, used in everything from ransomware to remote access trojans (RATs), according to new research from Cisco Talos.

The security firm’s study began with analysis of a regular-looking malicious spam campaign which used an executable named “trump.exe.”

Taking this as a jumping off point, the research team found a wide range of similarly themed threats that “was almost a microcosm of what we see in the threat landscape daily.”

These included Donald Trump-themed ransomware, and separate Trump and Vladimir Putin-themed locker malware. Interestingly, one of these threats offered no way for hackers to monetize their efforts.

Cisco also found numerous politically themed RAT campaigns, including Neshta, which used Kim Jong Un, and an NjRAT campaign that used an image of Putin — the same one used as an icon for the “Papa-Putin.exe” executable.

Some RATs were found using booby-trapped files purporting to contain political content as a lure, such as the Word document “12 things Trump should know about North Korea.doc,” which was used to spread the Konni RAT.

An Excel spreadsheet titled “Trump_administration_economic_indicators_on_China_investments.xls” contained malicious macros leading to infection by the well-known PoisonIvy RAT, often used in nation state attacks.

Other tools featuring political iconography included a Trump crypter, injectors referencing Barack Obama and Putin, and a Putin-themed malware loader.

Cisco also discovered a range of political software “ranging from the absurd to the disturbing,” including a “Dancing Hillary” game and a “Trump's Cyber Security Firewall” tool.

“As this investigation has exposed, adversaries will go to any lengths and use anything they deem advantageous, from pop culture to political references — everything is fair game,” it concluded. “This is applicable not only to the adversaries delivering malware, but also the miscreants writing tools for adversaries to leverage including crypters, injectors and loaders.”

What’s hot on Infosecurity Magazine?