Malware Author Infects NZ Shooter's Manifesto to Stop its Spread

We’ve heard of people using disasters to spread malware for profit, but here’s something new: a malware author trying to stop the spread of a poisonous document by injecting a little poison of their own. News emerged this week of a weaponized version of the New Zealand shooter's manifesto circulating online.

On March 15, an attacker killed 50 people in two mosques in Christchurch, New Zealand, injuring 50 more. Before launching the attack, which he live streamed on social media, he also sent a white supremacist manifesto to media outlets and the New Zealand Prime Minister's office.

According to network threat protection company Blue Hexagon, an infected version of the manifesto is now doing the rounds.

According to the company's analysis, the weaponized version lists its author as someone calling themselves ‘Maori,’ whereas the original uses the shooter’s name.

The infected version includes an obfuscated Visual Basic for Applications (VBA) script that tries to download a second-stage payload. This payload is a portable executable (PE) file, an executable Windows program, that overwrites the host computer's master boot record with a message. It then forces the machine to reboot and display the message, which says "This is not us!"
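For defenders triaging a document like this before anyone opens it, the added example below (not from Blue Hexagon or the original article) reads the author field and checks for an embedded VBA project without launching Office. It assumes the file is an OOXML (zip-based) Word document, which the article does not state; the function names and sample files are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DC_NS = {"dc": "http://purl.org/dc/elements/1.1/"}
MAX_CORE_XML = 1_000_000  # skip oversized metadata parts (zip-bomb guard)

def triage_ooxml(data: bytes) -> dict:
    """Return the author field and any VBA project parts in an OOXML file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Assumption: OOXML only; legacy OLE .doc files need a different parser.
        raise ValueError("not a zip-based OOXML container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macro-enabled Office files store their VBA code in a vbaProject.bin part.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        creator = None
        core = "docProps/core.xml"
        if core in names and zf.getinfo(core).file_size <= MAX_CORE_XML:
            # Stdlib parser; consider defusedxml when parsing hostile XML.
            node = ET.fromstring(zf.read(core)).find("dc:creator", DC_NS)
            creator = node.text if node is not None else None
    return {"creator": creator, "vba_parts": vba_parts,
            "has_macros": bool(vba_parts)}

def _build_sample(creator: str, with_macro: bool) -> bytes:
    """Constructed sample: a zip holding only the parts this check reads."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{creator}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    # "Maori" is the author value reported in the article; the rest is constructed.
    for label, blob in (("no macro", _build_sample("placeholder author", False)),
                        ("macro", _build_sample("Maori", True))):
        print(label, triage_ooxml(blob))
```

An author field is trivially editable, so treat it as context only; the presence of a VBA project in a file that should be plain text is the stronger signal to quarantine it.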

This is an interesting approach to censorship. Scammers regularly hijack real-world events to spread viruses and make money from people trying to make legitimate donations for victims. Instead, this malware author clearly wanted to disrupt the spread of the real manifesto with its dozens of pages of hate speech.

The attempt seems to reinforce a broader effort to remove the shooter's digital documentation from the internet. New Zealand's Office of Film and Literature Classification officially classified the manifesto as objectionable, banning it and the live streamed video in New Zealand. Conversely, White House aide Kellyanne Conway advocated for people to read it as she defended President Trump, whom the document reportedly praised.

Our advice? Don’t read any copies that you do find online, and don’t go looking for them. Aside from giving a toxic online statement more oxygen, doing so could also put your computer in danger.
