Malware targeting GE13, spyware maker was in KL
By Goh Su Gim May 4, 2013
- GE13 an opportunity for malware writers to gain new victims
- FinSpy spyware maker was in KL trade show hawking its wares in 2011
MALAYSIA’S 13th general election (GE13) will take place on Sunday May 5, 2013. Political news coverage is inundating all news outlets, including social networking sites, as all political parties go into high gear in the final run-up to polling day.
The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques – and true enough, this week Citizen Lab released a report indicating that a sample of the sophisticated FinFisher (aka FinSpy) surveillance malware was discovered in a document crafted specifically for this event.
The malware was distributed in a booby-trapped Malay-language Microsoft Word document named “SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc” (In English, “List of proposed candidates for 13th General Elections according to states”).
The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country’s history. F-Secure detects the document in question as Trojan:W32/FinSpy.D.
FinFisher is created by an European company called the Gamma Group. As we mentioned in a previous post, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia.
The ISS event serves as a trade fair for surveillance software (attendance is by “invitation” or if you are a “telco service provider, government employees or law enforcement officer”).
In addition, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook and Malaysiakini, a popular Malaysian online news site, have been subjected to various forms of disruption, including defacements, denial of service attacks and filtering.
F-Secure Labs is observing the situation. We have seen a raise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase is due to election-related activity or something else (click to enlarge chart).
This is not the first time F-Secure has seen politically motivated malware related to a country’s election period. In 2007, malware was used in a Kenyan election to redirect users to a campaign site, while using Agent.DPL Trojan to remove certain Windows functions, rendering the victims’ computer useless (http://www.f-secure.com/weblog/archives/00001301.html).
During the 2008 presidential elections in the United States, the “Presidential Malware” was distributed through email, redirecting users to malicious websites hosting malware masquerading as an Adobe Flash update (http://www.f-secure.com/weblog/archives/00001530.html).
For this particular election though, Malaysian users are advised to exercise caution when viewing unknown documents, particularly when received through e-mail or online.
Goh Su Gim is the security advisor, Asia, for cybersecurity firm F-Secure. This article first appeared in the company’s blog and is used here with permission.