Friday, 19 August 2016

06:50 by admin
The security researcher Vesselin Bontchev claims to have found malware in a number of downloadable files in the data dump that WikiLeaks published from the server of Turkey's ruling party, the AKP.
The Bulgaria-based researcher published his analysis on GitHub; it lists hundreds of AKP emails whose attachments are flagged as malicious. For those not familiar with the WikiLeaks AKP data dump: in July 2016 a hacker going by the online handle Phineas Fisher claimed responsibility for breaking into the email server of the AKP (Justice and Development Party) and stealing a trove of data, which was later shared with WikiLeaks.
WikiLeaks published the data after the failed military coup last month. Bontchev's research is a lesson for users: "be careful what you download from the Internet." More details on the AKP breach are available on Softpedia.
Bontchev divided his analysis into three columns where ”the first column contains a link to the e-mail on the Wikileaks site that contains the malicious attachment. The second column contains the URL on the Wikileaks site where the malicious attachment to this e-mail message resides while the third column contains links leading to a VirusTotal page, showing how the different scanners are reporting the malware,” according to his Github report.
Looking up the first entry on VirusTotal (hash F36CB35F410AB65958A6CCA846737A9C) shows the attachment detected as Trojan.GenericKD.3250120, described as ransomware that encrypts files stored on the affected device and demands a ransom payment.
Other engines report the same file as Trojan/Win32.Agent.N2005930713, a Windows trojan, and as Backdoor.W32.Androm!c, a backdoor with RAT capabilities that gives attackers unauthorised access to and control of the affected computer. These are different vendors' names for one and the same sample, not three separate payloads. The full list of detections for this single attachment can be seen in the screenshot below:
[Screenshot: VirusTotal detection list for the attachment]
For the complete scan results, see Bontchev's report on GitHub.
Important message for journalists and researchers:
If you are a journalist, reporter or researcher, Bontchev says it is safe to read the AKP emails on the site, but downloading the attachments is not advisable. If you have already downloaded the data and run any of the attachments on your device, do a full malware scan: it is quite possible that your activity is now being monitored by a third party.
After WikiLeaks changed its site in response to the report, Bontchev posted a series of tweets, reproduced here in order:
I can hardly find polite words to explain what a shitty thing @wikileaks have done this time! Get ready for a shitstorm of a tweetstorm.
Remember my report that they are hosting malware? https://github.com/bontchev/wlscrape/blob/master/malware.md
They have tried to invalidate it.
They didn't contact me. They didn't ask for my help. They didn't remove the fucking malware. They didn't run a scanner. Oh, no.
They just tried to make it so as if my report is no longer valid (i.e., the info in it doesn't work). Bear with me.
Suppose we go to the Wikileaks site, and search the AKP archive for a file attachment w/dangerous extension, like EXE: https://wikileaks.org/akp-emails/?file=exe&count=50#searchresult
The text says something about the file being removed because it was a virus. Looks good, yes? I thought so originally, too.
Finally, I thought, those morons have listened and have removed the malware. Wishful thinking, as it turns out.
You can't really view the source, but you can download it. This downloads the whole MIME message - text, attachment, all.
The malware IS STILL there. But it is base64-encoded, so it would take extra stupidity from the user to get infected. Bad, not catastrophic.
Now, START BEING EXTRA CAREFUL!!! Click on the Attachments tab. You can click and download the attachment. DON'T DO THAT!
It is the malware. You can still download and infect yourself with a click. Just like before. But wait, it gets even better.
LOL. If you thought my report about malware hosted by Wikileaks was bad stuff, keep in mind I didn't look in the spam e-mails.
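The tweets above make two practical points: a downloaded raw message still carries the attachment as a base64 blob inside the MIME body, and the only safe way to examine it is without ever turning it into a runnable file. The script below is an added example written for this article, not code from Bontchev's wlscrape repository or from WikiLeaks: it parses a raw .eml in memory, decodes each attachment's transfer encoding, records size, MD5 and SHA-256 (the MD5 can be compared with the hashes in the report or looked up on VirusTotal), and flags executable extensions and the Windows "MZ" header. The sample message, the list of dangerous extensions and the single known-bad hash (the one quoted from VirusTotal above) are constructed for the example.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute directly on a double-click. The tweet
# above searched the archive for "exe"; this wider list is an assumption made
# for this example, not something the page or Bontchev's report defines.
DANGEROUS_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".jar", ".msi", ".dll", ".lnk", ".ps1",
}

# MD5 of the first attachment discussed in the article. A real triage run
# would load the whole hash list from Bontchev's malware.md instead.
KNOWN_BAD_MD5 = {"F36CB35F410AB65958A6CCA846737A9C"}


def build_sample_eml() -> bytes:
    """Build a constructed .eml for the demo (NOT a real AKP message).

    The email library base64-encodes the attachments exactly as they appear
    in a downloaded MIME message. The "executable" is only a fake MZ header
    plus padding, not a working program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    fake_exe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def triage_attachments(raw_eml: bytes) -> list[dict]:
    """Decode every attachment in memory and describe it without running it.

    Nothing is written to disk, so the base64 blob never becomes a file with
    its original name and extension; the hashes can be checked against the
    report or looked up on VirusTotal instead."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        # decode=True undoes the base64 / quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        md5 = hashlib.md5(payload).hexdigest().upper()
        findings.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "md5": md5,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "dangerous_extension": ext in DANGEROUS_EXTENSIONS,
            "pe_header": payload.startswith(b"MZ"),  # Windows executable magic
            "known_bad": md5 in KNOWN_BAD_MD5,
        })
    return findings


def risky_attachments(raw_eml: bytes) -> list[str]:
    """Filenames to quarantine: listed hash, executable extension or PE magic."""
    return [f["filename"] for f in triage_attachments(raw_eml)
            if f["known_bad"] or f["dangerous_extension"] or f["pe_header"]]


if __name__ == "__main__":
    sample = build_sample_eml()
    for finding in triage_attachments(sample):
        print(finding)
    print("quarantine:", risky_attachments(sample))
```

Run it against a message saved from the site by replacing build_sample_eml() with the bytes of the downloaded file. The extension check alone is not enough (a document with an embedded macro or exploit will pass it), which is why the hash is also compared with the report and should be looked up on VirusTotal before anything is opened.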
This is not the first time WikiLeaks has published files containing malware. In September 2015 the independent researcher Josh Wieder found malware in files stored in the Global Intelligence Files section of the site.
Remember: opening attachments from unknown emails can cause you a lot of problems. For your own safety and security, do not download attachments from publicly available data dumps.
