Malicious email that recipient is on "Prism watchlist" linked to just-uncovered espionage campaign

The group behind the "NetTraveler" espionage malware campaign is now sending emails claiming the recipient is on the "Prism" watch list, according to researchers.

Prism is a recently outed U.S. surveillance program run by the National Security Agency that collects data from internet giants such as Google, Facebook and Apple.

On Tuesday, the 9b+ blog, run by security engineer Brandon Dixon, reported that a malware-laden phishing email recently was added to VirusTotal. It was sent with the subject "CIA's prism Watchlist" and contained a malicious Microsoft Word document titled "Monitored List 1.doc," which takes advantage of a Windows Common Controls vulnerability that was patched in April 2012.

According to 9b+, the email targeted a member of the Tibetan Youth Congress in India. In a humorous twist, the sender claims to be Jill Kelley, likely a reference to the Jill Kelley whose complaint to the FBI about threatening emails led to last year's revelation that CIA Director David Petraeus, who has since resigned, was having an extramarital affair with Paula Broadwell, the author of his biography.

Earlier this month, security firm Kaspersky Lab lifted the mask off the NetTraveler espionage campaign, which is targeting hundreds of organizations around the globe – and attackers are using two commonly exploited flaws in Microsoft Word to steal corporate data.

Kaspersky researchers released an analysis about the NetTraveler toolkit, which is capable of exfiltrating data – like file system listings, PDFs and Excel and Word documents – from infected machines.

According to the security company, the campaign has been active since early 2004, though the majority of infections occurred in the last three years. Over the course of the campaign, the NetTraveler group has infected 350 victims in 40 countries, where government and military organizations, activists, oil and gas companies and research centers were the primary targets.

"It's funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed," the 9b+ post said. "Again, this sort of behavior shows poor operational security or a complete lack of care...Whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it."
