Malicious email that recipient is on "Prism watchlist" linked to just-uncovered espionage campaign


The group behind the "NetTraveler" espionage malware campaign is now sending emails claiming the recipient is on the "Prism" watch list, according to researchers.

Prism is a recently outed U.S. surveillance program run by the National Security Agency that collects data from internet giants such as Google, Facebook and Apple.

On Tuesday, the 9b+ blog, run by security engineer Brandon Dixon, reported that a malware-laden phishing email recently was added to VirusTotal. It was sent with the subject "CIA's prism Watchlist" and contained a malicious Microsoft Word document titled "Monitored List 1.doc," which takes advantage of a Windows Common Controls vulnerability that was patched in April 2012.

According to 9b+, the email targeted a member of the Tibetan Youth Congress in India. In a humorous twist, the sender claims to be Jill Kelley, likely a reference to the Kelley whose complaint to the FBI about threatening emails led to last year's revelation that CIA Director David Petraeus, who has since resigned, had an extramarital affair with Paula Broadwell, the author of his biography.

Earlier this month, security firm Kaspersky Lab lifted the mask off the NetTraveler espionage campaign, which is targeting hundreds of organizations around the globe – and attackers are using two commonly exploited flaws in Microsoft Word to steal corporate data.

Kaspersky researchers released an analysis about the NetTraveler toolkit, which is capable of exfiltrating data – like file system listings, PDFs and Excel and Word documents – from infected machines.

According to the security company, the campaign has been active since early 2004, though the majority of infections occurred in the last three years. Over the course of the campaign, the NetTraveler group has infected 350 victims in 40 countries; government and military organizations, activists, oil and gas companies and research centers were the primary targets.

"It's funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed," the 9b+ post said. "Again, this sort of behavior shows poor operational security or a complete lack of care...Whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it."

You must be a registered member of SC Magazine to post a comment.