A few weeks before the season finale of popular HBO series “Game of Thrones” Proofpoint researchers spotted a Chinese advance persistent threat (APT) group looking to lure fans with leaked episodes.
The APT group sent phishing emails looking to capitalize on the actual HBO hack which made off with approximately 1.5 TB of data by claiming to offer victims a glimpse of the leaked content, specifically the last episode.
The subject line of the email reads “Wanna see the Game of Thrones in advance?” and includes a Microsoft Word attachment named “game of thrones preview.docx,” according to an August 25, Proofpoint blog post.
The attachment is actually an embedded OLE packager shell object)that, if run, executes a malicious PowerShell script leading to the installation of the diskless “9002” remote access trojan (RAT).
“The use of a Game of Thrones lure during the penultimate season of the series follows a common threat actor technique of developing lures that are timely and relevant, and play on the human factor – the natural curiosity and desire to click that leads to so many malware infections,” researchers said in the blog.
Researchers said the campaign resembles activity previously attributed to the Deputy Dog (aka APT17) threat group and linked the malware used in the most recent campaign to campaigns in early- to mid-2014. Furthermore, the malicious LNK files in both campaigns have the same Volume Serial Number of 0xCC9CE694, the blog said.
In addition, the LNK filename used in one of the campaigns this year is almost identical to the one used in the 2014 campaign, Party00[1-35].jpg.lnk (2017) vs. Party-00[1-5].jpg.lnk (2014) and the theme of party pictures and stock images were also similar to the 2014 campaign as well.
Researchers warned that the malware can open wide doors into corporate data and systems for the actors behind these attacks.