One of our engineers discovered a new NUWAR sample while analyzing a current sample and in the process stumbled on a neat little twist. Originally, NUWAR's themes were nuclear war and political issues. This time around it appears to ride on the popularity of CNN.
The new sample connects to CNN.COM and determines the “MOST popular news” by parsing the main page. Aside from the usual hardcoded email messages and subjects, the malware uses the news topics from the CNN main page in its email details. One thing I want to shed a little more light on, however, is that instead of the usual email recipients, it appears to target only email addresses containing the strings “Microsoft”, “.gov” and “.mil” (all three strings must be present).
Below is an email sample obtained using a bait email address that satisfies the condition stated above.
From the findings stated earlier, it would appear that the targets are now the military or the government. A simple search for domains satisfying the above condition yields the following results:
- http://www.mil.wa.gov/ (Washington Military department)
- http://www.mil.gov.ua/index.php?lang=en (Ukraine Ministry of Defense)
- http://www.mil.doh.gov.tw/ (General Hospital – Taiwan Dept. Of Health)
- http://naou.mil.gov.ua/index.htm
- http://gur.mil.gov.ua
I guess one major concern here is that if the malware is indeed targeting the government or the military, this gives it a new edge in social engineering. Imagine receiving emails from one of the domains stated above with email details like:
- Nuclear WAR in USA! Please read attached file!
- Nuclear WAR in Russia! Please read news in file!
- GLOBAL NUCLEAR WAR JUST STARTED! PLease see attached file.
This could potentially hype up the hit rate of these mass-mailers. Just our two cents, but it’s definitely worth digging deeper into.
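To turn the two observations above (the three-string recipient profile and the “Nuclear WAR” lure subjects) into a mail-gateway check, here is an added example that is not part of the original post or the sample's own code. The addresses and messages are constructed for illustration; the rule flags a message only when a lure subject and a recipient matching the profile coincide.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Recipient profile from the post: all three substrings must appear in the address.
TARGET_MARKERS = ("microsoft", ".gov", ".mil")
# The lure subjects listed in the post all share the "Nuclear WAR" theme.
LURE_SUBJECT_RE = re.compile(r"\bnuclear\s+war\b", re.IGNORECASE)


def matches_target_profile(address: str) -> bool:
    """True when an address carries every marker the sample selects on."""
    lowered = address.lower()
    return all(marker in lowered for marker in TARGET_MARKERS)


def classify_message(raw_mail: str) -> dict:
    """Check one RFC 822 message; flag only when lure subject and targeted recipient coincide."""
    msg = message_from_string(raw_mail)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers)]
    targeted = [addr for addr in recipients if matches_target_profile(addr)]
    lure_subject = bool(LURE_SUBJECT_RE.search(msg.get("Subject", "")))
    return {
        "targeted_recipients": targeted,
        "lure_subject": lure_subject,
        "flag": lure_subject and bool(targeted),
    }


# Constructed sample (not from the post): lure aimed at an address hitting all three markers.
SAMPLE_HIT = """\
From: news@cnn.example
To: Ops <ops@microsoft.mil.example.gov>, bob@example.org
Subject: Nuclear WAR in USA! Please read attached file!

Please read attached file!
"""

# Constructed sample: same lure, but the recipient lacks ".mil", so it is outside the profile.
SAMPLE_MISS = """\
From: news@cnn.example
To: alice@microsoft.example.gov
Subject: Nuclear WAR in Russia! Please read news in file!

Please read news in file!
"""
```

Running `classify_message` over both samples shows the recipient profile doing the discriminating work: the subject alone matches in both cases, but only the first is flagged.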