Fake EFF Domain Spreads Malware In Spear Phishing Campaign

Decompiled App.class payload

Thanks to Google's security team, the EFF discovered that someone was targeting people with a spear phishing attack using a fake "electronicfrontierfoundation.org" domain. The domain was registered on August 4, likely under a false name, and the attack started the same day, according to the EFF.

The attack was not carried out using this single electronicfrontierfoundation.org domain alone; it was part of a larger espionage campaign called "Pawn Storm," which was uncovered a year ago by Trend Micro, a security and antivirus company. According to Trend Micro, the group behind Pawn Storm was likely tied to the Russian government and has been active since at least 2007.

The attack used a recently discovered Java vulnerability, the first known zero-day in the past two years. The target would receive a spear phishing email containing a link of the form "http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class," which serves a Java applet that exploits a vulnerable version of the Java Virtual Machine. Once a link had been clicked, that URL stopped serving any malware payloads, in order to make life difficult for malware analysts.

After the first Go.class payload is dropped on the user's machine, the attacker gains full control and can send a second App.class payload, which exploits the same Java vulnerability earlier reported by Trend Micro.

This second payload can then download a second-stage binary, called comac.mcr; it detects whether the user's machine runs Windows, Linux or Mac OS X and fetches the file appropriate for infecting that operating system.
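The indicators the article gives (the fake domain, the "/url/{6_random_digits}/Go.class" path shape, the App.class second stage and the comac.mcr binary) are enough to triage a web proxy log for this campaign. The script below is an added example written for this page, not code from the EFF, Trend Micro or Tom's Hardware. It assumes a simple constructed log format (timestamp, client IP, method, URL, status); the sample log lines, the 198.51.100.23 address and the path from which App.class is served are constructed for the example, since the article does not state them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the article.
FAKE_DOMAIN = "electronicfrontierfoundation.org"
# First-stage applet URL: /url/<six digits>/Go.class, optionally followed by a query string.
GO_CLASS_PATH = re.compile(r"/url/\d{6}/Go\.class(?:\?|$)")
# Filenames of the later stages named in the article.
STAGE_FILES = {"App.class", "comac.mcr"}

# Loose URL splitter: optional scheme, host, optional path.
URL_RE = re.compile(r"^(?:https?://)?([^/\s]+)(/\S*)?$")

# Constructed proxy log lines (format: timestamp client method url status).
# The App.class path and the 198.51.100.23 host are assumptions for this example.
SAMPLE_LOG = [
    "2015-08-04T10:01:12Z 10.0.0.7 GET http://www.eff.org/deeplinks 200",
    "2015-08-04T10:02:45Z 10.0.0.7 GET http://electronicfrontierfoundation.org/url/482913/Go.class 200",
    "2015-08-04T10:02:51Z 10.0.0.7 GET http://electronicfrontierfoundation.org/url/482913/App.class 200",
    "2015-08-04T10:03:02Z 10.0.0.7 GET http://198.51.100.23/comac.mcr 200",
    "2015-08-04T10:05:00Z 10.0.0.9 GET http://electronicfrontierfoundation.org/ 404",
]


@dataclass
class Hit:
    line_no: int
    reason: str
    url: str


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL matches one of the article's indicators, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    on_fake = host == FAKE_DOMAIN or host.endswith("." + FAKE_DOMAIN)
    # Most specific indicator first: the exploit applet URL on the fake domain.
    if on_fake and GO_CLASS_PATH.search(path):
        return "first-stage Go.class applet URL on fake EFF domain"
    # Later-stage filenames are worth flagging wherever they are fetched from.
    if name in STAGE_FILES:
        return f"known payload filename {name}"
    # Any other traffic to the lookalike domain is still suspicious.
    if on_fake:
        return "request to fake EFF domain"
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan proxy log lines and return every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        reason = classify_url(parts[3])
        if reason:
            hits.append(Hit(n, reason, parts[3]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} -> {hit.url}")
```

On the constructed sample the sweep flags lines 2 through 5 and leaves the genuine www.eff.org request alone. The filename check is deliberately not tied to the fake domain, because the article notes the second-stage binary is selected per operating system and could plausibly be hosted elsewhere; a defender would still want those fetches surfaced for review.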

The EFF believes that because the attack used the same Java vulnerabilities, path names and payloads, there's a high chance it's the same group responsible for the other Pawn Storm attacks.

In 2014, FireEye, another security firm, released a paper about the "APT-28" campaign, which used similar malware and was tied to the Russian government. Past targets included Russian dissidents and journalists, U.S. defense contractors, NATO forces, and White House staff. The EFF therefore concluded that the attacks using the fake EFF domain must have been carried out by the Russian government as well.

The EFF has already reported the domain name for abuse (although it's still active for now), and Oracle has patched the zero-day vulnerability in its VM. EFF suggested that anyone who wants to better protect themselves against phishing attacks or other espionage attempts should read its Surveillance Self-Defense guide.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Kennyy Evony
    Sounds more like something NSA would do.
    Reply
  • OpalSerPenT
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.
    Reply
  • SinxarKnights
    What does it do once it has successfully infected a computer?
    Reply
  • Gaidax
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.
    Reply
  • Kennyy Evony
    16541936 said:
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.

    Truth is often hard to swallow.
    Reply
  • Marty01
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.

    Why not? Because media controlled entirely by zionists don't talk about it?

    Reply
  • Christiaan Lourens
    Love the game, even though I only played it for a short while thus far ( by that I mean I have not explored all there is to it since it is quite a vast game with so many things to do). One thing I will note however is similar to DayZ the community is sometimes pretty bad on certain servers, so just hop around till you find one you like. Then just have your friends join you there.
    Reply