Skip to main content

Fake EFF Domain Spreads Malware In Spear Phishing Campaign

Decompiled App.class payload

Thanks to Google's security team, the EFF discovered that someone was targeting people with a spear phishing attack using a fake "electronicfrontierfoundation.org" domain. The domain was registered on August 4, likely under a false name, and the attack started the same day, according to the EFF.

The attack was not carried using this single electronicfrontierfoundation.org, but was part of a larger espionage campaign called "Pawn Storm," (opens in new tab) which was uncovered a year ago by Trend Micro, a security and antivirus company. According to Trend Micro, the group behind Pawn Storm was likely tied to the Russian government and has been active since at least 2007 (opens in new tab).

The attack used a recently discovered Java vulnerability (opens in new tab), the first known zero-day in the past two years. The target would receive a spear phishing email containing a link in the form of "http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class," which contains a Java applet that exploits a vulnerable version of the Java Virtual Machine. After the URL would be clicked, it would no longer send any malware payloads in order to make life difficult for malware analysts.

After the first Go.class payload is dropped on the user's machine, the attacker gains full control and can send a second App.class payload, which exploits the same Java vulnerability earlier reported by Trend Micro.

This second payload is able to then download a second stage binary, called comac.mcr, and it can detect whether the user's machine is Windows, Linux or Mac OS X to send the appropriate file for infecting that operating system.

The EFF believes that because the attack used the same Java vulnerabilities, path names and payloads, there's a high chance it's the same group responsible for the other Pawn Storm attacks.

In 2014, FireEye, another security firm, released a paper about the "APT-28" campaign that used similar malware and was tied to the Russian government. The past attacks included targets such as Russian dissidents and journalists, U.S. Defense Contractors, NATO forces, and White House staff. Therefore, the EFF concluded that these attacks using the fake EFF domain must have been carried out by the Russian government as well.

The EFF has already reported the domain name for abuse (although it's still active for now), and Oracle has patched the zero-day vulnerability in its VM. EFF suggested that anyone who wants to better protect themselves against phishing attacks or other espionage attempts should read its Surveillance Self-Defense guide.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Kennyy Evony
    Sounds more like something NSA would do.
    Reply
  • OpalSerPenT
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.
    Reply
  • SinxarKnights
    What does it do once it has successfully infected a computer?
    Reply
  • Gaidax
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.
    Reply
  • Kennyy Evony
    16541936 said:
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.

    Truth is often hard to swallow.
    Reply
  • Marty01
    yeah I agree, more likely nsa. Blaming russia for everything is what the present nwo zionist oligarchy are
    doing with their zionist globalist media puppets. They want ww3 bad before wall st collapses and the rich
    lose a lot of money.

    I truly wonder if you actually believe this shit.

    Why not? Because media controlled entirely by zionists don't talk about it?

    Reply
  • Christiaan Lourens
    Love the game, even though I only played it for a short while thus far ( by that I mean I have not explored all there is to it since it is quite a vast game with so many things to do). One thing I will note however is similar to DayZ the community is sometimes pretty bad on certain servers, so just hop around till you find one you like. Then just have your friends join you there.
    Reply