Ebola phishing campaign delivers a RAT
The spread of the Ebola virus beyond West Africa and into several European countries and the USA has also signalled a new phishing campaign preying on people’s concerns. Websense has noted two forms of attack in a blog post.
Initially, the phishing campaign comprised an email with the Subject line “Ebola Safety Tips-By WHO”. The email contained a link which was used to download a RAR file. However, the RAR file contained the DarkComet Remote Administration Tool. Subsequent emails dispensed with the link and instead attached the RAR file to the email.
DarkComet is technically a legitimate piece of software. However, it is often used by attackers to gain access to a victim PC. Once it is installed, an attacker can then extract sensitive information from the victim PC, including (potentially) login credentials. DarkComet has many capabilities, including keystroke logging and remote operation of webcams and microphones. DarkComet is also attractive to attackers because it has a stealth capability.
The second phase of the campaign used a vulnerability that has been used in the Sandworm campaign, namely CVE-2014-4114. This vulnerability has since been patched by Microsoft, although a second similar vulnerability appeared shortly after; this was called CVE-2014-6532. Both vulnerabilities relate to OLE files. Microsoft has issued an advisory with workarounds for the current vulnerability. The main recommendation is not to open PowerPoint files from unverified sources.
The second attack consisted of an email with an attached infected document. According to the blog post, “a sample from a third-party source, named “Ebola in American.pps”, was leveraging CVE-2014-4114 to download and execute a payload from a remote address via the SMB protocol, which most of the time isn’t allowed to connect to public Internet addresses.”
On a more general level, US-CERT posted a warning about Ebola phishing. As per the alert, always exercise caution when receiving messages. Don’t click on links and don’t open attachments. Ensure Anti-virus software is up to date. We (at MailShark) would also add that you seriously consider using email filtering to screen out spam email before it reaches your Inbox.