Spear-phishing Attacks Launched at United States After Trump is Elected

By Joseph Lorenz on November 11, 2016

Sources: http://www.securityweek.com/cyberspies-launch-us-attacks-hours-after-trump-elected (SecurityWeek), http://arstechnica.com/security/2016/11/russian-hackers-throw-trump-victory-party-with-new-spear-phishing-campaign/ (Ars Technica)

Just hours after Donald Trump was elected president of the United States, spear-phishing attacks were launched by the Russia-linked threat actor 'The Dukes', also known as APT29, Cozy Bear, and CozyDuke. Although the group has been targeting think tanks and non-governmental organizations (NGOs) since at least July 2015, it was only in August 2016 that the attackers began using a new piece of malware, dubbed "PowerDuke".

Unlike the group's earlier attacks, which used ZIP files containing malicious executables, this campaign delivered PowerDuke through emails carrying macro-enabled Word and Excel documents. The macros were set up to install a downloader, which then fetched the PowerDuke backdoor. The first attack wave analyzed after the election consisted of eFax-themed emails titled "The Shocking Truth About Election Rigging in the United States," chosen to intrigue employees with a subject tied to the election. The second wave kept the eFax theme but used the subject "Elections Outcome Could Be Revised [Facts of Elections Fraud]", again delivering PowerDuke via macro-enabled documents. The third wave consisted of messages from a fas.harvard.edu address, purportedly sent through the Harvard PDF Mobile service and titled "Why American Elections Are Flawed"; these also carried the malware. The final wave also used Harvard FAS email addresses and appeared to be messages forwarded from someone at the Clinton Foundation.

PowerDuke can collect information about the infected device, create and terminate processes, download and upload files, and obtain the text of the current window. The backdoor is hidden inside PNG images using steganography, and some of its components are loaded into memory, which limits what file-based scanning alone can see.

The hacker who calls himself Guccifer 2.0, whom researchers believe may be a persona operated by Russian cyberspies, has claimed to have hacked the Clinton Foundation; the foundation has denied the claim. The U.S. government has officially accused Russia of cyberattacks intended to interfere with the presidential election.