Earlier this month, Symantec observed malicious emails spoofing the email address of one United Arab Emirates (UAE) law enforcement agency, particularly the Dubai Police Force. These spear-phishing emails, which read like a warning from the Dubai Police, bank on users’ fear of terror attacks to trick them into executing the malicious attachments. The attachments are disguised as valuable security tips that could help recipients to protect themselves, as well as their companies and their families, from potential terror attacks that may occur in their business location.
To add more credibility to the emails, the crooks impersonate the incumbent Dubai Police lieutenant general, who is also the head of general security for the emirate of Dubai, by signing the email with his name.
Figure 1. Email sample that impersonates the Dubai Police department
The emails come with two attachments, one of which is a PDF file that is not actually malicious but acts as a decoy file. The malware resides in the other attachment, an archive, as a .jar file. Further analysis of the malware confirms that the cybercriminals behind this campaign are using a multiplatform remote access Trojan (RAT) called Jsocket (detected as Backdoor.Sockrat). This RAT is a new product from the creators of the AlienSpy RAT, which has been discontinued earlier this year.
Targets beyond the UAE
While the group behind this campaign mainly targeted UAE-based companies and employees, we have also seen similar spear-phishing runs targeting three other countries: Bahrain, Turkey and, more recently, Canada. Like in the Dubai campaign, the cybercriminals are also using incumbent law enforcement officials’ names in these countries to lend credibility to their fake terror alerts, which also purport to provide protective measures supposedly outlined in attached files. The group is expanding their reach and we may see new email models targeting additional countries.
Figure 2. Sample of the fake terror alert supposedly sent by a Canadian Department of National Defence official
Interestingly enough, despite not being entirely written in the countries’ respective official languages, the emails are pretty crafty. All officials used in the cybercriminals’ scheme are currently in office. The subject in most cases reflects the name of an employee who works for the targeted company. All these details show that the crooks did some research before sending these phishing emails. If they do not have any employee information, then they would email other targets in the company that could provide them an entry point, such as customer service representatives or IT department personnel.
Figure 3. Heatmap showing regions affected by the Backdoor.Sockrat malware used in this campaign
At the time of writing, we can confirm that this campaign is aimed at various big companies in the Middle East and Canada. While the campaign does not target a specific type of industry, we have observed such emails sent to the following sectors: energy, defense contractor, finance, government, marketing, and IT.
With recent events such as those witnessed in Paris and Beirut just last week, terrorist attacks have become a threat across the world, and terror groups have been known to make their presence felt online too. We may yet see more of these kinds of social engineering tactics preying on real-world fears.
Mitigation
Symantec advises users to remain vigilant and be wary of social engineering techniques to protect their data. Users are advised to adhere to the following best practices to avoid getting infected:
- Do not open attachments or click on links in suspicious email messages
- Avoid providing any personal information when answering an email
- Never enter personal information in a pop-up page or screen
- Keep security software up to date
- If uncertain about an email’s legitimacy, contact your internal IT department or submit the email to Symantec Security Response through this portal
Protection
Symantec and Norton products have the following detections in place to protect users against this campaign:
AV:
Skeptic (.Cloud email) protection: