Last month Wikileaks published emails stolen from Turkish ruling party AKP — Now, a researcher has presented a report showing the AKP emails contain malware attachments!
A security researcher, Vesselin Bontchev, claims to have found malware in several downloadable files in the leaked data dump published by WikiLeaks from the Turkish ruling party (AKP) server.
The Bulgaria-based researcher uploaded his analysis on Github that shows hundreds of AKP emails contain malware attachments. For those who are not familiar with WikiLeaks AKP data dump, in July 2016 a hacker going by the online handle of Phineas Fisher claimed responsibility for hacking into the email server of AKP (Justice and Development Party) and stealing a trove of data which was later shared with WikiLeaks.
WikiLeaks published the data after the failed military coup last month. Bontchev’s research is a lesson for users: ”be careful what you download from the Internet.” More details on the AKP breach are available on Softpedia.
Bontchev divided his analysis into three columns where ”the first column contains a link to the e-mail on the Wikileaks site that contains the malicious attachment. The second column contains the URL on the Wikileaks site where the malicious attachment to this e-mail message resides while the third column contains links leading to a VirusTotal page, showing how the different scanners are reporting the malware,” according to his Github report.
Upon scanning the first link (F36CB35F410AB65958A6CCA846737A9C) on VirusTotal; the result shows that the link contains Trojan.GenericKD.3250120, a ransomware that encrypts files stored on the affected device and demands payment of a ransom.
The scanned attachment also contains Trojan/ Win32.Agent.N2005930713 developed to target Windows users. That’s not all; the file also contains Backdoor.W32.Androm!c, a backdoor trojan with RAT capabilities that allows attackers to gain unauthorized access and control of an affected computer. The full list of malicious files detected in just one email attachment can be seen in this screenshot below:
To view complete scan results it is highly recommended to view Bontchev’s presentation on Github.
Important message for journalist and researchers:
If you are a journalist, reporter or a researcher, Mr. Bontchev has mentioned that it is safe to view AKP emails, however, downloading attachments are not advisable. If you have already downloaded the data and executed on your device you should do a full scan as it is quite possible that your online activities are being monitored by a third party.
It is the malware. You can still download and infect yourself with a click. Just like before. But wait, it gets even better.
— Vess (@VessOnSecurity) August 16, 2016
Wikileaks makes even more malware freely available from their site, sigh… 🙁https://t.co/FaLn7EzZl0
— Vess (@VessOnSecurity) August 12, 2016
Updated the list of confirmed malware distributed by @wikileaks with many new entries (from the 2nd AKP mail dump):https://t.co/An2Q53V3ao
— Vess (@VessOnSecurity) August 13, 2016
LOL. If you thought my report about malware hosted by Wikileaks was bad stuff, keep in mind I didn’t look in the spam e-mails.
— Vess (@VessOnSecurity) August 14, 2016
Remember my report that they are hosing malware?https://t.co/An2Q53V3ao
They have tried to invalidate it.
— Vess (@VessOnSecurity) August 16, 2016
They didn’t contact me. They didn’t ask for my help. They didn’t remove the fucking malware. They didn’t run a scanner. Oh, no.
— Vess (@VessOnSecurity) August 16, 2016
Suppose we go the Wikileaks site, and search the AKP archive for a file attachment w/dangerous extension, like EXE:https://t.co/LcFm7h5dI8
— Vess (@VessOnSecurity) August 16, 2016
Finally, I though, those morons have listened and have removed the malware. Wishful thinking, as it turns out.
— Vess (@VessOnSecurity) August 16, 2016
The malware IS STILL there. But it is base64-encoded, so it would take extra stupidity from the user to get infected. Bad, not catastrophic.
— Vess (@VessOnSecurity) August 16, 2016
Now, START BEING EXTRA CAREFUL!!! Click on the Attachments tab. You can click and download the attachment. DON’T DO THAT!
— Vess (@VessOnSecurity) August 16, 2016
This is not the first time that WikiLeaks has published files containing malware. In September 2015, an autonomous data researcher, Josh Wieder, found malware in the files stored in The Global Intelligence Files section.
Remember, downloading attachments from unknown emails can cause you a lot of problems, for your own safety and security DON’T download attachments from publicly available data!
