Demonstrators targeted with destructive malware
A spam campaign carrying an unusual payload has recently been spotted targeting Russian users who are not satisfied with Vladimir Putin once again becoming the President of the country.
The emails in question have diverse subjects, such as “All to demonstration”, “Instructions what to do” or “Meeting for the equal elections”, and usually contain only one line in the body, something along the lines of “It is very important that you know what to do on the day as everybody will follow the same instructions.”
The attached file seems at first glance to be a .doc file, but it’s actually a dropper Trojan that contains a malicious macro, which drops and executes another Trojan.
Symantec researchers warn that, so as not to raise suspicion with the targets, the file also presents them with a map and instructions about the rally once it is run.
If macros are enabled when the document opens, a particularly nasty Trojan is executed that searches for, overwrites, and finally deletes all .7z, .doc, .exe, .msc, .rar, .xls and .zip files located on the victims’ computer.
And then, for good measure, it runs code that calls the RtlSetProcessIsCritical API, which crashes the machine.
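
One way to look for the overwrite-then-delete behaviour described above in file-activity telemetry, as an added example that is not from the original article or from Symantec. The event tuple layout, process names, paths, time window and threshold are constructed assumptions; only the extension list comes from the article.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the article lists as searched for, overwritten and deleted.
TARGET_EXTS = {".7z", ".doc", ".exe", ".msc", ".rar", ".xls", ".zip"}

# Constructed sample telemetry: (seconds, pid, image, operation, path).
# The tuple layout, process names and paths are assumptions for illustration.
SAMPLE_EVENTS = [
    (0.0, 4120, "winword.exe", "write", r"C:\Users\a\Documents\notes.doc"),
    (2.0, 6010, "archiver.exe", "write", r"C:\Users\a\AppData\Local\Temp\x.zip"),
    (2.5, 6010, "archiver.exe", "delete", r"C:\Users\a\AppData\Local\Temp\x.zip"),
    (9.0, 5332, "payload.exe", "write", r"C:\Users\a\Documents\notes.doc"),
    (9.1, 5332, "payload.exe", "delete", r"C:\Users\a\Documents\notes.doc"),
    (9.2, 5332, "payload.exe", "write", r"C:\Users\a\Documents\budget.xls"),
    (9.3, 5332, "payload.exe", "delete", r"C:\Users\a\Documents\budget.xls"),
    (9.4, 5332, "payload.exe", "write", r"C:\Users\a\Backup\photos.ZIP"),
    (9.5, 5332, "payload.exe", "delete", r"C:\Users\a\Backup\photos.ZIP"),
    (9.6, 5332, "payload.exe", "delete", r"C:\Users\a\Desktop\readme.txt"),
]


def find_wipers(events, window=5.0, min_files=3):
    """Return {pid: sorted paths} for processes that overwrote and then deleted
    at least min_files target-extension files, each within window seconds."""
    last_write = {}            # (pid, path) -> time of most recent write
    wiped = defaultdict(set)   # pid -> paths written and then deleted
    for ts, pid, _image, op, path in sorted(events):
        norm = path.lower()    # Windows paths are case-insensitive
        if PureWindowsPath(norm).suffix not in TARGET_EXTS:
            continue
        if op == "write":
            last_write[(pid, norm)] = ts
        elif op == "delete":
            written = last_write.pop((pid, norm), None)
            if written is not None and ts - written <= window:
                wiped[pid].add(norm)
    return {pid: sorted(paths) for pid, paths in wiped.items()
            if len(paths) >= min_files}


if __name__ == "__main__":
    for pid, paths in find_wipers(SAMPLE_EVENTS).items():
        print(f"pid {pid}: overwrite-then-delete on {len(paths)} files")
        for p in paths:
            print("  ", p)
```

Installers and archivers also write and then delete files of these types, so the window and file-count threshold need tuning against normal activity on the monitored hosts.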