A few weeks before the much-anticipated Game of Thrones season finale, security researchers at Proofpoint spotted a Chinese cyber-criminal group trying to lure fans into downloading malware through malicious documents sent by email.
The group was using two episodes from HBO’s popular Game of Thrones show that had been leaked online.
Episode 4 was leaked by one of HBO’s third-party distributors in India, while episode 6 of season 7 was accidentally aired in advance by HBO Scandinavia and HBO Spain.
These incidents generated a lot of online chatter about the HBO series leaks.
This made it easy for the attackers to use the early Game of Thrones releases as bait for their phishing campaign.
A cyber-espionage group from China has been using the recently leaked episodes of Game of Thrones to lure its targets into opening infected documents sent by email.
The group, identified by Proofpoint, is popularly known as Deputy Dog (aka APT17), and has been sending messages whose subject line asks the recipient whether they want to watch Game of Thrones episodes in advance.
The subject line was designed to entice targets to open the attachments so they could watch the new GoT episodes.
The weaponized attachments relied on OLE Packager shell objects or an embedded LNK file to execute a PowerShell script.
The script then installs the diskless 9002 RAT (Remote Access Trojan), which runs in memory rather than being written to disk.
Once the Trojan is installed, the attacker gains full access to and control over the infected device.
The Game of Thrones theme served mainly to increase the effectiveness of the campaign.
This is a standard threat-actor technique: build lures that are both relevant and timely, and play on the natural human curiosity to click on something that promises a reward, which is ultimately how most malware spreads online.
Deputy Dog, AKA APT17
The APT17 group is believed to operate from China. It has an extensive history of intrusions, among other cyber-crimes, dating back almost 10 years.
Some of their most famous attacks include Operation Aurora and Operation Ephemeral Hydra.
The researchers at Proofpoint were able to attribute the attack to the Deputy Dog group because of similarities with a previous campaign by the same group conducted in April 2014.
The researchers found several ZIP archives containing a similar LNK downloader that had been uploaded to an online file-scanning service.
The malicious LNK files carried the same volume serial number.
The LNK filename used in one of the Game of Thrones phishing emails closely resembles one of the LNK filenames from the 2014 campaign.
The filename in the 2014 campaign was Party00[1-35].jpg.lnk, whereas the 2017 file was named Party-00[1-5].jpg.lnk.
The party-photo theme and the stock JPGs used in the 2014 and 2017 campaigns were also remarkably similar.
Another overlap was the reuse of code from the Metasploit Java reverse stager in exploits previously analyzed by FireEye.
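The two traits the attribution above rests on, a shared NTFS volume serial number embedded in the shortcut and an image filename placed in front of the .lnk extension, are both readable directly from the Shell Link (MS-SHLLINK) binary format, as is the command line that launches the PowerShell stage described earlier. The following triage script is an added example, not Proofpoint's tooling or code from the campaign; the sample .lnk it builds, its serial number and its command line are constructed placeholders.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLinkHeader CLSID
SUSPICIOUS_ARGS = re.compile(r"powershell|-enc|hidden|bypass", re.I)
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|pdf|docx?)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the volume serial number and StringData fields of a .lnk blob (MS-SHLLINK)."""
    if data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags
    pos = 0x4C  # fixed ShellLinkHeader size
    if flags & 0x01:  # HasLinkTargetIDList: skip the list (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    fields = {"serial": None}
    if flags & 0x02:  # HasLinkInfo
        info_size, _, info_flags, vol_off = struct.unpack_from("<IIII", data, pos)
        if info_flags & 0x1:  # VolumeID present; DriveSerialNumber sits at its offset 8
            fields["serial"] = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
        pos += info_size
    width = 2 if flags & 0x80 else 1  # IsUnicode: UTF-16LE strings, else code page
    for bit, name in zip((4, 8, 16, 32, 64), ("name", "relative_path", "working_dir", "arguments", "icon")):
        if flags & bit:  # StringData entries appear in this fixed order
            count = struct.unpack_from("<H", data, pos)[0] * width
            raw = data[pos + 2:pos + 2 + count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count
    return fields


def assess(filename: str, data: bytes, known_serials: set) -> list:
    """Reasons a shortcut attachment looks like a PowerShell downloader (empty list = none)."""
    info = parse_lnk(data)
    checks = (
        (DOUBLE_EXT.search(filename), "image/document extension placed in front of .lnk"),
        (SUSPICIOUS_ARGS.search(info.get("arguments", "")), "arguments launch PowerShell"),
        (info["serial"] in known_serials, "volume serial number matches an earlier campaign"),
    )
    return [reason for hit, reason in checks if hit]


def build_sample_lnk(serial: int, args: str) -> bytes:
    """Construct a minimal .lnk for testing (constructed sample, not a campaign file)."""
    flags = 0x02 | 0x20 | 0x80  # HasLinkInfo | HasArguments | IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    volume = struct.pack("<IIII", 0x11, 3, serial, 0x10) + b"\x00"  # fixed disk, empty label
    base = b"C:\\Windows\\System32\\cmd.exe\x00"
    n = 28 + len(volume)  # LocalBasePath offset; an empty CommonPathSuffix follows it
    link_info = struct.pack("<IIIIIII", n + len(base) + 1, 28, 1, 28, n, 0, n + len(base))
    return header + link_info + volume + base + b"\x00" + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Feed `assess()` the attachment name and bytes of each .lnk pulled from an inbound ZIP, with `known_serials` populated from earlier samples, to get the matching indicators for a mail-gateway or sandbox rule.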
In 2016, cyber crime cost the global economy at least $450 billion.
Attackers have built an impressive business model, and their latest victim is Home Box Office (HBO).
APT17’s recent tactics also show just how difficult it is for organizations to detect and prevent advanced threats.
Even where a company works to block cyber attacks, lures that target natural human behavior, combined with a sophisticated delivery mechanism and powerful tools such as the latest version of the 9002 RAT, give attackers a real advantage in breaking into corporate data and systems.
The only way companies can prevent such attacks is through ongoing anti-phishing campaigns and employee training on which messages to open and which to leave alone.
Otherwise, companies will remain prone to such intrusions, as they are easy prey for the actors behind these attacks.