Symantec warns of new spam campaign designed to feed on people’s fear of terrorism.
Symantec’s Lionel Payet has written a blog post for the company, warning that a new wave of spear-phishing emails containing Backdoor.Sockrat trojan are now doing the rounds.
According to Symantec, they noticed malicious emails spoofing the address of Middle Eastern law enforcement agencies earlier in November. The emails read like a warning from the police and carry attachments purporting to contain valuable security tips.
Payet notes:
The emails come with two attachments, one of which is a PDF file that is not actually malicious but acts as a decoy file. The malware resides in the other attachment, an archive, as a .jar file. Further analysis of the malware confirms that the cybercriminals behind this campaign are using a multiplatform remote access Trojan (RAT) called Jsocket (detected as Backdoor.Sockrat). This RAT is a new product from the creators of the AlienSpy RAT, which has been discontinued earlier this year.
Although at present the campaign is only targeting companies and employees in the UAE, Symantec has seen similar spear-phishing campaigns in Canada, Turkey and Bahrain. The company warns that we may see new email models targeting additional countries.
Symantec carries the following advice on its website:
Symantec advises users to remain vigilant and be wary of social engineering techniques to protect their data. Users are advised to adhere to the following best practices to avoid getting infected:
- Do not open attachments or click on links in suspicious email messages
- Avoid providing any personal information when answering an email
- Never enter personal information in a pop-up page or screen
- Keep security software up to date
- If uncertain about an emails legitimacy, contact your internal IT department or submit the email to Symantec Security Response through this portal
