Malicious malware targets journalists, free press organizations

Last week the Executive Director of the Committee to Protect Journalists received an email that looked like it was sent from a colleague at sibling organization World Press Freedom Committee.

The email contained disguised malware - that, if executed, would have allowed remote surveillance by an unknown party.

Every year journalists around the world are murdered in reprisal for reporting on (and in) places such as Syria and Somalia.

Non-governmental organizations like the Committee to Protect Journalists fight to protect high-risk journalists and defend global free press violations.

In doing so the CPJ takes on dangerous international cases of abduction, attacks, censorship, expulsion, harassment, imprisonment and murder of journalists and media professionals worldwide.

Now their work has put them square in the crosshairs of malevolent malware attacks.

The Committee to Protect Journalists has come forth with detailed information about how it was targeted with tactics of carefully conceived impersonation to insert malware onto one of its key computers.

The first red flag for CPJ Director Joel Simon was a slight misspelling of colleague Rony Koven's name - the email came from a Yahoo email address with the name "Rony Kevin."

CPJ's Internet Advocacy Coordinator Danny O'Brien described the email saying,

The subject of the mail was "Fw: Journalists arrested in Gambia," and the content of the mail was boilerplate text about reporters who had been recently imprisoned, followed by "Please review the attachments for more information."

The text was actually copied and pasted from this Article 19 alert. The text promised more information in an attached ZIP file, called "Details," which it said was password encoded with the letters "CPJ."

The CPJ explained that since software attacks on organizations such as theirs are on the rise, this particular malware attempt was a good example for discussion.

Naturally, the seasoned organization didn't open any of the suspicious attachments. Instead the CPJ quarantined the email package for examination and forensics work.

There were five items in the .zip file. It contained a text file, three photographs of Gambian journalists - and a Windows executable disguised as an image file.

When activated, the executable was indeed malware set to unpack itself, run in the background and communicate from the Director's computer to a machine that security researcher Morgan Marquis-Boire located in Indonesia.

O'Brien emailed the Indonesian server's admins to no avail.

That's probably because in this instance the machine in Indonesia is only acting as a remote server, rather than the final destination for information the malware would send to the originating party.

In plain terms, when malware is installed on someone's computer it is controlled from a remote machine - through another machine.

But understanding the kind of malware used to attack the Committee to Protect Journalists is a bit more revealing.

While the objective of the malware is still in question, traditionally the kind of malware in CPJ's fake Gambian email is used to log keystrokes and possibly facilitate access to email and other types of online accounts. A standard type of online account compromised in this kind of malware instance would be Skype -  malware like this commonly includes Skype access.

Unfortunately this kind of attack on free press organizations - and journalists - is becoming more common as malware toolkits increase in availability in the international computer underground.

O'Brien stressed the weight of the attack's intent by examining its social engineering details:

The fake identity of the email's source and the content about Gambian journalists suggest that somebody had dedicated some time to understanding CPJ, its interests, and its network of partners. (...)

Whoever sent this wanted access to CPJ's computers in particular, and was willing to spend at least some resources obtaining information that would make their emails convincing to us, and perhaps other international press freedom groups like the World Press Freedom Committee and Article 19.

This attack failed, but all parties on the defense team are certain that more malware attempts are inevitable.

O'Brien believes that the targets are not solely organizations like his, but in fact the journalists, free press and media that CPJ seeks to protect.

With 85 journalists killed in 2011 (plus 179 imprisoned), the 55 journalists murdered so far this year, and an increasing availability for malware kits - stories about malware attacks on free press organizations may become disturbingly common.