Just as people express their political views through art, malware developers express their political ideologies, hopes, and frustrations through the computer infections they create.
While investigating a recent malspam campaign, the Cisco Talos Group noticed that the payload was named Trump.exe. Noticing the politically themed name, Talos began researching other malicious programs that contained political references or themes and found hundreds of examples.
“Pivoting off of these campaigns, we began to look for other IOCs that utilized political references,” the Talos Group explained in their report. “We developed a list of various names, terminology and iconography that has generated headlines across the political spectrum over the past few years. We then began a search throughout various malware repositories and discovered that not only were political names and iconography surprisingly common, but the results produced a wide variety of threats and were almost a microcosm of what we see on the threat landscape daily.”
Below are some of the politically themed threats found by Talos, organized by politician, as well as one discovered by BleepingComputer.
In 2016, right before a September 26th Presidential debate between Donald Trump and Hillary Clinton, I began searching for malware based around these candidates.
As part of this search, I found a new in-development ransomware called “This is the Donald Trump Ransomware”. While this ransomware never actually made it into the wild, it does show how politics influence malware developers, even during an election season.
In addition to the above ransomware, the Talos Group also found the “Donald Trump Screen of Death”, which is a screen locker that attempted to lock you out of Windows while showing various pictures of President Trump.
It is not only malware, though, that wants to join the political fray.
The Talos Group also found the Trump Crypter, which is used to obfuscate malware code so that it is not detected by security software. The crypter itself, though, does no harm to a computer.
In October 2016, right before the U.S. Presidential Election, a screenlocker called “CIA Election AntiCheat Control” was found. This malware showed a picture of Hillary Clinton and Donald Trump and told victims to send $50 USD or their upcoming election vote would not count.
Not all politically motivated samples are malicious, as the Cisco Talos Group also found a harmless program called Dancing Hillary that let you make Hillary Clinton dance around the program window.
Not to be left out, malware developers have also created infections that targeted former President Barack Obama.
In 2017, I was alerted to a new Sanctions Ransomware that was actively infecting victims and encrypting their files. What made this ransomware so interesting was the political message in the ransom note showing what Russians thought of the sanctions imposed on Russia by President Barack Obama.
While the above ransomware was an actively spread infection, another ransomware that appeared to be more of a joke was discovered, called “Barack Obama’s Everlasting Blue Blackmail Virus”. This infection would encrypt files, but only .exe files, which made it quite useless.
In addition to malware, the Cisco researchers also found an injector that used an Obama theme. Injectors are used to inject malicious code into legitimate processes in order to hide its presence from security software.
Not only about U.S. politicians
While a lot of the discovered infections used U.S. political figures as their themes, other politicians from the world stage also appear.
Not surprisingly, Russian President Vladimir Putin was the theme for many infections as shown by a screenlocker called PuTiN Lockware that was discovered by Talos.
The Talos Group also discovered a sample of the njRAT Remote Access Trojan that displayed a decoy file of Putin winking when the infection was installed. Little did the victims know, though, that the attackers now had full control of their computer.
Angela Merkel, the Chancellor of Germany, was also the theme for a ransomware that we reported on in 2016. This ransomware would encrypt a victim's files and append the .angelamerkel extension to encrypted files.
Using malware to protest world events or countries
Malware developers also create infections that are used to protest current world issues or countries that they disagree with.
For example, in August 2017 a data wiper called IsraBye was discovered that contained anti-Israel messages as a protest against Israeli officials installing new security measures at the Al Aqsa mosque in Jerusalem.
Another ransomware, called RansSIRIA, stated that all ransom payments would be donated to Syrian refugees.
The plight of the Syrian people was also recognized by the developers of the notorious GandCrab ransomware, who decided that they would release decryption keys for free to any Syrians who were infected by their ransomware.
“The most important thing is not to indicate that he will help everyone. He will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries.
We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.”
As we move into the U.S. Presidential Election and as worldwide politics continue to unfold, it should be expected that we will continue to see developers using malware to express their political views.
INDICATORS OF COMPROMISE (IOCS)
The following IOCs have been observed as being associated with these malware campaigns.
The following file hashes have been observed as being associated with malware; please note that we are only including the hashes of the malicious files we found:
6a60cd318d1bbae691afa685e1b21799fa62c2581231309bc4d6d2a88270fbeb (Trump Crypter)
057635f414ae4f9febeca5e6325c9d0e3c3b2e4119e6e6032ea13744e031df01 (Putin Hook)
47ffdd88735c5c9d20370b4a0b6b4aaabeaaa13b40ac488ecca788d5e7ee491f (Putin Locker)
c12da1253c554b1b952eb3fa45818e267c2ccccf2147981ac3c31bbcb5d84c23 (Putin Injector)
b01718fd2c768e9564fb087ab560f91b85cfd46eab25987ca15c6ba01848e09f (Obama Injector)
60fff84d43d1a18494d44b9bdb9776a71f6cc30373c8fbb663877ab7e28a7581 (Donald Trump Screen of Death)
4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4 (Donald Trump Ransomware)
df2ea575168063c53454b5f07f2741d728276309049a5b8906948cbc653fea71 (Word Maldoc)
d7ef08aabb432d58ddc6a5a6c286c3b729c9085a987e46a6a82652fff4461ef2 (Excel Maldoc)
bf1a40987d0040ba0672cce074e583132b1a9f559692cd597e8319d94eebca81 (RTF Maldoc)
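A hash list like the one above is only useful if it is actually checked against files on a host. The script below is an added example, not code from the Talos report or from BleepingComputer: it loads the SHA-256 IOCs listed above, streams every regular file under a directory through SHA-256, and reports any match by IOC name. The `demo()` function builds a constructed sample tree (a benign text file and a placeholder file named `Trump.exe`) and registers the placeholder's digest as a hypothetical extra IOC so the scan has something to hit; none of the constructed bytes are real malware, and the file name plays no part in matching, only the digest does.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs as listed in the article (only these values come from the page).
IOC_HASHES = {
    "6a60cd318d1bbae691afa685e1b21799fa62c2581231309bc4d6d2a88270fbeb": "Trump Crypter",
    "057635f414ae4f9febeca5e6325c9d0e3c3b2e4119e6e6032ea13744e031df01": "Putin Hook",
    "47ffdd88735c5c9d20370b4a0b6b4aaabeaaa13b40ac488ecca788d5e7ee491f": "Putin Locker",
    "c12da1253c554b1b952eb3fa45818e267c2ccccf2147981ac3c31bbcb5d84c23": "Putin Injector",
    "b01718fd2c768e9564fb087ab560f91b85cfd46eab25987ca15c6ba01848e09f": "Obama Injector",
    "60fff84d43d1a18494d44b9bdb9776a71f6cc30373c8fbb663877ab7e28a7581": "Donald Trump Screen of Death",
    "4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4": "Donald Trump Ransomware",
    "df2ea575168063c53454b5f07f2741d728276309049a5b8906948cbc653fea71": "Word Maldoc",
    "d7ef08aabb432d58ddc6a5a6c286c3b729c9085a987e46a6a82652fff4461ef2": "Excel Maldoc",
    "bf1a40987d0040ba0672cce074e583132b1a9f559692cd597e8319d94eebca81": "RTF Maldoc",
}

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large files do not need to fit in memory


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for small constructed inputs)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs: dict = IOC_HASHES) -> list:
    """Walk `root`, hash every regular file and return [(path, ioc_name)] for matches.

    Symlinks are skipped so a planted link cannot drag the scan outside `root`,
    and unreadable files are skipped rather than aborting the whole run.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission denied or file vanished mid-scan; keep going
            label = iocs.get(digest.lower())
            if label is not None:
                hits.append((path, label))
    return hits


def demo() -> list:
    """Constructed sample tree: one benign file and one placeholder registered as a
    hypothetical IOC (its bytes are just a string, not a real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_text("nothing to see here")
        suspect = Path(tmp) / "Trump.exe"
        suspect.write_bytes(b"constructed placeholder bytes, not malware")

        iocs = dict(IOC_HASHES)
        iocs[sha256_file(str(suspect))] = "constructed test sample"  # hypothetical IOC
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label}: {path}")
```

In practice the IOC dictionary would be loaded from a feed rather than hard-coded, and a hit should be treated as a trigger for triage (quarantine, timeline the file's arrival, check the malspam mailbox) rather than as proof by itself; hashes are trivially changed by a crypter like the one described above, so a clean scan is not evidence of absence.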