Recently cybersecurity researchers found that ransomware is actually seasonal as it appears during some particular months of the year. This time cybersecurity researchers found that the hackers are trying to form a new kind of malware with a particularly political hook, as they found a payload named Trump.exe while investigating a recent malspam campaign.
The researchers at Cisco Talos Group conducted an inspection of other malicious programs that contained political references or themes. After the checking, the security firm found hundreds of other examples, showing a huge potential risk for users. In a blog post, the researchers clearly mentioned what methodology cybercriminals are following.
As per the post, the researchers stated that they began to look for other IOCs that utilized political references and developed a list of various names, terminology and iconography that has generated headlines across the political spectrum over the past few years.
"We then began a search throughout various malware repositories and discovered that not only were political names and iconography surprisingly common, but the results produced a wide variety of threats and were almost a microcosm of what we see on the threat landscape daily," the post added.
While conducting the search operation the researchers found weird named ransomware, "Donald Trump Screen of Death". This is a screen locker that attempts to lock users out of their Windows device while showing them various pictures of US President Donald Trump. It shows a message on the screen, stating "Your computer got a Donald Trump Screen of Death! That means you're banned from your computer so buy a new computer! And good bye!"
The researchers also found another program Trump Crypter, a complicated malware code that was created to hide the malicious activity from the security software. The blog post also revealed that Talos Group came across multiple different, politically themed RAT campaigns and among those "that we saw delivered were Neshta, which utilized a theme around North Korean leader Kim Jong Un."
In addition, the researchers found an NjRAT campaign that delivered an unusual decoy image. This same image was used as the icon for the executable, aptly named "Papa-Putin.exe." They also found a Word document, which took several minutes to open, entitled with "12 things Trump should know about North Korea.doc." After further investigation, it was understood that the slow opening was related to the executable and DLLs that were being reconstructed from data present within the document itself.
