
Surveillance Malware Targets UAE Activist As Exploit Sellers Implicated

A prominent activist from the UAE has been targeted by surveillance malware likely to have been created by an Italian company, with a French exploit seller implicated too, according to researchers.

Ahmed Mansoor, a blogger and part of the UAE Five, a group of Emirati activists who were imprisoned from April to November 2011 on charges of insult, was targeted by surveillance malware, according to Citizen Lab.

Mansoor was sent an email with a malicious attachment, which appeared to be a Microsoft Word file called ‘veryimportant.doc’, but was really an RTF file containing an exploit which allows the execution of code that downloads surveillance malware.
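The lure described above relied on a file that carried a Word extension but was really RTF. As an added example (not part of the Citizen Lab analysis or this article), the following Python check flags attachments whose leading bytes do not match the container their extension promises; the attachment names and byte strings are constructed for illustration.

```python
"""Flag Word-extension attachments whose content is not the expected container.
Added example; sample attachments below are constructed, not real samples."""

# Leading-byte signatures of the containers involved.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
OOXML_MAGIC = b"PK\x03\x04"                       # .docx (zip container)
RTF_MAGIC = b"{\\rtf"                             # RTF group opener


def sniff_format(data: bytes) -> str:
    """Judge the real container format from the first bytes, not the name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    # Word tolerates leading whitespace before the RTF header, so strip it.
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a .doc/.docx name is paired with a different (or unknown)
    container, e.g. an RTF body delivered as 'veryimportant.doc'."""
    name = filename.lower()
    actual = sniff_format(data)
    if name.endswith(".doc"):
        return actual != "ole"
    if name.endswith(".docx"):
        return actual != "ooxml"
    return False   # other extensions are out of scope for this check


def flag_attachments(attachments):
    """Return the names of attachments that fail the extension/content check."""
    return [name for name, data in attachments if is_masquerading(name, data)]


# Constructed sample attachments (hypothetical bytes, not captured malware).
SAMPLE_ATTACHMENTS = [
    ("veryimportant.doc", b"{\\rtf1\\ansi\\deff0 {\\object\\objemb ...}}"),
    ("quarterly.doc", OLE_MAGIC + b"\x00" * 8),
    ("memo.docx", OOXML_MAGIC + b"\x14\x00\x06\x00"),
    ("notes.rtf", b"{\\rtf1\\ansi plain text}"),
]

if __name__ == "__main__":
    print(flag_attachments(SAMPLE_ATTACHMENTS))   # ['veryimportant.doc']
```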

Exploit sellers involved?

The exploit, which triggers a buffer overflow in the handling of the RTF format so that the malware’s code can be written into the system’s memory, has been linked to the French exploit seller VUPEN.

The malware has been linked to Italian firm Hacking Team, which was implicated in creating a Mac OS Trojan, which was allegedly based on its Da Vinci cyber espionage tool.

“This information indicates that the sample matching ‘veryimportant.doc’ may be a demo copy of the Hacking Team RCS [Remote Control System] backdoor,” the researchers said. They pointed to promotional materials for the backdoor, which claim to offer surveillance on various communications, including email, instant messaging and Skype.

“The same promotional document mentions ‘Zero-day exploits’ as a possible remote infection vector. An additional sample which appears to install HackingTeam RCS was discovered in Virus Total,” the researchers added.

“This sample uses an exploit that has similarities in shellcode with ‘veryimportant.doc’. However, the exploit it uses is newer, the Adobe Flash Player ‘Matrix3D’ Integer Overflow. Searching for the origin of this exploit revealed a public mailing list post taking credit for discovery of this bug stating: ‘This vulnerability was discovered by Nicolas Joly of VUPEN Security’.”

The researchers admitted it was “possible that the exploit used here was not written by VUPEN but was independently discovered and weaponised by another party”.

But they warned “social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace”.

VUPEN has distanced itself from the exploit. “Exploits described by CitizenLab are NOT ours and their allegations are only based on a vulnerability overlap with no real proof, too lame,” VUPEN CEO Chaouki Bekrar tweeted.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
