Christchurch terrorist's banned rant booby trapped with disk wiper

By

Overwrites disk master boot records.

People trying to get hold of the illegal document written by mass murderer Brenton Tarrant, who killed 50 people in gun attacks at two mosques in Christchurch could download more than just a racist rant, security researchers say.

Christchurch terrorist's banned rant booby trapped with disk wiper

Security vendor Blue Hexagon said someone has made available a version of Tarrant's document that contains destructive malware that wipes hard drives.

The trojanised Word file was found on the same upload sites that were linked to in a post on a board at the 8chan site, from where the original document could be found. Blue Hexagon's analysis of the Word document showed that it contains a malicious, obfuscated Visual Basic for Applications script.

When the VBA script runs, it attempts to download a small Portable Executable binary file named "Haka.exe" for Microsoft's Windows operating system. 

Blue Hexagon researcher Irfan Asrar told iTnews that two versions of the PE had been found.

After execution, the PE file overwrites the master boot record (MBR) on users' hard disks; the first variant  displays a message saying "This is not us!", a quote from prime minister Jacinda Ardern's initial reaction to the Christchurch massacre, after the computer is rebooted.

The second variant displays "All Blacks Rule!", a reference to New Zealand's national rugby team.

There is no other functionality in the malware.

Blue Hexagon has not been able to identify who created and distributed the malware, but noted that the file's meta data has "Maori" as the author's name.

Security researcher Te Rangikaiwhiria Kemara told iTnews that the use of te reo Māori and a reference to the All Blacks is not an indication that the malware was written in New Zealand.

"Most malware developers would always try to misdirect anyone decompiling the code as to their location and of course their identity. Attribution is hard," Kemara said.

The New Zealand government outlawed the possession and distribution of Tarrant's document and the video that he live streamed on Facebook.

 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul

CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

WestJet probes cyber security incident

WestJet probes cyber security incident

Log In

  |  Forgot your password?