Christchurch terrorist's banned rant booby trapped with disk wiper

By

Overwrites disk master boot records.

People trying to get hold of the illegal document written by mass murderer Brenton Tarrant, who killed 50 people in gun attacks at two mosques in Christchurch could download more than just a racist rant, security researchers say.

Christchurch terrorist's banned rant booby trapped with disk wiper

Security vendor Blue Hexagon said someone has made available a version of Tarrant's document that contains destructive malware that wipes hard drives.

The trojanised Word file was found on the same upload sites that were linked to in a post on a board at the 8chan site, from where the original document could be found. Blue Hexagon's analysis of the Word document showed that it contains a malicious, obfuscated Visual Basic for Applications script.

When the VBA script runs, it attempts to download a small Portable Executable binary file named "Haka.exe" for Microsoft's Windows operating system. 

Blue Hexagon researcher Irfan Asrar told iTnews that two versions of the PE had been found.

After execution, the PE file overwrites the master boot record (MBR) on users' hard disks; the first variant  displays a message saying "This is not us!", a quote from prime minister Jacinda Ardern's initial reaction to the Christchurch massacre, after the computer is rebooted.

The second variant displays "All Blacks Rule!", a reference to New Zealand's national rugby team.

There is no other functionality in the malware.

Blue Hexagon has not been able to identify who created and distributed the malware, but noted that the file's meta data has "Maori" as the author's name.

Security researcher Te Rangikaiwhiria Kemara told iTnews that the use of te reo Māori and a reference to the All Blacks is not an indication that the malware was written in New Zealand.

"Most malware developers would always try to misdirect anyone decompiling the code as to their location and of course their identity. Attribution is hard," Kemara said.

The New Zealand government outlawed the possession and distribution of Tarrant's document and the video that he live streamed on Facebook.

 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

International Criminal Court hit by cyber attack

International Criminal Court hit by cyber attack

Log In

  |  Forgot your password?