People trying to get hold of the illegal document written by mass murderer Brenton Tarrant, who killed 50 people in gun attacks at two mosques in Christchurch could download more than just a racist rant, security researchers say.
Security vendor Blue Hexagon said someone has made available a version of Tarrant's document that contains destructive malware that wipes hard drives.
The trojanised Word file was found on the same upload sites that were linked to in a post on a board at the 8chan site, from where the original document could be found. Blue Hexagon's analysis of the Word document showed that it contains a malicious, obfuscated Visual Basic for Applications script.
When the VBA script runs, it attempts to download a small Portable Executable binary file named "Haka.exe" for Microsoft's Windows operating system.
Blue Hexagon researcher Irfan Asrar told iTnews that two versions of the PE had been found.
After execution, the PE file overwrites the master boot record (MBR) on users' hard disks; the first variant displays a message saying "This is not us!", a quote from prime minister Jacinda Ardern's initial reaction to the Christchurch massacre, after the computer is rebooted.
The second variant displays "All Blacks Rule!", a reference to New Zealand's national rugby team.
There is no other functionality in the malware.
Blue Hexagon has not been able to identify who created and distributed the malware, but noted that the file's meta data has "Maori" as the author's name.
Security researcher Te Rangikaiwhiria Kemara told iTnews that the use of te reo Māori and a reference to the All Blacks is not an indication that the malware was written in New Zealand.
"Most malware developers would always try to misdirect anyone decompiling the code as to their location and of course their identity. Attribution is hard," Kemara said.
The New Zealand government outlawed the possession and distribution of Tarrant's document and the video that he live streamed on Facebook.
.jpg&w=100&c=1&s=0)
.jpg&w=100&c=1&s=0)
