The group behind the NetTraveler espionage malware campaign is now sending emails claiming the recipient is on the PRISM watch list, according to researchers.
PRISM is a recently outed US surveillance program run by the National Security Agency that collects data from internet giants such as Google, Facebook and Apple.
On Tuesday, the 9b+ blog, run by security engineer Brandon Dixon, reported that a malware-laden phishing email recently was added to VirusTotal.
It was sent with the subject "CIA's prism Watchlist" and contained a malicious Microsoft Word document titled "Monitored List 1.doc," which takes advantage of a Windows Common Controls vulnerability that was patched in April 2012.
According to 9b+, the email targeted a member of the Tibetan Youth Congress in India. As a humorist twist, the sender claims to be Jill Kelley, which likely is referencing the Kelley whose complaint to the FBI about receiving threatening emails led to the exposure last year that CIA Director David Petraeus, who has since resigned, was involved in an extramarital affair with Paula Broadwell, the author of his biography.
Earlier this month, security firm Kaspersky Lab lifted the mask off the NetTraveler espionage campaign, which is targeting hundreds of organizations around the globe – and attackers are using two commonly exploited flaws in Microsoft Word to steal corporate data.
Kaspersky researchers released an analysis about the NetTraveler toolkit, which is capable of exfiltrating data – like file system listings, PDFs and Excel and Word documents – from infected machines.
According to the security company, the campaign has been active since early 2004, though the majority of infections occurred in the last three years. Throughout the extensive campaign, the NetTraveler group has infected 350 victims in 40 countries in which government and military organizations, activists, oil and gas companies and research centers were the primary targets.
"It's funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed," the 9b+ post said. "Again, this sort of behavior shows poor operational security or a complete lack of care...Whatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it."