iTnews

Christchurch terrorist's banned rant booby trapped with disk wiper

By Juha Saarinen on Apr 1, 2019 12:50AM

Overwrites disk master boot records.

People trying to get hold of the illegal document written by mass murderer Brenton Tarrant, who killed 50 people in gun attacks at two mosques in Christchurch, could download more than just a racist rant, security researchers say.

Security vendor Blue Hexagon said someone has made available a version of Tarrant's document that contains destructive malware that wipes hard drives.

The trojanised Word file was found on the same upload sites that were linked to in a post on a board at the 8chan site, through which the original document could be found. Blue Hexagon's analysis of the Word document showed that it contains a malicious, obfuscated Visual Basic for Applications script.

When the VBA script runs, it attempts to download a small Portable Executable binary file named "Haka.exe" for Microsoft's Windows operating system. 
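A triage check for the delivery vector described above, as an added example that is not from iTnews or Blue Hexagon: it flags Word files that carry a VBA project before anyone opens them. The function name, reason strings and sample files are constructed for illustration, and the legacy-format check is a byte-search heuristic rather than a full compound-file parse.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # legacy .doc compound file header
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")   # VBA stream name in the OLE directory


def quarantine_reason(data: bytes):
    """Return a reason to hold a Word file for analysis, or None if no macro container is seen."""
    if data.startswith(OLE_MAGIC):
        # Directory entry names are stored as UTF-16LE, so a byte search finds them.
        return "ole:_VBA_PROJECT stream" if VBA_DIR_ENTRY in data else None
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.docm) is a ZIP; macros live in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        return f"ooxml:{name}"
        except zipfile.BadZipFile:
            # Fail closed: a damaged archive cannot be cleared by this check.
            return "ooxml:unreadable archive"
    return None


def _zip_doc(part_names):
    """Build a constructed OOXML-like archive containing the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in part_names:
            zf.writestr(part, b"constructed sample")
    return buf.getvalue()


# Constructed samples; none of these are real documents or real malware.
SAMPLES = {
    "clean.docx": _zip_doc(["[Content_Types].xml", "word/document.xml"]),
    "macro.docm": _zip_doc(["[Content_Types].xml", "word/document.xml",
                            "word/vbaProject.bin"]),
    "legacy.doc": OLE_MAGIC + b"\x00" * 64 + VBA_DIR_ENTRY,
    "truncated.docx": b"PK\x03\x04" + b"\x00" * 10,
}

if __name__ == "__main__":
    for filename, blob in SAMPLES.items():
        print(f"{filename}: {quarantine_reason(blob) or 'no macro container found'}")
```

A hit only means the file can run VBA; whether that macro is malicious still needs analysis in an isolated environment.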

Blue Hexagon researcher Irfan Asrar told iTnews that two versions of the PE had been found.

After execution, the PE file overwrites the master boot record (MBR) on users' hard disks; the first variant displays a message saying "This is not us!", a quote from prime minister Jacinda Ardern's initial reaction to the Christchurch massacre, after the computer is rebooted.

The second variant displays "All Blacks Rule!", a reference to New Zealand's national rugby team.

There is no other functionality in the malware.

Blue Hexagon has not been able to identify who created and distributed the malware, but noted that the file's metadata has "Maori" as the author's name.

Security researcher Te Rangikaiwhiria Kemara told iTnews that the use of te reo Māori and a reference to the All Blacks is not an indication that the malware was written in New Zealand.

"Most malware developers would always try to misdirect anyone decompiling the code as to their location and of course their identity. Attribution is hard," Kemara said.

The New Zealand government outlawed the possession and distribution of Tarrant's document and the video that he live streamed on Facebook.
