With less than a week to go before the 2020 US Presidential Election, endorsement and campaign ads are everywhere. From ads on social media to network TV, supporters of the respective campaigns are in full swing in the last push before the historic November 3rd election.
But the one place you least expect to see an endorsement is in a malware campaign. We believe the attack, which appears to have originated in Eastern Europe, was first noticed around the start of October. Our AI, HexNet, identified a new variant campaign using Agent Tesla, but what was more interesting was that one of the features it flagged had a politically themed context: text that closely resembles an endorsement of the Trump/Pence ticket.
Contents of the strings in the binary
Our initial concerns were whether this was a targeted attack and whether there was any connection to the attack on, and defacement of, the Trump campaign's official website, which was reported around the same time. Based on the results of our analysis, we don't believe the goal was to target the Democratic Party or individuals associated with the Biden campaign directly. And despite the fact that the timeline of this malware campaign overlapped with the defacement of the Trump 2020 campaign website, no association can be made with the attackers behind that defacement.
President Trump’s campaign website was briefly and partially hacked Tuesday afternoon.
Although we have not confirmed whether the malware author embedded the string Trump2020 as an endorsement of the Trump campaign, the string serves no other purpose in the code and is never displayed to the infected user. Its meaning remains a mystery known only to its author.
INDICATORS OF COMPROMISE:
AGENT TESLA DROPPERS/LOADERS:
220.127.116.11, port 587/TCP
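The two indicators this post gives are a string that only shows up in the binary (never on screen) and an IP/port pair. Below is an added example, written for this page and not code from the authors or from HexNet, of how a responder would turn both into a quick triage check: it pulls printable ASCII and UTF-16LE runs out of a file the way the `strings` utility does (Agent Tesla is a .NET binary, and .NET string literals are stored as UTF-16LE, so an ASCII-only scan can miss them) and matches connection-log lines against the IP/port indicator. The sample binary bytes and the firewall-style log lines are constructed here for illustration; the log line format, the field names `dst=`/`dport=`, and the `ip_only` option are assumptions, not anything the post describes. Port 587 is the SMTP submission port, which fits Agent Tesla's well-known use of SMTP to exfiltrate stolen credentials.

```python
import re

# Indicators taken from the post: the politically themed string found in the
# binary, and the listed Agent Tesla IP/port pair.
STRING_IOCS = {"Trump2020"}
NETWORK_IOCS = {("220.127.116.11", 587)}

# Minimum printable run to report (same default as the `strings` utility).
MIN_LEN = 4
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: each printable ASCII byte is followed by a NUL byte.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed firewall/proxy log format for the constructed sample lines below.
_LOG_RE = re.compile(r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in data,
    scanning both ASCII and UTF-16LE so .NET string literals are not missed."""
    for m in _ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_string_iocs(data: bytes):
    """Return sorted (offset, encoding, ioc) tuples for string IOCs in data."""
    hits = []
    for off, enc, text in extract_strings(data):
        for ioc in STRING_IOCS:
            if ioc in text:
                hits.append((off, enc, ioc))
    return sorted(hits)


def find_network_iocs(log_lines, ip_only=False):
    """Return the log lines whose destination matches a network IOC.
    With ip_only=True, any port to an IOC address is reported, which catches
    traffic the exact (ip, port) pair would miss."""
    ioc_ips = {ip for ip, _ in NETWORK_IOCS}
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) in NETWORK_IOCS or (ip_only and dst in ioc_ips):
            hits.append(line)
    return hits


# Constructed stand-in for a PE file: MZ header bytes, the standard DOS-stub
# text (an ASCII run), then the IOC string stored as UTF-16LE at offset 58.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode"
    + b"\x00" * 4
    + "Trump2020".encode("utf-16le")
    + b"\x00" * 4
)

# Constructed log lines (192.0.2.10 is a documentation address, not an IOC).
SAMPLE_LOG = [
    "2020-10-05T12:03:11Z src=10.0.0.12 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-10-05T12:03:40Z src=10.0.0.12 dst=220.127.116.11 dport=587 proto=tcp",
    "2020-10-05T12:04:02Z src=10.0.0.12 dst=220.127.116.11 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for off, enc, ioc in find_string_iocs(SAMPLE_BINARY):
        print(f"string IOC {ioc!r} ({enc}) at offset 0x{off:x}")
    for line in find_network_iocs(SAMPLE_LOG, ip_only=True):
        print("network IOC hit:", line)
```

Note that an ASCII-only pass over the sample finds nothing, while the UTF-16LE pass reports the string at offset 0x3a; that difference is exactly why `strings -e l` (or the equivalent here) belongs in any triage of a .NET sample. The third log line shows why the exact IP/port match is too narrow on its own: the same host on another port is still the same indicator.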