Blue Hexagon Blog

Blue Hexagon Labs Discovers Weaponized Version Of New Zealand Terror Suspect’s Manifesto

Over a week ago, a number of unverified posts surfaced on the site 8chan, along with links to a manifesto, allegedly authored by the terror suspect who is charged with carrying out the terrorist attacks in New Zealand. The attacks at two mosques left at least 50 people dead.

The original post of the manifesto was in multiple file formats including PDF and an MS Word version that was also linked to a Twitter account allegedly created by the terror suspect.

Figure 1 a: Manifesto in Microsoft Word

Figure 1 b: Post of the original manifesto on media sharing site MediaFire shows a time stamp of March 14th, 2019 at 6:30 am from New Zealand

Titled ‘The Great Replacement’, the 74-page manifesto was removed shortly afterwards from the site(s) it was initially posted to, but not before it began a new life via viral re-circulation on multiple forums and file sharing sites as well as social media.

Last weekend, New Zealand’s government officially declared the possession and distribution of the manifesto believed to be written by the suspect behind the Christchurch attack as objectionable under the law. But since then, it seems the underground circulation of the material associated with the attack has increased. It is worth noting that not all the redistribution seems to be sparked by the goal of spreading hate propaganda, but instead by plain old curiosity. This is the reason why postings related to the incident were widely shared on forums in China after references to that region were called out to be contained in the manifesto.  References to the same manifesto (and encouragement to read it in its entirety) were also made by officials in the US government.

However, caution is advised for anyone attempting to seek and download the content for review. In what can be described as a vigilante attempt to thwart the viral distribution, several links are now also distributing a trojanized version of the manifesto.

Fig 2: Pages from the Weaponized Manifesto. The third page contains symbols that are not part of the original manifesto.

The weaponized version of the document resembles the content of the original manifesto but has several distinguishing features. The metadata of the original manifesto lists the alleged suspect, who has been arrested in connection with the terror attack, as the author, whereas the author field of the weaponized trojan says it was created by ‘Maori’ (a name for the indigenous people of New Zealand). The biggest difference in the weaponized version is the presence of obfuscated VBA macro code that attempts to download a second stage payload.
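The two differences described above (a changed author field and the presence of a VBA project) are exactly what a quick triage script can check before anyone opens a circulating copy. The following is an added example written for this post, not Blue Hexagon's code or tooling. It assumes the document is an OOXML package (.docx/.docm), which the post does not state; the in-memory sample documents and the placeholder `ORIGINAL-AUTHOR-PLACEHOLDER` for the legitimate copy's creator name are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces used by docProps/core.xml in an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Part names that hold VBA macro projects in Word, Excel and PowerPoint packages.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def build_sample_docx(author: str, with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real document)."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{author}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; the OLE magic is enough for the sample.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def triage_office_doc(data: bytes, expected_author: Optional[str] = None) -> dict:
    """Read the creator field and macro parts; flag deviations from a known-good reference copy."""
    result = {"author": None, "macro_parts": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            if creator is not None and creator.text:
                result["author"] = creator.text.strip()
        result["macro_parts"] = sorted(names & MACRO_PARTS)
    if result["macro_parts"]:
        result["flags"].append("contains a VBA project; a plain text manifesto needs no macros")
    if expected_author is not None and result["author"] != expected_author:
        result["flags"].append(
            f"author metadata changed: {result['author']!r} != {expected_author!r}"
        )
    return result


def is_suspicious(data: bytes, expected_author: Optional[str] = None) -> bool:
    """True when any triage flag fires."""
    return bool(triage_office_doc(data, expected_author)["flags"])


if __name__ == "__main__":
    # ORIGINAL-AUTHOR-PLACEHOLDER stands in for the creator name recorded in the legitimate copy.
    reference = build_sample_docx("ORIGINAL-AUTHOR-PLACEHOLDER", with_macro=False)
    suspect = build_sample_docx("Maori", with_macro=True)
    for label, blob in (("reference", reference), ("suspect", suspect)):
        print(label, triage_office_doc(blob, expected_author="ORIGINAL-AUTHOR-PLACEHOLDER"))
```

The check never executes anything from the package; it only lists zip members and parses one XML part, so it is safe to run on an untrusted sample. Legacy binary .doc files are OLE containers rather than zip packages and would need a different parser (for example an OLE library), which is why the format assumption matters.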

Fig 3: When executed, the sole purpose of the document is to download and execute a second stage payload called ‘Haka.exe’.

The second stage executable is a tiny PE file that has a single purpose. The functionality is limited to overwriting the Master Boot Record (MBR) with a message that is immediately displayed upon a forced reboot of the system after successful execution.

Once restarted, an infected system will display the following message.

Fig 5: Message displayed after the system reboots
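Because the payload's only effect is to overwrite the first sector of the disk, a responder's check is an integrity check on that sector: is the boot signature still there, is the partition table still populated, and does the sector still match a hash recorded when the machine was known to be clean. The following is an added example for this post, not Blue Hexagon's code or a component of the threat; the 512-byte MBR images it builds are constructed in memory and are never written to a disk, and the sample partition layout and message text are made up.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
CODE_AREA = 446                # bytes 0..445 hold boot code
TABLE_OFFSET = 446             # four 16-byte partition entries follow the code
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a 512-byte MBR image in memory (constructed sample, never written to a disk)."""
    code = boot_code[:CODE_AREA].ljust(CODE_AREA, b"\x00")
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        table += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
    table = table.ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> List[dict]:
    """Return the non-empty partition table entries."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def printable_runs(data: bytes, min_len: int = 12) -> List[str]:
    """Extract ASCII runs long enough to read as a message, for the analyst to eyeball."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def check_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Integrity checks on a captured first sector; baseline_sha256 comes from a clean system."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha256(sector).hexdigest()
    partitions = parse_partitions(sector)
    flags = []
    if sector[510:512] != BOOT_SIGNATURE:
        flags.append("boot signature 55AA missing")
    if not partitions:
        flags.append("no partition entries; table overwritten or zeroed")
    if baseline_sha256 is not None and digest != baseline_sha256:
        flags.append("sector differs from recorded baseline")
    return {"sha256": digest, "partitions": partitions,
            "strings": printable_runs(sector[:CODE_AREA]), "flags": flags}


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
    baseline = check_mbr(clean)
    # A wiped sector: a text message written over the start of the disk, no table, no signature.
    wiped = b"CONSTRUCTED SAMPLE MESSAGE".ljust(SECTOR_SIZE, b"\x00")
    print("clean:", baseline["flags"])
    print("wiped:", check_mbr(wiped, baseline_sha256=baseline["sha256"])["flags"])
```

The `strings` field is deliberately informational rather than a flag: genuine boot code also carries readable error strings, so text in the code area alone is not evidence of tampering. The decisive signals are the missing signature, the emptied partition table and, where a baseline exists, the hash mismatch; on a live system the baseline hash should be recorded while the disk is known to be clean and stored off the host.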

Other than being disruptive, there is no apparent motivation, such as a monetary one, behind this attack. However, it is likely that similar techniques could be used by threat actors to lure users interested in current events into opening a weaponized version of a document and so deliver their own malicious payload.

Blue Hexagon’s proprietary HexNet deep learning models detected both components of this threat without having seen them before. We have dubbed the threat Trojan Haka based on content found in the final second stage payload.