Malware Using Mandiant Name In Scareware Scam, Company Says


Mandiant, the company responsible for connecting China to a string of lengthy targeted campaigns against U.S. companies, said it has been notified of a scareware campaign that attempts to extort money from victims.

The company on Friday said device owners reported being targeted in a ransomware campaign that tricked victims into believing their computer had been locked. A phony message sent by the attacker said Mandiant, Interpol, the FBI and the USA Cyber Crime Center had locked the victim's system pending the payment of a fine, the company said.

A Mandiant spokesperson said the company didn't have any additional information about the scareware campaign on Friday. Ransomware is a common attack technique used by financially motivated cybercriminals.

[Related: Chinese Group Tied To Massive, Ongoing Cyberattacks In U.S.]

"We’re still actively investigating the issue," the spokesperson told CRN. "Mandiant has no involvement with this malware or the scam."

Security researchers say ransomware typically gains its initial foothold through an attack website. It also spreads through phishing campaigns that lure the victim into opening a malicious attachment, according to Microsoft, which recently analyzed Reveton, a popular ransomware campaign behind the Citadel banking Trojan. The attacks have been on the rise globally, Microsoft said.

Mandiant has been increasingly in the public eye following a highly publicized report in February that exposed how groups believed to be controlled by the Chinese government infiltrated more than 100 businesses to steal intellectual property and spy on executives. The firm said in May that its cyberespionage report disrupted the group's operations. Phishing attacks soon followed, using messages that carried a malicious file attachment disguised as a copy of the Mandiant report.

The FBI has issued multiple warnings about ransomware attacks in recent years. It said that attacks sometimes lock up a victim's computer screen, encrypting the data until a fee is paid. Security researchers at Webroot have been tracking a recent spike in ransomware activity. The company said in May that it recommends users periodically back up their data.

Symantec said on Wednesday that fake computer lockers are everywhere. The company released analysis of Shadowlock, a Trojan that infects victims' machines, locks them up and forces them to take an online survey. Symantec researchers reverse engineering the malware said they found a music file containing the five-tone melody from the movie "Close Encounters Of The Third Kind."

In addition to shutting down the victim's browsers, Shadowlock disables system tools to maintain persistence on the victim's machine. It disables the Windows firewall and has the ability to redirect victims to pornographic websites. In addition, it can "swap mouse buttons, open the CD tray, or launch basic OS apps like Calculator or MS Paint," wrote Fred Gutierrez, a Symantec researcher.

Gutierrez said many of the functions of the Trojan were not being used, indicating that the malware author could be testing it or merely using it to direct users to the online survey scam. Shadowlock is not widespread, he said.

"These functions [as well as others] may find themselves being used in a future variant," Gutierrez wrote.

PUBLISHED JULY 15, 2013