If the Game of Thrones fantasy has you hooked on its latest episodes, you may also have been tempted by the leaks circulating across the web. While chasing all this, you might have fallen prey to a campaign delivering the 9002 RAT. This remote access trojan (RAT) is installed by luring you into opening malware on your devices, and once running it can exfiltrate your personal and confidential data.
Game of Thrones episodes were found to be doing the rounds as email lures. To be clear, this is a phishing attack, and it has been attributed to a Chinese hacking group.
However, the group has no established connection with the attackers behind the HBO breach. The 9002 RAT has previously shown up in attacks on targets in Asian countries, in Operation Aurora, and in Operation Ephemeral Hydra.
The Chinese state-sponsored attackers are tracked as Deputy Dog, and are also codenamed APT17 and Group 27.
The investigation into these spear-phishing emails was carried out by Proofpoint researchers, who identified the attackers as a China-based cyber-espionage group. The first malicious email was observed on August 10, when leaks of the season were spreading across the web.
The targeted victims of these malware attacks were mainly in technology-oriented sectors. Nonetheless, the security experts noted that this phishing attack could also pose a threat to corporate systems and data.
The spoofed emails carried the catchy subject line ‘Wanna see the Game of Thrones in advance?’ The message gave general details about the episodes, along with the price at which the early preview could be bought, and it contained a Microsoft Word attachment that housed the malware.
The attachment was named ‘game of thrones preview.docx’. Researchers found that this ‘preview’ was an OLE packager shell object wrapping a .LNK file, which executed a malicious PowerShell script. This ultimately led to the installation of the fileless 9002 RAT.
“The use of a Game of Thrones lure during the penultimate season of the series follows a common threat actor technique of developing lures that are timely and relevant, and play on the human factor – the natural curiosity and desire to click that leads to so many malware infections,” Proofpoint security experts pointed out.
This 9002 attempt was noted to be similar to a 2014 campaign in terms of payload, file name, code, themes and images. The LNK files in both campaigns carried the same Volume Serial Number, 0xCC9CE694.
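The attachment chain described above (a .docx whose embedded OLE object is a .LNK) and the shared Volume Serial Number give a defender two concrete things to check for. The following is an added example, not Proofpoint's tooling or the campaign's code: it scans the embedded objects of a .docx for a ShellLink structure, reads the DriveSerialNumber and local target path from the LinkInfo block, and matches the serial against the value reported on this page. The constructed sample document embeds the shortcut raw; a real Packager object wraps the payload in an OLE compound file, which a scanner would unpack first (e.g. with the olefile library), and the sample serial, target path and file names are assumptions made for the test.

```python
import io
import struct
import zipfile

# ShellLink header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = b"\x4c\x00\x00\x00" + LNK_CLSID
IOC_SERIAL = 0xCC9CE694  # LNK volume serial number shared by both campaigns (from the report)

def parse_lnk(data: bytes):
    """Return {'serial', 'target'} from a ShellLink blob, or None if it cannot be parsed."""
    if not data.startswith(LNK_MAGIC):
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]       # LinkFlags
    pos = 0x4C
    if flags & 0x01:                                      # HasLinkTargetIDList: skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x02:                                  # HasLinkInfo absent: no VolumeID to read
        return None
    _, _, info_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
    if not info_flags & 0x01:                             # VolumeIDAndLocalBasePath
        return None
    serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]  # VolumeID: size, type, serial
    end = data.index(b"\x00", pos + base_off)
    return {"serial": serial, "target": data[pos + base_off:end].decode("ascii", "replace")}

def scan_docx(docx_bytes: bytes):
    """Flag embedded objects under word/embeddings/ that carry a ShellLink structure."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            blob = z.read(name)
            idx = blob.find(LNK_MAGIC)
            if idx < 0:
                continue
            info = parse_lnk(blob[idx:]) or {}
            hits.append({"member": name, "serial": info.get("serial"), "target": info.get("target"),
                         "ioc_match": info.get("serial") == IOC_SERIAL})
    return hits

def build_sample_docx(serial: int = IOC_SERIAL, target: str = "C:\\Windows\\System32\\cmd.exe") -> bytes:
    """Constructed test input (assumption): minimal .docx whose embedded object is a raw ShellLink."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x03) + b"\x00" * 52   # flags: IDList + LinkInfo
    idlist = struct.pack("<H", 2) + b"\x00\x00"                              # IDList holding only TerminalID
    volume = struct.pack("<4I", 17, 3, serial, 16) + b"\x00"                # VolumeID with empty label
    base = target.encode() + b"\x00"                                         # LocalBasePath
    info = struct.pack("<7I", 28 + len(volume) + len(base) + 1, 28, 1, 28,  # LinkInfo header
                       28 + len(volume), 0, 28 + len(volume) + len(base))
    lnk = header + idlist + info + volume + base + b"\x00"                   # empty CommonPathSuffix
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/embeddings/oleObject1.bin", lnk)
    return buf.getvalue()
```

Running `scan_docx(build_sample_docx())` reports the embedded member, its target path and `ioc_match: True`; any document with a shortcut embedded in word/embeddings/ is worth quarantining regardless of the serial match.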
Proofpoint researchers have blocked this 9002 RAT GoT phishing scheme. Nonetheless, they warned that similar phishing emails could put you at risk in the future too. So, watch out for such risks online and avoid jumping onto unofficial or illegal content anywhere across the web. After all, prevention is always better than cure.