What is the issue - A modified version of the Christchurch attack suspect’s manifesto is circulating online. This weaponized version includes a payload.
Why it matters - The payload overwrites the master boot record (MBR) with the message ‘This is not us!’, which is displayed after the system restarts.
Last week, a manifesto authored by the suspect who is charged with carrying out terror attacks in two mosques in Christchurch was circulated online. The manifesto, titled ‘The Great Replacement’, was available in multiple file formats such as MS Word and PDF.
The big picture
The original manifesto was removed from the sites where it was initially posted, and the New Zealand government announced that the distribution and possession of the manifesto are objectionable under the law.
However, a modified version of the manifesto that includes a malicious payload is being distributed online. This modified version was uncovered by Blue Hexagon Labs.
The author info in this modified version reveals that the author is Maori. This version also includes the symbol of the ‘Maori’ on the third page, which is not part of the original manifesto.
The bottom line - Researchers noted that the payload ‘Trojan Haka’ does not make any changes that can’t be reverted. The attackers' purpose is not monetary; it is just to deliver their own malicious payload and make a statement.
“Other than being disruptive, there is no motivation, such as a monetary one, to be found in this attack. However, it is likely that similar techniques could be used by threat actors to get users interested in these current events to open a weaponized version of the document and deliver their own malicious payload,” researchers wrote in a blog.