Modified version of Christchurch attack's manifesto delivers ‘Trojan Haka’ payload

• The modified version contains an obfuscated VBA script code that attempts to download the second stage payload.
• The payload overwrites the Master Boot Record (MBR) with a message ‘This is not us!’, which is displayed after the system restarts.

What is the issue - A modified version of the Christchurch attack suspect’s manifesto is circulating online. This weaponized version includes a payload.

Why it matters - The payload overwrites the master boot record (MBR) with a message ‘This is not us!’, which is displayed after the system restarts.

Worth noting

Last week, a manifesto authored by the suspect who is charged with carrying out terror attacks in two mosques in Christchurch was circulated online. The manifesto titled ‘The Great Replacement’ was in multiple file formats such as MS Word and PDF.

The big picture

The original manifesto was removed from the sites where it was initially posted and the New Zealand government announced that the distribution and possession of the manifesto are objectionable under the law.

However, the modified version of the manifesto that includes a malicious payload is being distributed online. This modified version was uncovered by Blue Hexagon Labs.

The author info in this modified version reveals that the author is Maori. This version also includes the symbol of the ‘Maori’ in the third page, which is not part of the original manifesto.

• The modified version contains an obfuscated VBA script code that attempts to download the second stage payload.
• The second stage payload is an executable PE file named ‘Haka.exe’.
• Blue Hexagon has dubbed this payload as ‘Trojan Haka’.
• The payload overwrites the master boot record (MBR) with a message, which is displayed after the system restarts.
• When the system restarts, it displays the message ‘This is not us!’.

The bottom line - Researchers noted that the payload ‘Trojan Haka’ does not make any changes that can’t be reverted. Attackers purpose is not monetary but just to deliver their own malicious payload and make a statement.

“Other than being disruptive, there is no motivation; such as a monetary one to be found in this attack. However, it is likely that similar techniques could be used by threat actors to get users interested in these current events to open a weaponized version of the document and deliver their own malicious payload,” researchers wrote in a blog.