Fake Video About Malaysian Airlines Flight MH370 Hides Malware

The number of scams leveraging the story of the missing plane is growing

By on March 18th, 2014 15:51 GMT

Cybercriminals are leveraging the incident involving the Malaysian Airlines MH370 flight to distribute a piece of malware that enables them to open a backdoor on infected computers.

At this point, there is the possibility that we might never find out how the airplane disappeared. There are all sorts of theories, but none of the 25 countries involved in the search for the missing airplane have come up with any valuable information.

While the topic is still hot, cybercriminals and scammers are doing everything they can to leverage this incident to their advantage.

The first scam related to this topic emerged last week when Facebook posts advertising a video of MH370 being found in the Bermuda Triangle started making the rounds. At the time, scammers were simply trying to trick users into completing surveys and driving traffic to a bogus video website.

Now, researchers from Trend Micro have uncovered a file that’s advertised as being a five-minute clip about the flight. The file is called “Malaysian Airlines MH370 5m Video.exe” and experts believe it’s being distributed via email.

When it’s executed, a backdoor (BKDR_OTOPROXY.WR) is unleashed, enabling cybercriminals to execute commands on the infected device, retrieve system information, and download and execute additional malicious elements.
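The lure relies on a file whose name promises a video while its real extension is executable. The following is an added example, not code from the article or from Trend Micro, of a mail-gateway style check that flags such attachments; the extension lists, the `assess_attachment` function and the sample names other than the one quoted above are assumptions constructed for illustration.

```python
"""Flag attachments whose name promises a video but whose real extension is executable.
Added example (not from the article); thresholds and word lists are assumptions."""
import re
from dataclasses import dataclass, field

# Extensions Windows launches directly on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "msi", "hta"}
# Extensions a user would expect on a genuine video file (assumed list).
MEDIA_EXTS = {"mp4", "avi", "mov", "wmv", "mkv", "flv", "mpg", "mpeg"}
# Words in the name itself that advertise media content.
MEDIA_WORDS = re.compile(r"\b(video|clip|movie|footage)\b", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def assess_attachment(filename: str) -> Verdict:
    """Return a verdict plus the reasons for one attachment file name."""
    reasons = []
    # Strip any path component and split the bare name on dots.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].strip()
    parts = [p.lower() for p in name.split(".") if p]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in EXECUTABLE_EXTS:
        return Verdict(False, reasons)  # not directly executable; outside this check's scope
    reasons.append(f"executable extension .{ext}")
    # Double extension such as "clip.mp4.exe": the inner one is a media type.
    # (Windows hides known extensions by default, so the user sees "clip.mp4".)
    if len(parts) > 2 and parts[-2] in MEDIA_EXTS:
        reasons.append(f"media extension .{parts[-2]} hidden before .{ext}")
    # The name itself advertises a video, as in "... 5m Video.exe".
    if MEDIA_WORDS.search(name):
        reasons.append("name promises video content")
    # Executable plus at least one media cue is the masquerade pattern; flag it.
    return Verdict(len(reasons) > 1, reasons)


if __name__ == "__main__":
    # Constructed sample names; the first is the lure file name quoted in the article.
    samples = ["Malaysian Airlines MH370 5m Video.exe", "holiday.mp4.scr", "report.pdf", "setup.exe"]
    for sample in samples:
        verdict = assess_attachment(sample)
        print(f"{sample!r}: {'SUSPICIOUS' if verdict.suspicious else 'ok'} {verdict.reasons}")
```

A plain `setup.exe` is deliberately not flagged here, because the check targets the media masquerade rather than executables in general; a real gateway would apply its own policy to any executable attachment.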

The command and control (C&C) server used in this attack was previously spotted back in October 2013 when it was being utilized in a targeted attack by sophisticated cybercriminals.

“It is unusual for a targeted attack to share the same infrastructure as a more “conventional” cybercrime campaign, yet that appears to be the case here. We currently have no information that this particular backdoor is being used in targeted attacks,” Trend Micro’s Rika Joi Gregorio noted in a blog post.

Trend Micro has also analyzed the Facebook scam claiming the plane was found in the Bermuda Triangle. Experts found that the scam page was accessed mostly by users in the Asia-Pacific region (40%) and North America (32%).

Chris Boyd, a malware intelligence analyst at Malwarebytes, has told Wired that several other headlines are being used in these scams. The list includes “[Shocking Video] Malaysian Airlines missing flight MH370 found in Sea,” “Malaysian Airlines missing flight MH370 found in Sea - 50 people alive saved” and “CNN UPDATE [Breaking] Malaysian Airplane MH370 Already Found. Shocking Video.”

In the meantime, experts are wondering if someone could have hijacked the plane by hacking into its on-board computer system. Some say it’s a plausible scenario, but many doubt it.