# New Spear Phishing Campaign Pretends to be EFF **[eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff](https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff)** Technical Analysis by Cooper Quintin August 27, 2015 **Update 01/28/16: EFF** [now controls the Electronicfrontierfoundation.org domain and that](https://www.techdirt.com/articles/20151118/06451432850/wipo-gives-eff-control-over-bogus-domain-used-to-distribute-keyloggers-other-malware.shtml) URL currently redirects to this blog post. If you arrived at this page via a link in a message that may have been phishing, please let us know and we will investigate. Google's security team recently identified a new domain masquerading as an official EFF site as part of a targeted malware campaign. That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were. The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the attack started on the same day. At the time of this writing the domain is still serving malware. Electronicfrontierfoundation.org was not the only domain involved in this attack. It seems to be part [of a larger campaign, known as “Pawn Storm”. The current phase of the Pawn Storm attack](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit) [campaign started a little over a month ago, and the overall campaign was first identified in an](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/) [October 2014 report from Trend Micro (PDF). The group behind the attacks is possibly associated](https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf) [with the Russian government and has been active since at least 2007.](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/) [The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of ``` http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing ``` a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java ----- payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer. We were able to recover the following samples of the malicious Java code from electronicfrontierfoundation.org. Filename MD5 Sum SHA1 Sum App.class 0c345969a5974e8b1ec6a5e23b2cf777 95dc765700f5af406883d07f165011d2ff8dd0fb Go.class 25833224c2cb8050b90786d45f29160c df5f038d78f5934bd79d235b4d257bba33e6b3 The decompiled Java for App.class ----- The decompiled Java for App.class The Go.class applet bootstraps and executes App.class, which contains the actual attack code. [The App.class payload exploits the same Java zero-day reported by Trend Micro and then](http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-the-pawn-storm-java-zero-day-old-techniques-reused/) downloads a second stage binary, internally called cormac.mcr, to the user's home directory and renames it to a randomly chosen string ending in `.exe`. Interestingly, App.class contains code to download a *nix compatible second stage binary if necessary, implying that this attack is able to potentially target Mac or Linux users. Unfortunately we weren't able to retrieve the second stage binary, however this is the same path and filename that has been used in other Pawn Storm attacks, which suggests that it is likely to be [the same payload: the malware known as Sednit. On Windows, the Sednit payload is downloaded](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/) to the logged-in user's home directory with a randomly generated filename and executed. On running it hooks a variety of services and downloads a DLL file. The DLL file is executed and connects to a command and control server where it appears to verify the target and then execute a keylogger or other modules as may be required by the attacker. Because this attack used the same path names, Java payloads, and Java exploit that have been used in other attacks associated with Pawn Storm, we can conclude that this attack is almost certainly being carried out by the same group responsible for the rest of the Pawn Storm attacks. Other security researchers have linked the Pawn Storm campaign with the original Sednit and Sofacy targeted malware campaigns–also known as “APT 28”–citing the fact that they use the [same custom malware and have similar targets. In a 2014 paper the security company FireEye](http://resources.infosecinstitute.com/apt28-cybercrime-or-state-sponsored-hacking/) [linked the “APT 28” group behind Sednit/Sofacy with the Russian Government (PDF) based on](https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf) technical evidence, technical sophistication, and targets chosen. Drawing from these conclusions, it seems likely that the organization behind the fake-EFF phishing attack also has ties to the Russian government. Past attacks have targeted Russian dissidents and journalists, U.S. Defense Contractors, NATO forces, and White House staff. We do not know who the targets were for this particular attack, but it does not appear that it was EFF staff. ----- The phishing domain has been reported for abuse–though it is still active, and the vulnerability in Java has been patched by Oracle. Of course this is an excellent reminder for everyone to be [vigilant against phishing attacks. Our SSD guide contains advice on how to improve your security,](https://ssd.eff.org/) watch for malicious emails, and avoid phishing attacks such as this one. ## Related Cases [Kidane v. Ethiopia](https://www.eff.org/cases/kidane-v-ethiopia) ## Join EFF Lists ### Join Our Newsletter! Email updates on news, actions, events in your area, and more. Thanks, you're awesome! Please check your email for a confirmation link. Oops something is broken right now, please try again later. ## Related Updates [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Jillian C. York,](https://www.eff.org/about/staff/jillian-york) [Gennie Gebhart,](https://www.eff.org/about/staff/gennie-gebhart) [Jason Kelley,](https://www.eff.org/about/staff/jason-kelley) [David Greene | April 25, 2022](https://www.eff.org/about/staff/david-greene) ### Twitter Has a New Owner. Here’s What He Should Do. Elon Musk’s purchase of Twitter highlights the risks to human rights and personal safety when any single person has complete control over policies affecting almost 400 million users. And in this case, that person has repeatedly demonstrated that they do not understand the realities of platform policy at scale. ----- [Deeplinks Blog by rainey Reitman | March 29, 2022](https://www.eff.org/updates?type=blog) ### Podcast Episode: Securing the Internet of Things Today almost everything is connected to the internet - from your coffeemaker to your car to your thermostat. But the “Internet of Things” may not be hardwired for security. Window Snyder, computer security expert and author, joins EFF hosts Cindy Cohn and Danny O’Brien as they delve into the scary... [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Karen Gullo | March 25, 2022](https://www.eff.org/about/staff/karen-gullo) ### Another Tracker Scanning App Highlights the Need for a Better Way to Protect Victims From Digital Stalking First came tracking devices like Tiles and AirTags, marketed as clever, button-sized Bluetoothenabled gizmos that can find your lost backpack. Then, after bad actors started using the devices to stalk or follow people, came scanning apps to help victims find out whether those same gizmos were tracking them.Such is the... ----- [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Andrés Arrieta | March 9, 2022](https://www.eff.org/about/staff/andres-arrieta) ### Using Your Phone in Times of Crisis [Secure communications are especially important in times of crisis. Just being aware of surveillance](https://www.eff.org/deeplinks/2022/03/telegram-harm-reduction-users-russia-and-ukraine) has [chilling effects in how we exercise speech, which is often under attack by all sorts of actors](https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-new-studies-show-our-rights-free-association) from criminals to our own governments. With war in Ukraine and political crackdowns in Russia, it... [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Eva Galperin | March 4, 2022](https://www.eff.org/about/staff/eva-galperin) ### Telegram Harm Reduction for Users in Russia and Ukraine Telegram has gained a reputation as the “secure” communications app in the post-Soviet states, but whenever you make choices about your digital security, it’s important to start by asking yourself, “What exactly am I securing? And who am I securing it from?” If you are in Ukraine or Russia, here... ----- [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Katitza Rodriguez,](https://www.eff.org/about/staff/katitza-rodriguez) [Karen Gullo | March 3, 2022](https://www.eff.org/about/staff/karen-gullo) ### Negotiations Over UN Cybercrime Treaty Under Way in New York, With EFF and Partners Urging Focus on Human Rights While tensions run high across the globe over the invasion of Ukraine, the world’s governments are meeting at the UN this week and next to find common ground on a proposed treaty to facilitate international cooperation and coordination in computer crime investigations. The treaty, if approved, may reshape criminal laws... [Press Release | March 3, 2022](https://www.eff.org/updates?type=press_release) ### Cybersecurity Experts Urge EU Lawmakers to Fix Website Authentication Proposal That Puts Internet Users’ Security and Privacy at Risk SAN FRANCISCO—Electronic Frontier Foundation (EFF) technologists, along with 36 of the world’s top cybersecurity experts, today urged European lawmakers to reject proposed changes to European Union (EU) regulations for securing electronic payments and other online transactions that will dramatically weaken web security and expose internet users to increased risk of... ----- [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Jason Kelley,](https://www.eff.org/about/staff/jason-kelley) [India McKinney,](https://www.eff.org/about/staff/india-mckinney) [Matthew Guariglia | February 9, 2022](https://www.eff.org/about/staff/dr-matthew-guariglia-0) ### Victory! ID.me to Drop Facial Recognition Requirement for Government Services [First, the Internal Revenue Service reversed course from its](https://www.nytimes.com/2022/02/07/us/politics/irs-idme-facial-recognition.html) [recent announcement that it was](https://www.washingtonpost.com/technology/2022/01/27/irs-face-scans/) partnering with ID.me, a third-party identity verification service, to use facial recognition for verification of users managing many aspects of their taxes online. Now, ID.me—which provides identity verification services for dozens of government agencies—says... [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Alexis Hancock,](https://www.eff.org/about/staff/alexis-hancock) [Jon Callas | February 9, 2022](https://www.eff.org/about/staff/jon-callas) ### What the Duck? Why an EU Proposal to Require "QWACs" Will Hurt Internet Security It's become easier over the years for websites to improve their security, thanks to tools that allow more people to automate and easily set-up secure measures for web applications and the services [they provide. A proposed amendment to Article 45 in the EU’s Digital Identity Framework...](https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation) ----- [Deeplinks Blog by](https://www.eff.org/updates?type=blog) [Jason Kelley | February 8, 2022](https://www.eff.org/about/staff/jason-kelley) ### If EARN IT Passes, What Happens On Your iPhone Won't Stay On Your iPhone [Last year, Apple announced a controversial plan to install photo scanning software in every device.](https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life) Apple has long been seen as a pro-privacy company—billboards emblazoned with the slogan “What happens on your iPhone, stays on your iPhone” were common sights in 2019. A global coalition pushed back, and the... -----