Page:NSA Report on Russia Spearphishing.pdf/4


TOP SECRET//SI//ORCON/REL TO USA, FVEY/FISA

DIRNSA

run an unknown payload from malicious infrastructure located at a U.S. IP address on port 8080, probably running a Microsoft-IIS/7.5 server. (COMMENT: The unknown payload very likely installs a second payload, which can then be used to establish access or survey the victim for items of interest to the threat actors.) The request used a user-agent string of "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko". Lastly, the malicious Microsoft Word documents hashed to the following values:

  • MD5 Hash: 5617e7ffa923de3a3dc9822c3b01a1fd,
  • SHA-1 Hash: 602aa899a6fadeb6f461112f3c51439a36ccba40, and
  • SHA-256 Hash: f489929f2de895425bdae2d5b232a726d66b9b2827d1a9ffc75d1ea37a7cf6c.
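The indicators above (document hashes, destination port, probable Server banner and user-agent string) are what an analyst would turn into a hunt. The following is an added example, not part of the report, showing two checks a practitioner would run before using them: a format validator for the hashes (as transcribed here the SHA-256 value has 63 hex digits, one short, so the validator reports it rather than guessing a character), and a scorer over a few constructed proxy-log lines that only alerts on the conjunction of indicators, because the user-agent string is the stock Internet Explorer 11 on Windows 7 string and port 8080 and IIS/7.5 are each common on their own. The log layout, host names and client addresses are hypothetical.

```python
import re

# Indicators as transcribed on this page of the report (hash values verbatim).
IOC_HASHES = {
    "md5": "5617e7ffa923de3a3dc9822c3b01a1fd",
    "sha1": "602aa899a6fadeb6f461112f3c51439a36ccba40",
    "sha256": "f489929f2de895425bdae2d5b232a726d66b9b2827d1a9ffc75d1ea37a7cf6c",
}
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
C2_PORT = 8080
SERVER_BANNER = "Microsoft-IIS/7.5"

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_hashes(hashes):
    """Check that each hash is hex of the right length for its algorithm.

    Returns {name: (is_valid, reason)}. A malformed value is reported, never
    padded or guessed: a hash that can match nothing silently is worse than none.
    """
    report = {}
    for name, value in hashes.items():
        v = value.strip().lower()
        want = EXPECTED_HEX_LEN[name]
        if not re.fullmatch(r"[0-9a-f]+", v):
            report[name] = (False, "contains non-hex characters")
        elif len(v) != want:
            report[name] = (False, f"{len(v)} hex characters, expected {want}")
        else:
            report[name] = (True, "ok")
    return report


# Constructed proxy-log lines in a hypothetical tab-separated layout:
# timestamp, client IP, destination host:port, user-agent, Server response header.
# Hosts and addresses are placeholders, not indicators from the report.
SAMPLE_PROXY_LOG = """\
2016-10-20T14:01:07Z\t10.0.0.21\tsvc.example.invalid:8080\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\tMicrosoft-IIS/7.5
2016-10-20T14:01:09Z\t10.0.0.22\tupdate.example.invalid:443\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\tApache
2016-10-20T14:02:30Z\t10.0.0.23\tcdn.example.invalid:8080\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\tMicrosoft-IIS/7.5
2016-10-20T14:03:12Z\t10.0.0.24\tmail.example.invalid:443\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\tnginx
"""


def score_proxy_lines(log_text):
    """Score each line by how many of the page's three network indicators it matches.

    The user-agent is the stock IE11-on-Windows-7 string, so it appears all over
    any enterprise; port 8080 and an IIS/7.5 banner are also common individually.
    Only the conjunction is worth an alert.
    """
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, client, dest, ua, server = line.split("\t")
        _host, _, port = dest.rpartition(":")
        matched = []
        if ua == USER_AGENT:
            matched.append("user-agent")
        if port.isdigit() and int(port) == C2_PORT:
            matched.append("port 8080")
        if server.startswith(SERVER_BANNER):
            matched.append("IIS/7.5 banner")
        results.append({"line": lineno, "client": client,
                        "matched": matched, "score": len(matched)})
    return results


def alerts(log_text, threshold=3):
    """Return the scored lines matching at least `threshold` indicators (default: all three)."""
    return [r for r in score_proxy_lines(log_text) if r["score"] >= threshold]


if __name__ == "__main__":
    for name, (ok, why) in validate_hashes(IOC_HASHES).items():
        print(f"{name}: {'OK' if ok else 'MALFORMED'} ({why})")
    for r in alerts(SAMPLE_PROXY_LOG):
        print(f"ALERT line {r['line']} client {r['client']}: {', '.join(r['matched'])}")
```

Lowering the threshold to 2 surfaces the lines worth a second look (port plus banner, or user-agent plus port) without paging on every IE11 client; the hash check is there because a copied indicator with a dropped character will never match a file and the failure is silent unless you validate it up front.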

Operational Accounts Spoofing Legitimate Elections-Related Services (S//REL TO USA, FVEY)

Spoofing E-mail Address Associated With U. S. Company 2 (U//FOUO)

(TS//SI//OC/REL TO USA, FVEY/FISA) In parallel to the aforementioned campaign, the   cyber threat actors created another new operational e-mail account, elevationsystem@outlook.com, on 19 October 2016. They then used this e-mail address to send a test message to another known   operational e-mail account. In that test e-mail, which was written in English, the threat actors spoofed U.S. Company 2 and offered election-related products and services. All e-mails associated with this account were later deleted, and it is unknown whether any targeting was conducted using this e-mail account. (COMMENT: Given that the e-mail body was written in English and prepared less than one month before the 2016 U.S. Presidential election, it was likely intended for U.S.-based targets.)

Spoofing Absentee Ballot E-mail Addresses (U//FOUO)

(TS//SI//OC/REL TO USA, FVEY/FISA) Additionally, the   cyber threat actors sent what appeared to be a test e-mail to two other accounts, requestabsentee@americansamoaelectionoffice.org and rquestabsentee@americansamoaelectionoffice.org. In both cases the actors received a response from the mail server on 18 October stating that the message failed to send, indicating that the two accounts did not exist.

(TS//SI//REL TO USA, FVEY) COMMENT: Given that the test e-mail did not contain any malicious links or attachments, it appeared that the threat actors' intent was to create the e-mail accounts rather than compromise them, presumably with the purpose of mimicking a legitimate absentee ballot-related service provider.
