
MESSAGEMANIFOLD Malware

Posted: December 7, 2020


Activists and political entities in Taiwan and Tibet are the targets of a new campaign that relies on spear-phishing emails to deliver a malicious implant. The implant is a previously unknown malware sample that has been given the name MESSAGEMANIFOLD. The spear-phishing emails used to deliver the MESSAGEMANIFOLD Malware are themed around political topics of interest in Taiwan and Tibet, and the file attachments carry lure names such as 'dalailama-Invitations.exe.' Not every email carries an attachment: some of the samples instead directed recipients to a Google Drive link that prompted them to download the file. Abusing a legitimate service such as Google Drive to host the payload is a common way for attackers to make the lure look more believable.
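The two delivery tricks described above, an executable attachment with an invitation-style lure name and a Google Drive download link in the body, are both cheap to flag at the mail gateway. The following is an added triage example, not code from the original report or from any vendor's product: it parses an RFC 822 message with Python's standard `email` library, flags attachments whose final extension is executable (including double-extension names such as `invitation.pdf.exe`) and extracts Google Drive/Docs links from the body. The sample messages are constructed inline for this example; the sender addresses, subjects and link IDs are assumptions and not indicators from the campaign.

```python
"""Triage spear-phishing mail for the delivery tricks described in the text.

Constructed example, not code from the original page. Flags:
  * attachments whose final extension is executable
    (e.g. dalailama-Invitations.exe, invitation.pdf.exe);
  * Google Drive / Docs links in the message body.
All sample messages, addresses and link IDs below are made up.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly; extend to taste.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".hta", ".lnk", ".msi"}

# drive.google.com and docs.google.com URLs, stopping at whitespace/quotes.
DRIVE_URL_RE = re.compile(
    r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>]+", re.IGNORECASE)


def executable_attachments(msg: EmailMessage) -> list:
    """Return attachment filenames whose *last* extension is executable."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        # rsplit on the last dot so "invite.pdf.exe" is judged by ".exe".
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        if ext in EXEC_EXTS:
            hits.append(name)
    return hits


def drive_links(msg: EmailMessage) -> list:
    """Return Google Drive/Docs URLs found in the text or HTML body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return DRIVE_URL_RE.findall(text)


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exe = executable_attachments(msg)
    links = drive_links(msg)
    return {
        "subject": msg["Subject"],
        "executable_attachments": exe,
        "drive_links": links,
        # Either trick alone is enough to pull the mail for analyst review.
        "suspicious": bool(exe or links),
    }


def build_sample(attachment_name=None, body_text="") -> bytes:
    """Construct a test message (assumed sender/recipient, not real data)."""
    m = EmailMessage()
    m["From"] = "organizer@example.invalid"   # assumption
    m["To"] = "activist@example.invalid"      # assumption
    m["Subject"] = "Invitation"
    m.set_content(body_text)
    if attachment_name:
        # A few bytes standing in for a PE; the content is irrelevant here.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("dalailama-Invitations.exe",
                     "Please find the invitation attached."),
        build_sample(None, "Agenda: https://drive.google.com/uc?export=download&id=1AbCdEf"),
        build_sample("agenda.pdf", "See attached agenda."),
    ]
    for raw in samples:
        print(triage(raw))
```

Run against an mbox or a gateway's quarantine feed, the `suspicious` flag is a cheap first-pass filter; a real deployment would also resolve the Drive link (in a sandbox) and hash the attachment before a verdict.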

Cyber-espionage activity against these regions has been high for the past couple of years, and it is usually attributed to state-sponsored Chinese hackers. The MESSAGEMANIFOLD Malware, however, has not yet been attributed to any specific threat group.

The MESSAGEMANIFOLD Malware is still being analyzed. So far, it has been observed to contact its Command and Control (C2) server as soon as it is executed. This initial beacon transmits only generic information about the compromised system; the malware does not collect detailed host data. The control server is likely meant to answer with further instructions, but no such response has been observed yet.

The carefully chosen targets and the low volume of activity suggest that the operators of the MESSAGEMANIFOLD Malware are selective about whom they go after and have planned their campaign in advance. It is highly unlikely that the MESSAGEMANIFOLD Malware will be used against ordinary computer users or networks outside of Taiwan and Tibet.
