Surveillance Malware Targets UAE Activist As Exploit Sellers Implicated

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

VUPEN denies its vulnerability was used to target notable UAE activist

A prominent activist from the UAE has been targeted by surveillance malware likely to have been created by an Italian company, with a French exploit seller implicated too, according to researchers.

Ahmed Mansoor, a blogger and part of the UAE Five, a group of Emirati activists who were imprisoned from April to November 2011 on charges of insult, was targeted by surveillance malware, according to Citizen Lab.

Mansoor was sent an email with a malicious attachment, which appeared to be a Microsoft Word file called ‘veryimportant.doc’, but was really an RTF file containing an exploit which allows the execution of code that downloads surveillance malware.
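The attachment worked because a file named ‘veryimportant.doc’ was really RTF, and Word will happily open an RTF file whatever its extension. A simple defensive check at a mail gateway is to compare the extension a file claims with the container format its first bytes reveal. The following is an added example, not code from the article or from Citizen Lab; the magic bytes are the standard ones (RTF starts with `{\rtf`, legacy .doc is an OLE compound file, .docx is a ZIP), and the sample inputs are constructed for illustration.

```python
import os
from typing import Optional

# Well-known leading bytes for the container formats involved.
SIGNATURES = {
    "rtf": b"{\\rtf",                                 # Rich Text Format
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",       # OLE2 compound file (legacy .doc)
    "zip": b"PK\x03\x04",                              # ZIP container (.docx)
}

# Container formats that are legitimate for each extension.
EXPECTED = {
    ".doc": {"ole"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}


def detect_container(data: bytes) -> Optional[str]:
    """Return the container name whose signature the data starts with, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose extension does not match the detected container.

    Unknown extensions or unrecognised content are reported but not flagged,
    so the check only raises on a positive contradiction like a .doc that is RTF.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_container(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual not in expected
    return {
        "filename": filename,
        "extension": ext,
        "container": actual,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    # Constructed sample: a file named like the one in the article but with RTF content.
    disguised = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Hello}"
    print(check_attachment("veryimportant.doc", disguised))
```

Running the block on the constructed sample reports `mismatch: True`; a genuine OLE .doc or ZIP-based .docx passes. The check is cheap and catches the disguise described above, though it says nothing about whether the RTF itself carries an exploit, so it belongs alongside, not instead of, content scanning.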

Exploit sellers involved?

The exploit, which triggers a buffer overflow in the handling of the RTF format so that the malware’s code can be written into the system’s memory and run, has been linked to the French exploit seller VUPEN.

The malware has been linked to Italian firm Hacking Team, which was implicated in creating a Mac OS Trojan, which was allegedly based on its Da Vinci cyber espionage tool.

“This information indicates that the sample matching ‘veryimportant.doc’ may be a demo copy of the Hacking Team RCS [Remote Control System] backdoor,” the researchers said. They pointed to promotional materials for the backdoor, which claim to offer surveillance on various communications, including email, instant messaging and Skype.

“The same promotional document mentions ‘Zero-day exploits’ as a possible remote infection vector. An additional sample which appears to install HackingTeam RCS was discovered in Virus Total,” the researchers added.

“This sample uses an exploit that has similarities in shellcode with ‘veryimportant.doc’. However, the exploit it uses is newer, the Adobe Flash Player ‘Matrix3D’ Integer Overflow. Searching for the origin of this exploit revealed a public mailing list post taking credit for discovery of this bug stating: ‘This vulnerability was discovered by Nicolas Joly of VUPEN Security’.”

The researchers admitted it was “possible that the exploit used here was not written by VUPEN but was independently discovered and weaponised by another party”.

But they warned “social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace”.

VUPEN has distanced itself from the exploit. “Exploits described by CitizenLab are NOT ours and their allegations are only based on a vulnerability overlap with no real proof, too lame,” VUPEN CEO Chaouki Bekrar tweeted.
