Malware is usually loaded with brilliant code, but then again, sometimes it is not.
The experts in France came across a malicious element in an email sent to Areva — a French multinational industrial conglomerate known for its interest in nuclear power and other energy projects.
The email analyzed by researchers came with an executable that extracted a number of family photographs, an iTunes file and a PDF file. While the images were likely stolen from the computer of an unwitting user, the PDF actually contained a scanned printout of an internal email from Areva-NC in Normandie.
The information it contained wasn’t of major importance, but it clearly showed Areva wasn’t a random target.
The malware itself is actually the DarkComet Remote Administration Tool, the one used in numerous malicious campaigns.
The interesting thing is that the attack can't cause any damage to devices, because the application is not properly configured.
Snorre Fagerland, principal security researcher in the Malware Detection Team (MDT) at Norman, said the Trojan was installed but never executed. Furthermore, it is not properly configured, the overall file is very large (around 30 MB), and the iTunes file is empty and doesn't contain any malicious code.
Fagerland said there are three possible scenarios: the attack is real but doesn't work because the attackers misconfigured the Trojan; it may only be a test build; or it is simply there to confuse researchers.
“There is another theory, which I have to consider but don't know whether to laugh or cry over: It is possible that the attacker has by accident included not only his ‘attack files’ – the AREVA PDF and the failed DarkComet – but somehow managed to include other files. Like for example a whole folder. Which may have contained his own family pictures,” he said.