Malware discovered in the Stratfor email file dump; researcher says curated content on the WikiLeaks website may also be infected
Josh Wieder, a researcher who was browsing through the WikiLeaks dump of the Stratfor leak, found that many of the documents were laced with malware.
Stratfor, a US think tank dealing in security matters, was hacked by Jeremy Hammond in late 2011; Hammond then passed its email archives to WikiLeaks in early 2012. WikiLeaks made the dump public, as it does with every leaked document it receives.
Wieder combed through the dump of some five million emails and found malware hidden in many of the attached documents.
Wieder states on his blog that, “The data is indeed massive, over 5.5 million emails. Perhaps so massive that ~ two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL sometime around 2012).”
According to Wieder, a lot of the malware is smuggled in as VBScript macros, or as OLE and PE files. It’s possible there are more infected files lurking in WikiLeaks’ databases of unfiltered data.
One internal memo dated February 2011, about Cyrenaica and Tripolitania, triggers malware alarms on VirusTotal because it includes a code-execution exploit for Microsoft Office on Windows and Mac (CVE-2010-3333).
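The practical lesson of the two paragraphs above is that a bulk email dump has to be triaged by container type before anyone double-clicks an attachment. The script below is an added example (it is not from the article and is not Wieder’s own tooling): it identifies attachments by their leading bytes rather than their extension, sorting them into the containers the article names (OLE compound documents that can carry VBA macros, PE executables, and RTF, the Office format whose parser CVE-2010-3333 targets), and flags the ones that deserve a sandbox or an AV scan. The magic-byte constants are the documented format signatures; the macro and embedded-executable checks are deliberately simple heuristics, and the sample files are constructed inline.

```python
"""Triage extracted email attachments by container type before anyone opens them.

Added example, not code from the article. Classification uses file signatures;
the macro / embedded-PE checks are heuristics, not a full OLE or RTF parser.
"""
import os
import tempfile
from typing import Dict, List

# Leading bytes of the container formats the article says carried the malware.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc/.xls/.ppt)
PE_MAGIC = b"MZ"                                  # Windows executable (DOS header)
RTF_MAGIC = b"{\\rt"                              # Word also accepts this truncated RTF header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsm) is a zip container

# Heuristic markers (assumptions for this example; a real parser would walk the structures).
VBA_STREAM_MARKER = b"V\x00B\x00A\x00"            # OLE directory entry names are UTF-16LE
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
VBA_PROJECT_PART = b"vbaProject.bin"              # macro part name inside an OOXML zip


def classify(data: bytes) -> str:
    """Identify the container type from magic bytes, never from the file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "other"


def triage(data: bytes) -> Dict[str, object]:
    """Return the container type plus every reason the file deserves a closer look."""
    kind = classify(data)
    flags: List[str] = []
    if kind == "pe":
        flags.append("standalone executable")
    if kind == "ole" and VBA_STREAM_MARKER in data:
        flags.append("VBA macro project stream present")
    if kind == "ooxml-zip" and VBA_PROJECT_PART in data:
        flags.append("vbaProject.bin present (macro-enabled OOXML)")
    if kind == "rtf":
        flags.append("RTF: Office parser attack surface (e.g. CVE-2010-3333), open only in a sandbox")
    # A document that carries the DOS-stub text of an executable is hiding a PE payload.
    if kind != "pe" and DOS_STUB_TEXT in data:
        flags.append("embedded PE payload")
    return {"type": kind, "flags": flags, "suspicious": bool(flags)}


def triage_dir(root: str) -> List[Dict[str, object]]:
    """Walk a directory of extracted attachments and triage each file."""
    report: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            entry = triage(data)
            entry["name"] = os.path.relpath(path, root)
            report.append(entry)
    return report


# Constructed sample attachments: no real malware, only the structural markers.
SAMPLES: Dict[str, bytes] = {
    "memo.doc": OLE_MAGIC + b"\x00" * 64 + b"R\x00o\x00o\x00t\x00" + VBA_STREAM_MARKER + b"\x00" * 16,
    "dropper.doc": OLE_MAGIC + b"\x00" * 64 + PE_MAGIC + b"\x90" * 32 + DOS_STUB_TEXT,
    "tool.exe": PE_MAGIC + b"\x90" * 58 + DOS_STUB_TEXT + b"\x00" * 16,
    "memo.rtf": b"{\\rtf1\\ansi Quarterly notes on the region.}",
    "notes.txt": b"Plain text attachment with nothing in it.",
}


def demo() -> List[Dict[str, object]]:
    """Write the constructed samples to a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return triage_dir(tmp)


if __name__ == "__main__":
    for row in demo():
        status = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{row['name']:<12} {row['type']:<10} {status}  {'; '.join(row['flags'])}")
```

Run it against a directory of attachments pulled out of the dump (with a real extractor such as `munpack` or a Python `email` walk) and hand everything marked SUSPICIOUS to a sandbox or a multi-engine scanner rather than opening it; the point is that a `.doc` or `.rtf` extension says nothing about whether the file is safe, only the bytes do.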
Wieder, who has blogged about his findings here and in more detail here, has compiled a list of the Stratfor emails that contain such malware. The list can be found in his paste here.
Wieder says that he tried to contact the WikiLeaks administrators but received no response, despite the extensive research he had put into documenting the malware hidden in the dump.
“Since that time I have made numerous attempts to contact Wikileaks so that they could inform their users that the torrent contained malicious software. After receiving no response, I began to publicize my findings by posting them on Hacker News/Ycombinator and similar sites like Slashdot and Reddit. My post on Hacker News quickly reached the front page and attracted the attention of the former leader of Lulzsec, Hector Monsegur (aka sabu), who confirmed the validity and importance of my findings in a series of public tweets.”
Wieder adds that the malware may not be limited to the Stratfor dump: WikiLeaks’ curated content may also contain such malware.