Malaysia's 2013 general elections are scheduled for Sunday, May 5, 2013. Political news coverage is currently inundating all news outlets, including social networking sites, as the country's political parties go into high gear in the final run-up to polling day.
The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques — and sure enough, this week Citizen Lab released a report indicating that a sample of the sophisticated FinFisher (a.k.a. FinSpy) surveillance malware was discovered in a document crafted specifically for this event.
The malware was distributed in a booby-trapped Malay-language Microsoft Word document named "SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" (In English: "List of proposed candidates for 13th General Elections according to states").
The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country's history. F-Secure detects the document in question as Trojan:W32/FinSpy.D.
FinFisher is produced by a European company called the Gamma Group. As we mentioned in a previous post, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia. The ISS event serves as a trade fair for surveillance software (attendance is by "invitation" or if you are a "telco service provider, government employees or law enforcement officer").
Additionally, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook, and Malaysiakini (a popular Malaysian online news site) have been subjected to various forms of disruption, including defacements, denial of service attacks, and filtering.
F-Secure Labs is observing the situation. We saw a rise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase was due to election-related activity or something else.