The Valdorian Times Post-Incident Report
On January 22, 2024, The Valdorian Times published an unapproved article that made defamatory statements about a candidate in the Valdoria mayoral race. While the newspaper was planning to publish an OpEd on both candidates the morning of the election, the article that was published did not match the article that had been approved by the editor for publication.
The Newspaper Printer for The Valdorian Times, Clark Kent, reported that he printed the article he received via email on the evening of January 21, 2024. This email was sent from ronnie_mclovin@valdoriantimes.news with the subject line URGENT: Final OpEd Draft Edits (Please publish the following article in tomorrow's paper). The email contained a link to the draft of the article, titled OpEdFinal_to_print.docx. While Ronnie McLovin was responsible for making final edits to the article, she fell asleep early on January 21, 2024, and failed to send the final draft of the approved article. As a result, The Valdorian Times staff concluded that the fraudulent article had been sent to the printer by an unauthorized entity.
Sonia Gose, a Valdorian Times IT Specialist, reported that on January 10, 2024, he received a suspicious email from newspaper_jobs@gmail.com. Gose clicked a link in this phishing email, which directed him to hire-recruit.com and resulted in the download of a malicious file, Valdorian_Times_Editorial_Offer_Letter.docx. On 2024-01-10, this document was opened, after which it dropped a malicious PowerShell script, hacktivist_manifesto.ps1. This script then created a scheduled task, downloaded plink, and initiated a connection to the attacker-controlled IP 205.129.146.36.
Following this, the attacker used the established plink tunnel to run system discovery commands on the compromised system. No further post-compromise activity was detected on this system.
In total, newspaper_jobs@gmail.com was used to target 6 users at The Valdorian Times. Ronnie McLovin, The Valdorian Times’ Editorial Intern, was also targeted in this phishing campaign on 2024-01-10. The phishing email sent to Ronnie McLovin contained a link to hire-recruit.com, which directed the user to download a malicious document Valdorian_Times_Editorial_Offer_Letter.docx. In similar fashion to the activity observed on Sonia Gose’s machine, the document file dropped hacktivist_manifesto.ps1, which led to deployment of plink on the compromised device. This gave the attackers hands-on-keyboard access to Ronnie McLovin’s device.
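The execution chain seen on both compromised machines (Office document spawning PowerShell, PowerShell creating a scheduled task, plink connecting out to the attacker IP) is the kind of sequence endpoint telemetry can correlate per host. The following is an added detection example, not part of the original report: the event tuple layout, host names and command lines are constructed sample data, and only the script name, tool name and IP come from the report.

```python
from collections import defaultdict

# Constructed sample endpoint events (host, timestamp, event type, parent image,
# image, command line or destination). The field layout is an assumption made for
# this example; the script name, plink and the C2 address come from the report.
SAMPLE_EVENTS = [
    ("WS-GOSE", "2024-01-10T09:14:02", "ProcessCreate", "winword.exe", "powershell.exe",
     "powershell.exe -f hacktivist_manifesto.ps1"),
    ("WS-GOSE", "2024-01-10T09:14:05", "ProcessCreate", "powershell.exe", "schtasks.exe",
     "schtasks.exe /create /tn PLACEHOLDER_TASK"),
    ("WS-GOSE", "2024-01-10T09:14:40", "NetworkConnect", "powershell.exe", "plink.exe",
     "205.129.146.36:22"),
    ("WS-MCLOVIN", "2024-01-10T11:20:13", "ProcessCreate", "winword.exe", "powershell.exe",
     "powershell.exe -f hacktivist_manifesto.ps1"),
    ("WS-MCLOVIN", "2024-01-10T11:21:02", "NetworkConnect", "powershell.exe", "plink.exe",
     "205.129.146.36:22"),
    # Benign noise: an admin backup script launched from Explorer, and a lone C2 hit.
    ("WS-FINANCE", "2024-01-10T10:02:11", "ProcessCreate", "explorer.exe", "powershell.exe",
     "powershell.exe -f backup.ps1"),
    ("WS-LOBBY", "2024-01-10T10:40:00", "NetworkConnect", "chrome.exe", "chrome.exe",
     "205.129.146.36:443"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
KNOWN_C2 = {"205.129.146.36"}  # attacker-controlled IP named in the report


def classify(event):
    """Map one event to a stage of the reported chain, or None if it matches nothing."""
    _host, _ts, kind, parent, image, detail = event
    parent, image, detail = parent.lower(), image.lower(), detail.lower()
    if kind == "ProcessCreate" and parent in OFFICE_PARENTS and image == "powershell.exe":
        return "office_spawns_powershell"
    if kind == "ProcessCreate" and parent == "powershell.exe" and image == "schtasks.exe" \
            and "/create" in detail:
        return "powershell_creates_task"
    if kind == "NetworkConnect" and (image == "plink.exe" or detail.split(":")[0] in KNOWN_C2):
        return "plink_or_c2_connection"
    return None


def correlate(events, min_stages=2):
    """Return hosts that hit at least min_stages distinct stages, in chronological order."""
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        tag = classify(ev)
        if tag and tag not in stages[ev[0]]:
            stages[ev[0]].append(tag)
    return {host: seq for host, seq in stages.items() if len(seq) >= min_stages}
```

A single stage (the lone outbound hit from WS-LOBBY) is left for triage rather than alerted on, while both victim hosts surface with their stages in order.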
After gaining hands-on-keyboard access to Ronnie’s device, the attackers downloaded fakestory.docx from the domain hire-recruit.com. The attackers then renamed this file to OpEdFinal_to_print.docx. Less than 1 hour after the file was downloaded and renamed, it was emailed to Clark Kent with the subject line URGENT: Final OpEd Draft Edits (Please publish the following article in tomorrow's paper). This file contained the falsified story that was ultimately printed, defaming the mayoral candidate.
Shortly after sending the falsified story, the attackers also exfiltrated data from Ronnie McLovin’s machine, including documents, desktop contents, and dank memes. These files were compressed in a 7zip archive and then uploaded to a custom portal at hirerecruit.com.