Urgent Security Alert for Bahraini Activists

We have identified a very recent targeted digital attack on members of Al-Wefaq political society living outside of Bahrain. So far four cases have been identified.

What does the attack look like?

Targets have received emails that contain malicious spyware. The emails look like the following:

Email 1:

From: [email protected]
Subject: معلومات هامه بالرجاء اطلاعكم (Important information, please review)

The information is confirmed and from high-level sources, dated 29-9-2015
Concerning Yemen, Saudi Arabia, the Islamic Republic and Bahrain

The email contains two attachments:


Email 2:

From: [email protected]
Subject: بريدك الالكتروني على وشك الاغلاق التام (Your email is about to be completely shut down)

As part of further security measures taken by Google to protect its users, it has become necessary to impose restrictions requiring them to activate their accounts on an ongoing basis, in order to avoid any closure of your account that could cause you to lose control of this mailbox. Therefore, for the safety of our users, we ask that you activate your email within no more than 24 hours of receiving this notice.
Please visit Activate your account to avoid the problem of account suspension.

The email then contains a URL link which, when you click it, takes you to a page that resembles a Google page and asks you to input your username and password.

What does this spyware do?

The .gz files in the attachment contain a .vbs file, which downloads a bait document and another .vbs file from a file hosting site. When the spy program self-executes, it reports back some system information: OS version, PC name, and which antivirus you have. It can also accept additional spyware.
This allows the hacker to infect you based on the information it posts back.
The hacker's Skype ID is iman.jard.
The servers used for this attack appear to be based in Palestine.
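
A triage check for the delivery method described above, added here as an example and not part of the original alert: it scans a saved raw email for gzip attachments whose stored inner file name is a script. The function names, the sample message and the script extensions other than .vbs are assumptions made for this illustration.

```python
import gzip
import io
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the alert names only .vbs; the other script extensions are added here.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsf")

def gzip_member_name(data: bytes):
    """Return the original file name stored in a gzip header (RFC 1952 FNAME), or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    flags, pos = data[3], 10
    if flags & 0x04:  # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if not flags & 0x08:  # FNAME flag not set, so no name is stored
        return None
    end = data.find(b"\x00", pos)
    return data[pos:end].decode("latin-1") if end != -1 else None

def suspicious_attachments(raw_message: bytes):
    """Return (attachment name, inner name) for gzip parts that wrap a script file."""
    hits = []
    for part in message_from_bytes(raw_message, policy=policy.default).walk():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] != b"\x1f\x8b":  # judge by content, not by the declared MIME type
            continue
        outer = part.get_filename() or ""
        # With no stored name, gunzip would produce the outer name minus ".gz".
        inner = gzip_member_name(payload) or outer.removesuffix(".gz")
        if inner.lower().endswith(SCRIPT_EXTS):
            hits.append((outer, inner))
    return hits

def constructed_sample(inner_name: str = "report.doc.vbs") -> bytes:
    """Constructed message: a gzip attachment wrapping a harmless text placeholder."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf) as gz:
        gz.write(b"' placeholder text, not a real script\r\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="gzip", filename="report.gz")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(constructed_sample()))
```

The check reads only the gzip header and never decompresses or executes the attachment, so it can be run on a quarantined .eml file.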

If you believe you have been targeted please do the following:
1. Do not open the file or click on the link
2. Forward the emails to [email protected] with the full header

As part of BahrainWatch and Hivos International’s AmanaTech Project, we monitor and investigate ongoing digital security risks to Bahraini civil society groups. Do not hesitate to contact us for advice.