Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Actor Targeting Middle East Shows Excellent OPSEC

An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say. 

An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say. 

As part of these targeted attacks allegedly confidential decoy documents supposedly written by the Jordanian publishing and research house Dar El-Jaleel were used, as well as VBScript, PowerShell, and VBA scripts that would dynamically load and execute functions retrieved from a command and control (C&C) server.

The threat actor(s) was particularly careful to camouflage the infrastructure and used several reconnaissance scripts to check the validity of victim machines. The actor was observed blocking systems that didn’t meet their criteria, filtering connections based on their User-Agent strings, and hosting the infrastructure on CloudFlare. 

Attacks start with a VBScript designed to create a second stage PowerShell script that would create a Microsoft Office document and to open it. The document was purportedly written by Dar El-Jaleel, an institute well-known for their research of the Palestinian-Israeli conflict and the Sunni-Shia conflict in Iran. 

Supposedly a confidential analysis report on Iranian activities within the Syrian civil war, the document contains a macro designed to create a WSF (Windows Script File) file and to execute it. The WSF script, Talos discovered, is the main part of the infection and contains a User-Agent used to identify the targets.

The script first registers the infected system with a command and control server and executes an infinite loop, trying to contact the /search URI every 5 seconds to download and execute payloads.

These payloads are of three types, but all are VBScript functions loaded and executed on the fly using the ExecuteGlobal() and GetRef() APIs, differentiated by the number of arguments supplied: none, one, or two. The security researchers received five different functions, all obfuscated. 

A reconnaissance function was received a few minutes after the initial compromise, meant to retrieve information from the infected system: disk volume serial number, installed anti-virus software, Internet IP address, computer name, username, Operating System, and architecture. All data is sent to the C&C. A second reconnaissance function was used to list the drives of the system and their type. 

Advertisement. Scroll to continue reading.

Two functions meant to achieve persistence for the WSF script were received as well: one script was used to persist, while the second was meant to clean the infected system. 

The system also received a pivot function, which was meant to execute a PowerShell script. In turn, the script would execute a second base64 encoded script. 

One last PowerShell script served to the system was meant to download shellcode from 176[.]107[.]185[.]246 IP, map it in memory, and execute it. While the shellcode wasn’t retrieved during investigation, the process revealed the many precautions the attacker takes before delivering the payload. 

The attacker’s C&C is protected by CloudFlare, which makes it difficult to track and analyze the campaign. The researchers noticed that the actor was active during the morning (Central European Time zone), and that payloads were only sent during that time. 

Furthermore, the attacker’s server becomes unreachable after serving the shellcode (the firewall is disabled for a few minutes to allow the download to go through). The actor was also observed blacklisting some of the researchers’ specific User-Agent strings and IP addresses.

“This high level of OPSEC is exceptional even among presumed state sponsored threat actors,” Talos notes. 

The VBScript used during this campaign shows similarities to Jenxcus (also known as Houdini/H-Worm), but the researchers are not sure whether the actor used “new version of Jenxcus or if this malware served as the inspiration for their own malicious code.”

While Jenxcus’ source code is available on the Internet, the adaptation observed in these attacks is more advanced, with the functions loaded on demand and the initial script including only parts of the code, not all of it. 

The security researchers were also able to identify different targets based on the User-Agent and say that targeted campaigns using Dar El-Jaleel decoy documents were observed before. In fact, the same decoy documents were observed in several attacks in 2017, but it is not clear if the same actor is behind all of them. 

“These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region,” Talos notes. 

Related: Middle East ‘MuddyWater’ Attacks Difficult to Clear Up

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.