A targeted phishing campaign against government entities in Persian Gulf and Middle East countries was detected earlier this month. The campaign exploited the heightened tension in the region following the killing of Iranian general Qasem Suleimani at Baghdad airport, using emails purporting to come from the Ministries of Foreign Affairs of the Kingdom of Bahrain, Saudi Arabia and the United Arab Emirates.
The campaign was detected and reported by researchers at Blue Hexagon, a firm that applies artificial intelligence (AI) techniques originally developed to detect malware hidden in images to the detection of malware hidden in network traffic.
The campaign was delivered via a legitimate email marketing provider. The malware payloads were hosted on Google Drive, and command and control (C2) communication went through Twitter. The use of legitimate public services in malware attacks is a growing trend among attackers. Traffic to such services blends in with normal activity and cannot simply be blocklisted, so the attack flies under the radar of standard detection; it helps disguise the attackers, since there is no attacker-registered C2 domain or server that could overlap with infrastructure seen in other known attacks; and the infrastructure is easily dismantled and reassembled elsewhere in the event of discovery.
This is not an attack technique that has been associated with Iranian actors in the past, and is part of the reason that Blue Hexagon does not believe the campaign — despite the phishing lure — has any direct link to Iran. “Although attribution is difficult,” Irfan Asrar, head of cyber threat intelligence and operations at Blue Hexagon told SecurityWeek, “we can say with pretty high confidence that this attack is not coming out of Iran. It seems to be an attempt by eastern European actors to use the current situation to gain access to important government institutions, including embassies and government officials.”
The lure is based on the death of Qasem Suleimani and the subsequent tensions throughout the Middle East. The countries targeted can be called regional allies of the U.S., and are exactly the countries that typically bear the brunt of Iranian ‘revenge’ attacks against the U.S. The document attached to the emails shows images of Suleimani and Iran’s traditional ‘red flag of revenge’. These images and much of the text are blurred. The implied message is: ‘you should expect revenge attacks from Iran; this document contains information from the ministry; and you need to enable content (macros) in Word to read it.’
However, if macros are enabled, malicious payloads hosted on Google Drive are downloaded, including a backdoor/RAT. “Once enabled,” write the researchers, “a malicious macro embedded in a document that is downloaded will be executed to download an additional executable payload.” One of the downloads is a humorous cartoon involving Mr Bean (again, not something that would normally be associated with an Iranian attacker) that carries an encrypted backdoor/RAT.
“If the number of payloads being downloaded seems confusing,” continue the researchers, “keep in mind that the more payloads that are dropped/downloaded, the more modular the attack; additionally, this makes analyzing and investigating the attack more complicated.”
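The chain described above (a Word macro that fetches payloads from Google Drive, stages further executables, and a backdoor that uses Twitter as its C2 channel) cannot be caught by domain reputation, because every host involved is legitimate. What can be caught is the process lineage: an Office process, or anything descended from one, has no business talking to Google Drive or Twitter or launching script hosts and executables from user-writable directories. The following is an added example, not code from the article or from Blue Hexagon; it runs that correlation over constructed, Sysmon-like sample telemetry (EventID 1 = process create, EventID 3 = network connection). The host lists, process names and paths are assumptions for the example, not indicators from the report.

```python
"""Hunt for the macro -> Google Drive -> dropped backdoor -> Twitter C2 chain
by correlating process lineage with network destinations.

Added example; the events below are constructed sample telemetry in a loosely
Sysmon-like shape, and the host lists are assumptions, not report indicators.
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
STAGER_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
PAYLOAD_HOSTS = {"drive.google.com", "docs.google.com"}   # payload hosting (assumed names)
C2_HOSTS = {"twitter.com", "api.twitter.com", "t.co"}     # C2 channel (assumed names)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def _base(path):
    """Image name without directory, lower-cased, for Windows paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """pid -> (image name, parent pid), built from process-create events."""
    tree = {}
    for e in events:
        if e["EventID"] == 1:
            tree[e["ProcessId"]] = (_base(e["Image"]), e["ParentProcessId"])
    return tree


def office_ancestor(pid, tree, max_depth=16):
    """Return the pid of the closest Office process in pid's ancestry (pid itself
    counts), or None. max_depth guards against pid-reuse loops in real telemetry."""
    for _ in range(max_depth):
        if pid not in tree:
            return None
        image, parent = tree[pid]
        if image in OFFICE_PROCESSES:
            return pid
        pid = parent
    return None


def hunt(events):
    """Return (kind, pid, image, detail) findings for every Office-lineage event
    that matches one link of the chain."""
    tree = build_process_tree(events)
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            image = _base(e["Image"])
            if office_ancestor(e["ParentProcessId"], tree) is None:
                continue
            if image in STAGER_CHILDREN:
                findings.append(("office_spawns_script_host", pid, image, e["Image"]))
            elif any(p in e["Image"].lower() for p in USER_WRITABLE):
                findings.append(("office_lineage_runs_dropped_exe", pid, image, e["Image"]))
        elif e["EventID"] == 3:
            if office_ancestor(pid, tree) is None:
                continue  # a browser talking to Twitter or Drive is normal
            image = tree[pid][0]
            host = e.get("DestinationHostname", "").lower()
            if host in PAYLOAD_HOSTS:
                findings.append(("office_lineage_fetches_from_payload_host", pid, image, host))
            elif host in C2_HOSTS:
                findings.append(("office_lineage_twitter_c2", pid, image, host))
    return findings


# Constructed sample telemetry (not real data): Outlook opens the lure in Word, the
# macro fetches from Drive and launches PowerShell, which runs a dropped executable
# that beacons to Twitter. Chrome visiting Twitter is included as a benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 50, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "ProcessId": 200, "DestinationHostname": "officecdn.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 200, "DestinationHostname": "drive.google.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 3, "ProcessId": 400, "DestinationHostname": "api.twitter.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 50, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 3, "ProcessId": 500, "DestinationHostname": "twitter.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for kind, pid, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind:40} pid={pid:<5} {image:16} {detail}")
```

The pivot is the ancestry check, not the destination: the same `twitter.com` connection from Chrome produces nothing, while the one from an executable three hops below WINWORD.EXE does. In production the allowlists need tuning (Office does fetch from Microsoft CDNs and SharePoint, and some organisations legitimately open Drive-hosted documents in Word), pids must be paired with process creation time or GUIDs to survive reuse, and the lineage walk is only as good as the completeness of the process-create feed.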
The malicious code employed has some overlaps with known malware, but not enough to tie it to a specific family or its authors.
Despite Blue Hexagon’s belief that Iran is not involved in the attack, it is worth noting that the campaign’s motivation is difficult to establish. The exclusion of Qatar from the targeted countries hints at a political motivation, and Iran is well known for using proxies, both physical and cyber, rather than direct involvement. Nevertheless, using proxies from Eastern Europe would be new and unusual.
Be that as it may, the attacks most likely came out of eastern Europe and were undertaken by a sophisticated group. “Definitely, these guys have experience,” Asrar told SecurityWeek. “They’ve done this before, given the quick turnaround. We believe the attacks started just after the first week of January (Soleimani was killed January 2, 2020). Around 14 January we started notifying the people who were impacted; but within days we began to see parts of the infrastructure being dismantled. It seems they wanted to get in, get information, and pull out. That alone implies that these people have done this before.”
But that’s the nature of this type of attack. Once the methodology is established, the infrastructure can be torn down, moved and reassembled for a new campaign very rapidly.