Blue Hexagon Blog

New Targeted Attack Campaign in the Middle East

This blog describes an attack that takes advantage of heightened tensions in the Middle East to target numerous targets. This is Part II of attacks targeting the Middle East; Part 1 was on the Dustman malware.

Here’s a quick overview of the unique aspects of this attack, the detailed analysis is below: 

  • A targeted phishing campaign was initiated, but instead of general malspam tactics, attackers sent infected payloads via a legitimate email marketing provider to targets in the Persian Gulf and the Middle East. Most enterprises have a blacklist of URLs/domains that they block email from. Using a known vendor would likely bypass existing email security tools.
  • The malware being distributed was a malicious attachment:
    • a document purporting to be official correspondence from the Ministry of Foreign Affairs Bahrain, Saudia Arabia and the UAE respectively. 
    • The document is themed around the death of Qasem Suleimani and asking users to open the doc.
  • The emails/docs seem to be capitalizing on the Iranian news, but we believe the attackers have no direct connection to Iran. 
Overview of targeted attacks in phases
Figure 1: Overview of Attacks in Phases

Detailed Analysis

Our investigation into this case began over a week ago. We identified a targeted phishing campaign abusing a legitimate email marketing service as a way to fly under the radar of spam filters. Most email marketing services allow you to upload attachments to be sent as part of an email campaign. In this case, the malicious documents were uploaded and hosted on the site of the marketing service itself. We have since notified the email marketing service, but it appears most providers are prepared for dealing/handling spam abuse rather than their services being used for malicious targeted attacks. 

Under the guise of official communications from the Ministry of Foreign Affairs of the Kingdom of Bahrain (البحرين‎), Saudia Arabia (ٱلْمَمْلَكَة ٱلْعَرَبِيَّة ٱلسَّعُوْدِيَّة) and the United Arab Emirates (الإمارات العربية المتحدة‎) respectively, the campaign was themed to recent events involving Qasem Soleimani.

One thing is very clear, every single aspect of this attack was carefully thought out. It’s no surprise that the attackers picked the United Arab Emirates, Saudia Arabia, Bahrain as part of the ruse. These three Kingdoms in the GCC, have strong clout in the region and are regarded as political influencers. Notably absent from the regions that were targeted was the State of Qatar دولة قطر  which has broken official ties with neighboring countries in the GCC.  

Bahrain document with APT
Figure 3: Bahrain document with APT
UAE document with APT
Figure 4: UAE Document with APT

Technical Details 

The attachment arrives as a document that is partly blurred, asking the victim to enable additional actions with the false notation that the content will be more visible. 

Multi-stage payload
Figure 5: Multi-stage payload

Once enabled, a malicious macro embedded in a document that is downloaded will be executed to download an additional executable payload. If the numerous number of payloads being downloaded seems confusing, keep in mind that the more payloads that are dropped/downloaded, the more modular the attack; additionally this makes analyzing and investigating the attack more complicated.

Steganography  

hxxxs://doc-00-a8-docs.googleusercontent.com/docs/securesc/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?e=download

The attack incorporated the use of steganography to hide malicious payloads in plain sight. Multiple images were used to facilitate additional phases of the attack by enclosing an encrypted executable. 

encrypted executable
Figure 6: Image decryption routine

Usage of Legitimate Services In C2/Exfiltration

The campaign involved several stages, from the initial phishing email to the final payload that was intended to carry out surveillance/intelligence gathering on the infected machine. The important point to note here is the abuse of legitimate services such as Google Drive, Twitter, ImgBB as a part of the command and control and data exfiltration mechanism. Google Drive was used to store the malicious payloads to be downloaded, while the malware was communicating to Twitter for specific commands such as “take a screenshot and upload.” Any data was uploaded to third party image hosting site ImgBB.

command and control code
Figure 7: Part of the Command and Control Code

The use of Twitter, Google Drive, ImgBB as a part of the delivery/command and control infrastructure was a brilliant tactic for several reasons. Using legitimate services is an obvious way to get around firewalls. The countries that were targeted all observe restricted internet access but allowed the use of these services.

Conclusion 

Despite the fact that the theme that was used in the phishing campaign was related to Iran, from the analysis of the samples/artifacts involved, we don’t believe that the people behind this attack have direct ties to Iran. but are using the heightened state of security in the region as a tactic to ensure the success of the attack. 

Special Thanks to Rohit Kashibatla for his contribution to the blog.

IoC
Ffead7ed9678cadc458a1b2bc66ecc32f552249e3e4cf561556449fe853689e6
26f6b55da42abbfa416154c32fd2ed5371fa094618473da303537dac8f6866c4
676f41fb7c7a0dec1f9556beb6e196b429a665ffb3a0d24050edadd165614942