This blog describes an attack that takes advantage of heightened tensions in the Middle East to hit numerous targets across the region. This is Part II of our series on attacks targeting the Middle East; Part I covered the Dustman malware.
Here is a quick overview of the unique aspects of this attack; the detailed analysis follows below:
- A targeted phishing campaign was initiated, but instead of general malspam tactics, the attackers sent the malicious payloads through a legitimate email marketing provider to targets in the Persian Gulf and the wider Middle East. Most enterprises maintain a blocklist of URLs/domains from which they refuse email; mail that originates from a known, reputable vendor's sending infrastructure is likely to pass those reputation-based email security controls.
- The malware was distributed as a malicious attachment:
  - a document purporting to be official correspondence from the Ministry of Foreign Affairs of Bahrain, Saudi Arabia and the UAE respectively;
  - the document is themed around the death of Qasem Soleimani and lures the recipient into opening it.
- The emails/documents capitalize on the news surrounding Iran, but we believe the attackers have no direct connection to Iran.
Our investigation into this case began over a week ago. We identified a targeted phishing campaign abusing a legitimate email marketing service as a way to fly under the radar of spam filters. Most email marketing services allow a customer to upload attachments to be sent as part of an email campaign. In this case, the malicious documents were uploaded to and hosted on the marketing service's own site. We have since notified the email marketing service, but it appears most providers are prepared to handle bulk spam abuse rather than their services being used for targeted malicious attacks.
Under the guise of official communications from the Ministry of Foreign Affairs of the Kingdom of Bahrain (البحرين), Saudi Arabia (ٱلْمَمْلَكَة ٱلْعَرَبِيَّة ٱلسَّعُوْدِيَّة) and the United Arab Emirates (الإمارات العربية المتحدة) respectively, the campaign was themed around recent events involving Qasem Soleimani.
One thing is very clear: every aspect of this attack was carefully thought out. It is no surprise that the attackers picked the United Arab Emirates, Saudi Arabia and Bahrain as part of the ruse. These three GCC states have strong clout in the region and are regarded as political influencers. Notably absent from the regions targeted was the State of Qatar (دولة قطر), whose official ties with its neighboring GCC states have been severed since the 2017 diplomatic rift.
The attachment arrives as a document whose content is partly blurred, asking the victim to enable additional actions (macros) under the false pretext that doing so will make the content legible.
Once content is enabled, a malicious macro embedded in the downloaded document executes and retrieves an additional executable payload. If the number of payloads being downloaded seems confusing, keep in mind that the more stages are dropped or downloaded, the more modular the attack; it also makes analyzing and investigating the attack more complicated.
The attack incorporated steganography to hide malicious payloads in plain sight: multiple images were used to carry later phases of the attack, each enclosing an encrypted executable.
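The post does not say how the executables were embedded in the images or how they were encrypted, so the following is an added triage example rather than the campaign's own scheme. It assumes the simplest common variant: the payload is appended after the PNG's IEND chunk and obfuscated with a single-byte XOR key. The carrier PNG, the stand-in PE blob and the key are all constructed here. The carving step (walk the chunk list, return whatever trails IEND) is independent of that assumption and is a cheap check to run on any image pulled from a suspicious document or C2 channel: a well-formed PNG has nothing after IEND.

```python
"""Carve data appended after a PNG's IEND chunk and try to recover a PE from it.

Added example for this post; the embedding/encryption scheme is an assumption,
not the campaign's actual method.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed stand-in for an encrypted executable: an MZ header followed by
# padding and the DOS stub string every real PE carries.
FAKE_PE = b"MZ" + b"\x90" * 0x3E + DOS_STUB + b".\r\n$" + b"\x00" * 64


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Minimal valid 1x1 8-bit grayscale PNG (constructed carrier image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter byte 0 + one gray pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def embed_after_iend(png: bytes, payload: bytes, key: int) -> bytes:
    """Attacker side (assumed scheme): XOR the payload and append it after IEND."""
    return png + xor(payload, key)


def carve_after_iend(data: bytes) -> bytes:
    """Walk the chunk list and return every byte that follows the IEND chunk.

    Each chunk is 4-byte length + 4-byte type + data + 4-byte CRC. A clean PNG
    returns b""; anything non-empty is worth a closer look.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def recover_pe(blob: bytes):
    """Try all 256 single-byte XOR keys; return (key, plaintext) on a PE hit.

    Key 0 covers the unencrypted case. Only the head is decrypted while
    searching; the full blob is decrypted once a key matches.
    """
    for key in range(256):
        head = xor(blob[:4096], key)
        if head[:2] == b"MZ" and DOS_STUB in head:
            return key, xor(blob, key)
    return None


if __name__ == "__main__":
    stego = embed_after_iend(make_png_1x1(), FAKE_PE, 0x5A)
    trailing = carve_after_iend(stego)
    print(f"{len(trailing)} bytes after IEND")
    hit = recover_pe(trailing)
    print("no PE found" if hit is None else f"PE recovered with XOR key {hit[0]:#04x}")
```

Real samples rarely stay this simple (multi-byte keys, RC4/AES, payloads stored inside IDAT or in LSBs), but the first question is always the same: does the image carry more bytes than its format accounts for, and does a cheap transform turn them into an MZ header?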
Use of Legitimate Services in C2/Exfiltration
The campaign involved several stages, from the initial phishing email to the final payload that was intended to carry out surveillance/intelligence gathering on the infected machine. The important point to note here is the abuse of legitimate services such as Google Drive, Twitter and ImgBB as part of the command-and-control and data exfiltration mechanism. Google Drive was used to host the malicious payloads to be downloaded, while the malware polled Twitter for specific commands such as "take a screenshot and upload." Collected data was then uploaded to the third-party image hosting site ImgBB.
The use of Twitter, Google Drive and ImgBB as part of the delivery/command-and-control infrastructure was an effective tactic for several reasons. Using legitimate services is an obvious way to get past firewalls and domain-based blocking: the traffic blends in with ordinary user activity to popular sites. The countries that were targeted all restrict internet access to some degree, but these particular services remain reachable.
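Because the destinations are legitimate, the useful signal is not the domain alone but who is talking to it and in what order. The following is an added detection example, not part of the original post or the authors' tooling. It runs over constructed EDR-style network events (host, timestamp, process, destination, method, bytes out) and applies two rules: a non-browser process contacting any of the three services, and a "tasking then exfil" sequence on one host, i.e. a contact to Twitter followed within a short window by a POST to ImgBB from a non-browser process. The hostnames and the process name `updater.exe` are assumptions; the post names the services but not the exact endpoints or the payload's file name.

```python
"""Detect the Twitter-tasking / Google Drive-payload / ImgBB-exfil pattern in
process-attributed network events.

Added example for this post. Domains and sample events are assumptions /
constructed data, not indicators from the campaign.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostnames for the three services named in the post.
SERVICE_ROLES = {
    "twitter.com": "tasking",
    "api.twitter.com": "tasking",
    "drive.google.com": "payload",
    "docs.google.com": "payload",
    "ibb.co": "exfil",
    "imgbb.com": "exfil",
    "api.imgbb.com": "exfil",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def _ev(host, hms, proc, dst, method, bytes_out):
    """Build one constructed event; date is arbitrary."""
    h, m, s = (int(x) for x in hms.split(":"))
    return {"host": host, "ts": datetime(2020, 1, 15, h, m, s), "proc": proc,
            "dst": dst, "method": method, "bytes_out": bytes_out}


# Constructed sample events. WS01 models an infected host: Word pulls the next
# stage from Drive, the dropped binary polls Twitter and uploads to ImgBB.
# WS02 is a user browsing normally. WS03 is Outlook previewing a Drive link.
SAMPLE_EVENTS = [
    _ev("WS01", "09:00:12", "winword.exe", "drive.google.com", "GET", 0),
    _ev("WS01", "09:05:02", "updater.exe", "api.twitter.com", "GET", 0),
    _ev("WS01", "09:06:41", "updater.exe", "api.imgbb.com", "POST", 418304),
    _ev("WS02", "09:10:00", "chrome.exe", "twitter.com", "GET", 0),
    _ev("WS02", "09:12:30", "chrome.exe", "ibb.co", "POST", 250000),
    _ev("WS03", "11:00:00", "outlook.exe", "drive.google.com", "GET", 0),
]


def role_for(dst: str):
    """Map a destination host to its role in the C2 scheme, or None."""
    dst = dst.lower()
    for domain, role in SERVICE_ROLES.items():
        if dst == domain or dst.endswith("." + domain):
            return role
    return None


def flag_nonbrowser(events):
    """Rule 1: any non-browser process reaching one of the abused services."""
    return [e for e in events
            if role_for(e["dst"]) and e["proc"].lower() not in BROWSERS]


def find_tasking_then_exfil(events, window=timedelta(minutes=10)):
    """Rule 2: per host, a tasking contact followed within `window` by an
    upload (POST) to the exfil service, both from non-browser processes.

    Returns (host, process, tasking_ts, exfil_ts, bytes_out) tuples.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["proc"].lower() not in BROWSERS:
            by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            if role_for(a["dst"]) != "tasking":
                continue
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if role_for(b["dst"]) == "exfil" and b["method"] == "POST":
                    hits.append((host, a["proc"], a["ts"], b["ts"], b["bytes_out"]))
                    break
    return hits


if __name__ == "__main__":
    for e in flag_nonbrowser(SAMPLE_EVENTS):
        print(f"[rule1] {e['host']} {e['proc']} -> {e['dst']} ({role_for(e['dst'])})")
    for host, proc, t0, t1, size in find_tasking_then_exfil(SAMPLE_EVENTS):
        print(f"[rule2] {host} {proc}: tasking {t0:%H:%M:%S}, exfil {t1:%H:%M:%S}, {size} bytes")
```

Rule 1 is noisy on its own (Outlook previewing a Drive link trips it, as WS03 shows) and is best used for hunting and tuning; rule 2 carries the real weight because the tasking-then-upload sequence from one non-browser process is specific to this kind of dead-drop C2. Neither rule needs the traffic decrypted, only process attribution on network events, which is exactly what a proxy log alone does not give you.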
Despite the Iran-related theme of the phishing campaign, our analysis of the samples and artifacts involved gives us no reason to believe that the people behind this attack have direct ties to Iran; rather, they are using the heightened state of security in the region as a tactic to improve the attack's chances of success.
Special Thanks to Rohit Kashibatla for his contribution to the blog.