New targeted attack against Saudi Arabia Government

Credit to Author: Malwarebytes Labs| Date: Thu, 23 Mar 2017 22:26:26 +0000

A new spear phishing campaign is targeting Saudi Arabian government organizations. The attack starts with a phishing email carrying a Word document written in Arabic. If the victim opens it, the document not only infects the system but also sends the same phishing document on to the victim's contacts through their Outlook mailbox.

We know that at least a dozen Saudi agencies were targeted. As with most email-borne attacks, this one relies on social engineering to get the victim to enable a macro, which then executes the malicious code.

Document overview:

- Macro might run executable
- Contains obfuscated macro code
- Loads DLL into its own memory
- Runs dropped executable
- Macro might read system main characteristics
- Runs existing executable
- Macro might overwrite file
- Access Windows sensitive data: Windows Address Book
- Suspicious delay
- Starts macro code when document is opened
- Searches inside certificate store database
- Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
- Check user main folders path
- Access Windows sensitive data: Windows Profiles information
- Contains macro
- Contains macro with create file functionalities
- Drops .EXE file
- Drops .DLL file
- Access Windows sensitive data: certificates

A quick analysis with oletools (olevba) shows the sections within the macro:

The payload is embedded in the macro as a Base64-encoded blob. The macro writes it to disk and uses the built-in certutil utility (certutil -decode) to turn the Base64 text back into a PE file, which is then executed:
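The following is an added example, not code from the original post or from Malwarebytes: a small triage script for the pattern described above. Given VBA source (for instance what olevba prints), it flags any certutil -decode invocation, reassembles the Base64 string literals, decodes them and checks whether the result is a PE image, then hashes it so the carved payload can be matched against IOCs without ever running the document. The sample macro and the minimal PE it carries are constructed for the demonstration; the real dropper's macro is not reproduced here.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample (not the real document's macro): a minimal PE image, Base64-
# encoded the way certutil expects (PEM-style armour, 64-character lines), embedded
# in a VBA macro that writes it to disk, decodes it with certutil and runs it.
SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")         # e_lfanew -> NT headers at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 24         # NT signature plus padding
)
_B64 = base64.b64encode(SAMPLE_PE).decode()
_CHUNKS = [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim p As String\n"
    '    p = Environ("TEMP") & "\\cert.txt"\n'
    "    Open p For Output As #1\n"
    '    Print #1, "-----BEGIN CERTIFICATE-----"\n'
    + "".join(f'    Print #1, "{c}"\n' for c in _CHUNKS)
    + '    Print #1, "-----END CERTIFICATE-----"\n'
    "    Close #1\n"
    '    Shell "certutil -decode " & p & " " & Environ("TEMP") & "\\svc.exe", vbHide\n'
    '    Shell Environ("TEMP") & "\\svc.exe", vbHide\n'
    "End Sub\n"
)

CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+.*?-decode", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]{16,})"')


def find_certutil_decode(vba):
    """Lines that invoke certutil -decode, the living-off-the-land step the dropper relies on."""
    return [ln.strip() for ln in vba.splitlines() if CERTUTIL_RE.search(ln)]


def extract_base64(vba):
    """Join every Base64-looking string literal in source order.

    Droppers usually split the blob across many literals; joining them reassembles
    it. Paths, command strings and the PEM armour lines never match because they
    contain characters outside the Base64 alphabet.
    """
    return "".join(B64_LITERAL_RE.findall(vba))


def decode_base64(blob):
    """Decode strictly; returns None if the text is not valid Base64."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)        # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(vba):
    """Summarise what the macro carries without executing anything."""
    payload = decode_base64(extract_base64(vba)) or b""
    return {
        "certutil_decode": find_certutil_decode(vba),
        "payload_len": len(payload),
        "is_pe": is_pe(payload),
        "sha256": hashlib.sha256(payload).hexdigest() if payload else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MACRO))
```

Run it on the output of `olevba document.doc` after the macro sections are extracted; a certutil -decode line together with a carved MZ/PE blob is strong evidence of this dropper pattern even before the hash is compared with a known-bad list.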

Binary overview:

- Searches inside certificate store database
- Loads DLL into its own memory
- Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
- Access Windows sensitive data: Windows Profiles information
- Access Windows sensitive data: Windows Address Book
- Drops .DLL file
- Drops .EXE file
- Access Windows sensitive data: certificates

Let’s take a look at the dropped binary itself. It is coded in .NET and not obfuscated. Here’s the encrypted payload:

Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs: 

It establishes persistence through a scheduled task so that it is relaunched automatically:

The purpose of this piece of malware appears to be information theft: it collects data from the victim's machine and uploads it to a remote server:

Malwarebytes Anti-Exploit blocked this targeted attack proactively, without any signature updates, through its Application Behavior protection layer, for all consumer and corporate users of Malwarebytes. Malwarebytes Anti-Malware also detects and fully remediates the threat.

We will continue to analyze this threat and update the post at a later time with more information.

IOCs:

Word dropper:

MD5: 3cd5fa46507657f723719b7809d2d1f9
SHA256: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9

Binary payload:

MD5: 4ed42233962a89deaa89fd7b989db081
SHA256: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873

Payload names:

C:\ProgramData\*-x86-ui.exe with * being one of these:
firefox|chrome|opera|abby|mozilla|google|hewlet|epson|xerox|ricoh|adobe|corel|java|nvidia|realtek|oracle|winrar|7zip|vmware|juniper|kaspersky|mcafee|symantec|yahoo|goog

Network communications:

mail.spa.gov.sa/ews/exchange/exchange.asmx
webmail.ecra/ews/exchange/exchange.asmx
62.149.118.67
85.194.112.9
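The following is an added example, not code from the original post or from Malwarebytes, showing how to turn the payload-name and hash IOCs above into a file-system hunt. The vendor list is joined into one case-insensitive regular expression (the sample observed on disk was "Firefox-x86-ui.exe" with a capital F, while the IOC list is lowercase, and NTFS is case-insensitive anyway), and every file under the scanned root is also hashed against the two SHA256 values. The directory and file names in demo() are constructed stand-ins for C:\ProgramData; nothing in them is from a real infection.

```python
import hashlib
import os
import re
import tempfile

# Vendor prefixes from the IOC list; the payload sits in C:\ProgramData as <vendor>-x86-ui.exe
VENDORS = ("firefox|chrome|opera|abby|mozilla|google|hewlet|epson|xerox|ricoh|adobe|"
           "corel|java|nvidia|realtek|oracle|winrar|7zip|vmware|juniper|kaspersky|"
           "mcafee|symantec|yahoo|goog")
# Case-insensitive on purpose: the observed sample was "Firefox-x86-ui.exe".
PAYLOAD_NAME_RE = re.compile(rf"^(?:{VENDORS})-x86-ui\.exe$", re.IGNORECASE)

IOC_SHA256 = {
    "a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9": "Word dropper",
    "a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873": "binary payload",
}


def name_matches(filename):
    """True if the bare file name follows the <vendor>-x86-ui.exe pattern."""
    return PAYLOAD_NAME_RE.match(filename) is not None


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large files do not have to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root):
    """Walk root; return [(path, [reasons])] for name-pattern or known-hash matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name_matches(name):
                reasons.append("payload-name pattern")
            try:
                digest = sha256_file(path)
            except OSError:
                continue                      # locked or unreadable; skip rather than abort
            if digest in IOC_SHA256:
                reasons.append("sha256 matches " + IOC_SHA256[digest])
            if reasons:
                hits.append((path, reasons))
    return hits


def demo():
    """Constructed stand-in for C:\\ProgramData with decoy names; returns the matched names."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Firefox-x86-ui.exe", "nvidia-x86-ui.exe",
                     "firefox-x64-ui.exe", "chrome-x86-ui.dll", "notes.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ placeholder, not a real payload")
        return sorted(os.path.basename(p) for p, _ in hunt(root))


if __name__ == "__main__":
    # On a Windows host point it at the directory the IOC names: hunt(r"C:\ProgramData")
    print(hunt(r"C:\ProgramData") if os.name == "nt" else demo())
```

A name match alone is only a lead, since the vendor prefixes are chosen precisely to look like legitimate software updaters; confirm with the hash, the scheduled task that relaunches the file, or the EWS traffic to the hosts listed above.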

The post New targeted attack against Saudi Arabia Government appeared first on Malwarebytes Labs.
