Showing posts from 2017

Continued Activity targeting the Middle East - PART 2

Update 2017-11-15: Palo Alto's Unit42 released a blog with additional details about the same activity; they are dubbing the group behind this "MuddyWater". INTRODUCTION In an earlier blog post, I wrote about a campaign that was targeting the Middle East (Saudi Arabia, Iraq, UAE, etc.). The adversary group behind this campaign seems to have continued its activity and advanced its techniques. In this blog I will share some additional details about this adversary group and how they continue to evolve. They are still using MS Word documents as lures with embedded macros and PowerShell scripts; however, they have been increasing their obfuscation techniques to make detection harder. PART 1 - PANDA WAS HERE. In my previous blog, I mentioned a sample "dollar.doc" (MD5 a86249a392b394c803ddbd5bbaa0b4bb). While analyzing the sample and looking at some of the strings, one string was interesting: "panda was here :)". Using this st

Knock Knock Knocking on EhDoor (The Curious Case of an EPS file)

INTRODUCTION This all started with the great analysis and blog by RSA in August 2017 about a phishing wave targeting Russian banks. This was followed by another great blog by McAfee on the same subject, but my focus will be on a specific aspect mentioned in the RSA blog, which is the exploit used. “FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft’s Encapsulated Postscript (EPS) filter, in the summer of 2015. This EPS exploit was assigned CVE-2015-2545. In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.” PART 1 - ADDITIONAL SAMPLE RELATED TO THE PHISHING CAMPAIGN. One thing I took from the analysis of the samples in the RSA blog was the name of the EPS file, which was “image1.eps”. If you take that and search for it, one of the results ha

Continued Activity targeting the Middle East

This blog will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East. On Tuesday, September 26, 2017, MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia. I started by trying to find the sample that the blog post analyzed, and I was able to find it submitted to the great sandboxing site Hybrid Analysis (big shoutout to @PayloadSecurity for the great service). The file (b0a365d0648612dfc33d88183ff7b0f0) was named GSB[.]doc, which is short for Government Service Bus, or in Arabic (قناة التكامل الحكومية), as seen below. The lure document purporting to be from GSB or تكامل. Looking at the macro code within the document, I found that the code doesn't only try to get additional scripts from pastebin but also tries to reach the filebin site to fetch the same file, as shown below after doing some cleanup on the code. Moving on, I wanted to try an