Continued Activity targeting the Middle East
This blog will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East.
On Tuesday September 26, 2017 MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia.
I started by trying to find the sample that the blog post analyzed and I was able to find it submitted to the great sandboxing site of Hybrid Analysis (Big Shutout to @PayloadSecurity for the great service).
The file (b0a365d0648612dfc33d88183ff7b0f0) was named GSB[.]doc which is short for (Government Service Bus) or in Arabic (قناة التكامل الحكومية) as seen below
|The lure document perpetrating to be from GSB or تكامل|
Looking at the Macro code within the document, I was able to find that the code doesn't only try to get additional scripts from pastebin but also try to reach to filebin site as well to fetch the same file as shown below after doing some cleanup on the code
Moving on, I wanted to try and see if I can find additional samples based on the macro code that was embedded within this sample and I started by looking at the PowerShell file name which was mentioned in the MalwareBytes blog: NTSTATS[.]ps1
Doing some quick research, I was able to find this Tweet from September 18, 2016 by @ReaQta which was discussing another sample making use of the same PowerShell script however this time the code was trying to reach a Github instance to fetch the script. However, no mention of the lure sample.
Using the awesome feature within Hybrid Analysis that allows you to see if a certain sample was seen before, I was able to find this (0873ddb4df8320b493a719bdddd7d182) this time the lure document had an Iraqi flavor to it with the content referencing in Arabic the Iraqi National Intelligence System as shown below:
From this, I wanted to see how deep the rabbit hole goes and what else is out there so I started looking at the PowerShell "NTSTATS[.]ps1" script more in depth and I was able to find similarities with another PowerShell "Updater[.]ps1" script that was mentioned back in March of this year in an analysis done by Morphisec. As a matter of fact once you deobfuscate both scripts they can look something like this
|NTSTAT vs Updater|
It is worth mentioning that there are a lot of similarities between this campaign and the one described by Morphisec and even when it comes to C&C communication and the use of Base64 encoded commands.
I want to be clear though by saying that I am not trying to say that they are same actor, but they definitely have many similarities.
Analyzing the Macro code, the C&C and scripts allowed me to find additional samples that I am including in the IoC section at the end. Most of these samples are available via multiple sources including VT, Hybrid Analysis, pastebin and Twitter and most of them have themes focusing on the Middle East region.
I also created a very simple YARA rule - included at the end of this blog - and I was able to collect additional and newer samples like this one that was uploaded to VT today. The actors seems to have modified their Macro code and even their PowerShell Script as shown below
I was able to find a reference of this script posted to Pastebin as early as September 23, 2017
They are also now using a modified Base64 encoded C&C communication below and to a new IP 148.251.204[.]131:8060
In closing, I want to highlight that this campaign has been active since July based on samples that I came across on the platforms I mentioned above and seem to be continuing as of the writing of this blog. Interestingly, with this one, there hasn't been a final payload dropped on the victim machines as of yet. The scripts as described by the blogs I referenced are mainly collecting information about the targets and profiling them.
Some honorable mentions that I would like to highlight that in directly helped with this since they always post interesting stuff and I was able to use their posts to pivot to other samples
Known PowerShell File Names:
author = "@MoBustami"
date = "2017-10-01"
$s0 = "sdjNEqLClKPFAnuDvIyGTSgaMWRQYhrzXekcxifZ"