Posts

Showing posts from November, 2017

Continued Activity targeting the Middle East - PART 2

Update 2017-11-15: Palo Alto's Unit42 released a blog with additional details about the same activity, and they are dubbing the group behind this as "MuddyWater".

INTRODUCTION

In an earlier blog post, I wrote about a campaign that was targeting the Middle East (Saudi Arabia, Iraq, UAE, etc.). The adversary group behind this campaign seems to have been continuing its activity and advancing its techniques.
In this blog I will be sharing some additional details about this adversary group and how they are continuing to evolve. They are still using MS Word documents as lures with embedded macros and PowerShell scripts; however, they have been increasing their obfuscation techniques to make detection harder.
PART 1 - PANDA WAS HERE.

In my previous blog, I mentioned a sample "dollar.doc" (MD5 a86249a392b394c803ddbd5bbaa0b4bb). While analyzing the sample and looking at some of the strings, one string was interesting: "panda was here :)"
Using this string to look for addit…