Latest Update 18/02/2026

Threats Feed

  1. Public

    Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures Middle Eastern targets

    The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.

  2. Public

    OilRig Campaign Resurfaces: Iranian Hackers Target Israel with Helminth Trojan

    Between April 19 and 24, 2017, several Israeli organizations, including high-tech development companies, medical entities, and educational institutions, were targeted by a politically motivated campaign attributed to the Iranian hacker group responsible for the OilRig malware campaigns. The fileless attack was delivered through compromised email accounts at Ben-Gurion University using Microsoft Word documents exploiting the CVE-2017-0199 vulnerability. The Helminth Trojan was installed as a result, bearing a striking similarity to the OilRig campaign conducted against Middle Eastern financial institutions the previous year. The threat actors exploited the gap between patch release and rollout, with active C&C servers still operational at the time of report publication.

  3. Public

    CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks

    The Iranian threat agent CopyKittens compromised multiple Israeli websites, including the Jerusalem Post, and one Palestinian Authority website between October 2016 and January 2017. The attackers bought access to the servers and inserted a single line of JavaScript into existing libraries, which loaded further malicious JavaScript from a domain they controlled and selectively targeted users based on their IP addresses. The malicious payload used was the BeEF Browser Exploitation Framework.

  4. Public

    CopyKittens’ Spearphishing Attack on Israeli Ministry of Communications

    CopyKittens, a known cyber-attack group, has launched a spearphishing campaign targeting the Israeli government’s Ministry of Communications. The investigation commenced with the identification of a suspicious domain that led to multiple related domains. One such domain closely mimicked the Israeli Prime Minister's SSL VPN login page and was used to drop a malicious Word document titled "Annual Survey.docx." This document had an embedded OLE object that communicated with a C2 server, signifying a well-planned attack. The campaign appears to be part of CopyKittens' ongoing activities against Israeli interests.

  5. Public

    Shamoon 2.0 and StoneDrill Revive Wiper Threats Across Saudi and European Targets

    Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching European targets. Shamoon 2.0, a successor to the 2012 Saudi Aramco attack tool, incorporated stolen administrator credentials, automated worm-like spreading, disk wiping, and even inactive ransomware capabilities. StoneDrill introduced advanced sandbox evasion, injected its payload into browsers, and targeted accessible files or full disks. Both malware families used obfuscation, anti-analysis tricks, and in Shamoon’s case, signed drivers for low-level destruction. StoneDrill shared code similarities with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.

  6. Public

    Disttrack Malware Decimates Saudi Critical Infrastructure

    The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history and resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage.

  7. Public

    Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks

    The report details the Magic Hound cyber campaign targeting primarily Saudi Arabia. The campaign leveraged spearphishing emails with malicious attachments and links, PowerShell scripts, Windows Command Shell, and obfuscation techniques like XOR and Base64 encoding. Additionally, the attackers utilized HTTP and HTTPS protocols for command and control communication.

  8. Public

    COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign

    SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (aka OilRig). The attackers employed spear-phishing emails containing shortened URLs redirecting to spoofed domains. Victims were presented with a malicious Microsoft Office document, which executed PowerShell commands when opened, installing PupyRAT, a multi-platform remote access trojan (RAT).

  9. Public

    MacDownloader: Early Iranian Malware Efforts Target Defense and Human Rights Sectors

    The MacDownloader malware, initially observed targeting the defense industrial base and a human rights advocate, impersonates legitimate software such as Adobe Flash Player and Bitdefender Adware Removal Tool to steal system information and macOS Keychain data. It reflects initial development efforts by possibly amateur Iranian-affiliated actors and is linked to previously documented Iranian operations targeting aerospace and defense employees. The malware, which also gathers user credentials, lacks effective persistence features and uses infrastructure similar to that of previous campaigns attributed to the Iranian group Charming Kitten.

  10. Public

    Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks

    The Iranian threat agent OilRig, active since the end of 2015, has been implicated in a wave of cyber attacks targeting several countries, namely Israel, Turkey, Qatar, Kuwait, UAE, Saudi Arabia, and Lebanon. In their most recent campaigns, they have leveraged advanced strategies, setting up fake VPN portals, counterfeit websites, and using stolen code signing certificates to give their malware an appearance of authenticity. This not only illustrates their high technical capability, but also underscores the complexity and effectiveness of their operations. These attacks have largely targeted IT and financial institutions, causing significant concerns in these sectors.

  11. Public

    Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics

    In mid-November 2016, Mandiant responded to the Shamoon 2.0 malware attack targeting organizations in the Gulf states, marking the return of the suspected Iranian hacker group "Cutting Sword of Justice." This updated version of the 2012 Shamoon malware features embedded credentials, suggesting previous targeted intrusions for credential harvesting. Shamoon 2.0 performs subnet scanning, uses domain-specific credentials for unauthorized access, modifies system registries, and schedules tasks for execution. Its payload involves overwriting system files and wiping boot records, notably shifting imagery from a burning U.S. flag to a photograph of Alan Kurdi, symbolizing a devastating critique through cyber vandalism.

  12. Public

    OilRig Campaign: Malware Updates and Expanded Global Targets

    The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its lack of sophistication, the malware successfully operates under the radar in many establishments due to techniques like DNS command and control.

  13. Public

    APT34 Targets Middle Eastern Banks with Macro Malware

    APT34 launched targeted attacks against banks in the Middle East in May 2016. The threat actors sent malicious macro-enabled XLS files in emails to banking sector employees, which then created multiple directories and dropped PowerShell scripts to perform various malicious activities. The macros also unhid content after execution, creating a false sense of legitimacy. These files executed various scripts to download additional payloads, gather information, and exfiltrate data over DNS queries, demonstrating the continued effectiveness of macro malware.

  14. Public

    NewsBeef APT Revives BeEF for Global Watering Hole Campaigns

    In early 2016, the NewsBeef APT (aka Charming Kitten/Newscaster) repurposed the open-source BeEF and Metasploit frameworks in widespread watering hole attacks. These operations targeted visitors to strategically compromised websites, including institutions in Iran, Russia, India, Ukraine, the EU, Turkey, Germany, Japan, China, Brazil, and more. Sectors impacted included education, military, diplomacy, manufacturing, and media. The attackers injected malicious JavaScript to hook browsers, track visitor behavior, and fingerprint systems using evercookies and browser enumeration. While full exploitation wasn’t always observed, selective delivery of backdoors or spoofed login prompts was reported. The group’s campaign reflects an evolution from low-tech social engineering to more technically advanced infrastructure attacks using open-source tools.

  15. Public

    Thamar Reservoir: Iranian Cyber Campaign Targets Middle East Sectors

    Clearsky's "Thamar Reservoir" report details a sustained Iranian cyber-attack campaign targeting over 550 individuals, primarily in the Middle East. The attacks, which began in 2014, used a variety of techniques, including spear-phishing emails with malware, phone calls, and compromised websites to create fake login pages. The attackers were persistent but lacked technical sophistication and made mistakes that aided the investigation. The report concludes that the campaign's targets and methods strongly suggest Iranian state sponsorship, and links it to other known Iranian cyber operations.

  16. Public

    Rocket Kitten’s Operation Woolen-GoldFish Targets Israeli and European Organizations

    This Trend Micro report details the activities of Rocket Kitten, a cyber threat group targeting Israeli and European organisations. The report focuses on two campaigns: a malware campaign using the GHOLE malware, possibly dating back to 2011, and a suspected state-sponsored operation, 'Operation Woolen-GoldFish', involving spear-phishing attacks. Analysis shows possible links to an individual using the alias "Wool3n.H4t", possibly Iranian, and highlights the group's increasing sophistication despite using relatively simple techniques such as macros. The overall aim is to inform readers of Rocket Kitten's methods and suspected politically motivated objectives, suggesting Iranian involvement.

  17. Public

    Gholee Malware Exploits Israel-Gaza Conflict Theme in Targeted Cyberattack

    During the 2014 Israel-Gaza conflict, a spear-phishing campaign themed around "Operation Protective Edge" emerged, targeting Israeli entities. The Gholee malware, delivered via a malicious Excel file named ‘Operation Protective Edge.xlsb’, used social engineering and VBA macro execution to compromise systems. The malware featured advanced obfuscation and evasion techniques, including ASCII character encoding and debugger detection, to avoid security measures. It communicated with a server in Kuwait using an outdated SSL certificate, suggesting sophisticated threat actors possibly linked to state-sponsored activities.

  18. Public

    Mahdi (Madi) Malware Campaign Targets Middle Eastern Governments and Infrastructure

    Seculert researchers uncovered a sustained spear-phishing campaign dubbed Mahdi, which relied on malicious Word document attachments delivering a simple malware dropper alongside decoy content related to Iran–Israel electronic warfare. The malware communicated with command-and-control servers using disguised, Google-like web pages, with payload modules Base64-encoded inside HTML. Analysis revealed Farsi language artifacts and Persian calendar dates, suggesting an Iranian nexus. Variants were active from at least December 2011, initially hosted in Iran and later in Canada. The campaign targeted critical infrastructure companies, financial services, and government embassies across Iran, Israel, and other Middle Eastern countries, compromising more than 800 victims over eight months.

  19. Public

    Madi Espionage Campaign Targets Middle Eastern Governments and Critical Sectors

    The Madi campaign is a long-running cyber espionage operation that has been active for nearly a year, targeting individuals and organizations primarily across Iran, Israel, Afghanistan, and other countries worldwide. The attackers relied on basic but effective social engineering techniques, including spearphishing emails with malicious PowerPoint slide shows and executables disguised using Right-to-Left Override (RTLO) filenames. Once executed, the Delphi-based malware enabled extensive surveillance through keylogging, screenshot capture, audio recording, and large-scale data theft. Victims included government agencies, critical infrastructure engineering firms, financial institutions, academia, and selected individuals whose communications were monitored over extended periods.

  20. Public

    Madi Trojan Campaign Uses Social Engineering to Target Energy and Government Sectors

    Symantec Security Response has identified Madi, a Trojan used in targeted social engineering campaigns observed since December 2011. The attacks relied on phishing emails carrying malicious PowerPoint attachments that prompted victims to manually execute an embedded file. Once installed, Trojan.Madi enabled information theft, including keylogging, and supported self-updating capabilities. The malware communicated with command-and-control servers hosted primarily in Iran and later Azerbaijan. Targets spanned multiple sectors, including oil and energy companies, government agencies, a foreign consulate, and US-based think tanks. While victims were concentrated in Middle Eastern countries such as Iran, Israel, and Saudi Arabia, infections were also observed globally, from the United States to New Zealand. The campaign relied entirely on social engineering rather than exploits or zero-day vulnerabilities.
