Threats Feed | Magic Hound | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 15/02/2017

Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malicious Macro, RAT, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The report details the Magic Hound cyber campaign, which primarily targeted Saudi Arabia. The campaign relied on spearphishing emails carrying malicious attachments and links, PowerShell scripts, the Windows Command Shell, and obfuscation techniques such as XOR and Base64 encoding. The attackers also used HTTP and HTTPS for command-and-control communication.

Detected Targets

Type | Description | Confidence

  • Case: Ministry of Commerce and Investment, Saudi Arabia (Verified)
    The Ministry of Commerce is a cabinet-level government ministry of Saudi Arabia responsible for both the commerce and investment sectors in the kingdom. Its responsibilities include the development and implementation of the policies and mechanisms that govern the commerce and investment sectors. The Ministry of Commerce and Investment, Saudi Arabia has been targeted by Magic Hound with abusive purposes.
  • Case: Ministry of Health, Saudi Arabia (Verified)
    The Ministry of Health, commonly abbreviated to MoH, is the ministry overseeing the health care and health policy of Saudi Arabia. The ministry is tasked with formulating strategies to ensure public health in the country, while also managing crucial health infrastructure. The Ministry of Health, Saudi Arabia has been targeted by Magic Hound with abusive purposes.
  • Case: Ministry of Labor, Saudi Arabia (Verified)
    The Ministry of Human Resources and Social Development is a government ministry in Saudi Arabia that was established in 2019 by merging the Ministry of Labour and Social Development with the Ministry of Civil Service. It is responsible for providing the community with development, support, and protection. The Ministry of Labor, Saudi Arabia has been targeted by Magic Hound with abusive purposes.
  • Case: National Technology Group (Verified)
    National Technology Group (NTG) is a multinational conglomerate with over 20 specialized Information and Communication Technology (ICT) businesses in the MENA region, South East Asia, South Asia, and the USA, headquartered in Riyadh, Saudi Arabia. National Technology Group has been targeted by Magic Hound with abusive purposes.
  • Sector: Government Agencies and Services (Verified)
  • Sector: Information Technology (Verified)
  • Sector: Energy (Verified)
  • Region: Saudi Arabia (Verified)

Extracted IOCs

  • analytics-google[.]org
  • microsoftexplorerservices[.]cloud
  • msservice[.]site
  • timezone[.]live
  • service1.chrome-up[.]date
  • service.chrome-up[.]date
  • servicesystem.serveirc[.]com
  • syn.timezone[.]live
  • www1.chrome-up[.]date
  • www3.chrome-up[.]date
  • www5.chrome-up[.]date
  • www7.chrome-up[.]date
  • www.microsoftsubsystem.com-adm[.]in
  • 0d3ae682868cb3ff069ec52e1ffc5ef765453fd78e47b6366d96aebb09afd8ab
  • 133959be8313a372f7a8d95762722a6ca02bc30aaffde0cbcf6ba402426d02f5
  • 16d87fbd8667677da1af5433b6d797438f8dc0ab565fb40ecb29f83f148888cd
  • 1c3e527e496c4b0594a403d6d582bc6db3029d27369720d0d5122f862b10d8f1
  • 1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce
  • 218fac3d0639c0d762fcf71685bcf6b64c33d1533df03b4cf223d9b07ca1e3c2
  • 29a659fb0ef0262e4de0dc3c6a140677b6ddee13c1819b791bd280be0547e309
  • 2f7f3582504fbce349a6991fbb3b5f9577c5c014b6ce889b80d51977fa6fb31a
  • 3161f9087d89a2d036ea32741d5a006c6bb279d36ff8d1acde63f2e354f8c502
  • 33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e
  • 388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d
  • 3f23972a0e80983351bedf6ad45ac8cd63669d3f1c76f8834c129a9e0418fff1
  • 4beee6e7aa244335e161fdc05296ea100090c2114b4ff2e782e3ee3e1f936fdf
  • 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
  • 5469facc266d5582bd387d69032a91c8fff373213b66a2f0852666e72bcdc1da
  • 5e0e09c9860b293c4c9a2382a7392963adc54d6a23440abb9a2d89c50f8fd305
  • 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b
  • 68db2b363a88b061cc9063535f3920673f1f08d985b14cb52b898ced6c0f8964
  • 6a7537f2cedbf453114cfba086e4746e698713777fb4fa4fc8964247dde741ed
  • 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b
  • 6d1a50ca3e80442fa3e2caca86c166ed60bef32c2d0af7352cd227303cdec031
  • 71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087
  • 79c9894b50cde62b182bd1560060c5c2bf5a1cef2b8afdffc4766e8c55ff6932
  • 7cdbf5c035a64cb6c7ee8c204ad42b4a507b1fde5e6708ea2486942d0d358823
  • 7e57e35f8fce0efc3b944a7545736fa419e9888514fcd9e098c883b8d85e7e73
  • 82779504d3fa0ffc8506ab69de9cb4d8f6415adbb11a9b8312828c539cf10190
  • 860f4cd44371a180a99bc16526f54f8b051c420a3df334d05d569d0cdadac3d2
  • 86d3409c908f667dd298b6a7e1e17652bb29af73e7daed4a5e945fbdf742e9f4
  • 8c2e4aa8d73ad2e48d70dfa18abea62769c7bef59c8c1607720f4f6162413f75
  • 92bc7d04445cf67aa7ddf15792cd62778d2d774d06616d1986f4c389b3d463f5
  • 97943739ccf8a00036dd3cdd0ba48e17a82ab9b65cc22c17c6e6258e72bb9ade
  • 9e4d2e983f8a807f741f8873e6fa5d222dc6f3b358ccfc3a6c700398b342f656
  • a390365ddfcce146a8fa8435022f19b9a1be29f2b11a049cb660ec53f36beb06
  • abe8e86b787998a07411ee24f3f3d8a79e37c6da539650ceed566b081f968c26
  • af0ae0fa877f921d198239b7c722e12d14b2aa32fdfadaa37b47f558ae366de9
  • b2ea3fcd2bc493a5ac86e47029b076716ed22ef4487f9090f4aa1923a48015d6
  • b42b1186211633c2d47f3d815f0371ba234fee2ed0f26e487badc58e1ab81061
  • b6c159cad5a867895fd41c103455cebd361fc32d047b573321280b1451bf151c
  • ba3560d3c789984ca29d80f0a2ea38a224e776087e0f28104569630f870adaf4
  • c21074f340665935e6afe2a972c8d1ab517954e2dd05cc73e5ff0e8df587b99d
  • c3a8f5176351e87d28f45e58c79bb6646bb5d94ade7a24c6556514c860004143
  • ca6e823dedd6ca5fada2b1fa63d0acb288027f5a3cdd2c60dcace3c424c5ced0
  • cfce4827106c79a81eef6d3a0618c90bf5f15936036873573db76bed7e8a0864
  • d08d737fa59edbea4568100cf83cff7bf930087aaa640f1b4edf48eea4e07b19
  • d2ffc757a12817e4b58b3d58d71da951b177dedd3f65ca41fad04a03fc63fac6
  • d8731a94d17e0740184910ec81ba703bad5ff7afc92ba056f200533f668e07bf
  • da2abdc951e4b2272fea5c8989debd22e26350bab4b4219104bccec5b8a7ff5a
  • db453b8de1a01a3e4d963847c0a0a45fb7e1a9b9e6d291c8883c74019f2fc91f
  • e57f77cc3d117923ec01aa0e044edc11b1042e57993ca7f74d971630893ca263
  • e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6
  • e837f6b814c09900726dac2cf55f41babf361152875ba2a765a34ee5cc496087
  • ea139a73f8ec75ea60dfa87027c7c3ef4ed61b45e1acb5d1650cc54e658984ba
  • eaaecabb439c81e522d9f5681fdb047ee62381e763f0d9646e68cd507479ba5a
  • f0ecc4388f0d84501499711681a64a74c5d95e0bb6a2174cbe3744bd5a456396
  • f912d40de9fe9a726448c1d84dfba2d4941f57210b2dbc035f5d34d68e8ac143
  • 104[.]218.120.128
  • 104[.]238.184.252
  • 139[.]59.46.154
  • 45[.]56.123.129
  • 45[.]58.37.142
  • 45[.]76.128.165
  • 69[.]87.223.26
  • 89[.]107.60.11
  • 89[.]107.62.39

Tip: 77 IOCs related to this threat have been found (9 IP addresses, 13 domains, 0 URLs, 0 email addresses, 55 file hashes).

Overlaps

Charming Kitten | Charming Kitten's Cyber Arsenal: Tools and Techniques Explained

Source: InfinitumIT - November 2022

Detection (five cases): 139[.]59.46.154, 89[.]107.62.39, 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b, 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6

Unknown | From Spear Phishing to Data Wipe: Unraveling the Shamoon Attacks in the Gulf

Source: IBM - February 2017

Detection (four cases): 139[.]59.46.154, 45[.]76.128.165, 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6

Cobalt Gypsy | COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign

Source: Secureworks - February 2017

Detection (five cases): 139[.]59.46.154, 89[.]107.62.39, 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b, 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6

Hint: Overlaps are extracted automatically by comparing the IOCs associated with all indexed threats and actors.

About Affiliation
Magic Hound
Magic Hound is an Iranian state-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. Since at least 2014 it has targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO) through complex social engineering campaigns.