Threats Feed | Unknown | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 26/09/2017

Saudi Arabian Government Hit by Stealthy Macro Malware

  • Actor Motivations: Espionage
  • Attack Vectors: Malicious Macro, Malware
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

A Saudi Arabian government entity was targeted by an attack that relies on macros in malicious Word documents and a chain of scripts rather than a compiled binary payload. The macro runs a VBScript that lowers the macro security settings of Microsoft Word and Excel and fetches further content from Pastebin. A PowerShell script then handles communication with the command-and-control (C2) server and exfiltrates data, persisting on the host and continuing to collect information from the targeted system while staying undetected. The primary targeted sector is government.
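The registry-tampering step described above is a practical detection point: a scripting host (wscript.exe, cscript.exe, powershell.exe) rewriting Office macro-security values is rarely legitimate, whereas Office itself writing them usually reflects a user changing Trust Center options. The Python below is an added example, not code from the Certfa Radar entry or the underlying report. The entry does not name the registry values the VBScript changes, so the values watched here (VBAWarnings and AccessVBOM under the per-application Security key) are an assumption, as are the Sysmon Event ID 13 lines, which are constructed sample data.

```python
"""Flag Office macro-security downgrades in Sysmon registry events.

Added example, not code from the Certfa Radar entry or the original report.
The entry says the VBScript "lowers security settings within Microsoft Word
and Excel" but names no registry values; VBAWarnings and AccessVBOM under
HK*\\Software\\Microsoft\\Office\\<ver>\\<app>\\Security are the values such
scripts commonly write and are an ASSUMPTION here. Log lines are constructed.
"""
import re
from typing import Dict, List

# Sysmon Event ID 13 (RegistryEvent: value set), flattened to key=value pairs.
# CONSTRUCTED sample data, not events from the incident.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM "
    "Details=DWORD (0x00000001)",
    # Word itself setting "disable with notification" (2): a normal user action.
    "EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings "
    "Details=DWORD (0x00000002)",
    # Unrelated Office value.
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Foo "
    "Details=DWORD (0x00000001)",
    # Event ID 12 (key create/delete) carries no Details and is ignored.
    "EventID=12 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
TARGET_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>Word|Excel|PowerPoint|Outlook|Access)\\Security\\"
    r"(?P<value>VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")

# Settings that weaken macro protection (assumed semantics, see docstring):
#   VBAWarnings = 1 -> "Enable all macros", no prompt
#   AccessVBOM  = 1 -> macros may read/write the VBA project object model
DOWNGRADE_VALUES = {"vbawarnings": {1}, "accessvbom": {1}}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened Sysmon event into its fields."""
    return dict(FIELD_RE.findall(line))


def find_macro_security_downgrades(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event that sets a macro-security value to a weaker state."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # only value-set events carry Details
            continue
        target = TARGET_RE.search(ev.get("TargetObject", ""))
        data = DWORD_RE.search(ev.get("Details", ""))
        if not target or not data:
            continue
        new_value = int(data.group(1), 16)
        if new_value not in DOWNGRADE_VALUES[target.group("value").lower()]:
            continue
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        findings.append({
            "app": target.group("app"),
            "office_version": target.group("ver"),
            "value": target.group("value"),
            "new_value": new_value,
            "image": image,
            # A scripting host writing these values is the pattern in the overview.
            "script_host": exe in SCRIPT_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for finding in find_macro_security_downgrades(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input only the two wscript.exe writes are reported; Word setting VBAWarnings back to 2 is not a downgrade, and the Event ID 12 line has no value to check. In production the same logic runs over Sysmon or EDR registry telemetry, and the `script_host` flag is what separates this attack pattern from a user toggling Trust Center settings.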

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Region | Saudi Arabia                     | Verified

Extracted IOCs

  • arch-tech[.]net
  • heartmade[.]ae
  • itcdubai[.]net
  • larsson-elevator[.]com
  • projac.co[.]uk
  • romix-group[.]com
  • spearhead-training[.]com
  • taxconsultantsdubai[.]ae
  • wmg-global[.]com
  • 144[.]76.109.88
  • 144[.]76.109.88/al/
  • arch-tech[.]net/components/com_layer_slider/senditem.php?c=
  • heartmade[.]ae/plugins/content/contact/senditem.php?c=
  • itcdubai[.]net/action/contact_gtc.php?c=
  • larsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=
  • projac.co[.]uk/senditem.php?c=
  • romix-group[.]com/modules/mod_wrapper/senditem.php?c=
  • spearhead-training[.]com/action/point2.php?c=
  • taxconsultantsdubai[.]ae/wp-content/themes/config.php?c=
  • wmg-global[.]com/wp-content/wp_fast_cache/wmg-global.com/senditem.php?c=

Tip: 20 related IOCs (1 IP, 9 domain, 10 URL, 0 email, 0 file hash) to this threat have been found.
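To put the list above to use it has to be refanged and matched with the right specificity: the nine domains and the IP are matched on the host (domains including their subdomains), while the ten URLs require host equality plus the path prefix up to the `c=` parameter, so a generic `senditem.php` on an unrelated host does not fire. The Python below does that over a few proxy log lines. It is an added example, not part of the Certfa Radar entry; the IOC list is the page's own, while the log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example.

```python
"""Match the feed's IOCs against proxy log lines.

Added example, not code from the Certfa Radar entry. The IOC list is the
page's own (defanged); the log format and log lines are CONSTRUCTED.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

IOCS = [
    "arch-tech[.]net", "heartmade[.]ae", "itcdubai[.]net", "larsson-elevator[.]com",
    "projac.co[.]uk", "romix-group[.]com", "spearhead-training[.]com",
    "taxconsultantsdubai[.]ae", "wmg-global[.]com",
    "144[.]76.109.88",
    "144[.]76.109.88/al/",
    "arch-tech[.]net/components/com_layer_slider/senditem.php?c=",
    "heartmade[.]ae/plugins/content/contact/senditem.php?c=",
    "itcdubai[.]net/action/contact_gtc.php?c=",
    "larsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=",
    "projac.co[.]uk/senditem.php?c=",
    "romix-group[.]com/modules/mod_wrapper/senditem.php?c=",
    "spearhead-training[.]com/action/point2.php?c=",
    "taxconsultantsdubai[.]ae/wp-content/themes/config.php?c=",
    "wmg-global[.]com/wp-content/wp_fast_cache/wmg-global.com/senditem.php?c=",
]

Indicator = Tuple[str, str, str]  # (kind, host, path+query prefix)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] for ., hxxp for http)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> Indicator:
    """Split a refanged IOC into kind ("domain", "ip", "url"), host and prefix."""
    host, slash, rest = ioc.partition("/")
    host = host.lower()
    if slash:
        return ("url", host, "/" + rest)
    if IPV4_RE.fullmatch(host):
        return ("ip", host, "")
    return ("domain", host, "")


def build_indicators(iocs: List[str]) -> List[Indicator]:
    return [classify(refang(i)) for i in iocs]


def match_url(url: str, indicators: List[Indicator]) -> Optional[Tuple[str, str]]:
    """Return (kind, ioc) for the most specific indicator the URL matches, else None.

    URL indicators need host equality plus a path/query prefix (the feed's URLs end
    in '?c=', the parameter the C2 endpoints take); domains match the host and its
    subdomains; IPs match the host exactly. A URL hit beats a host-only hit.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    pathquery = parts.path or "/"
    if parts.query:
        pathquery += "?" + parts.query
    weaker: Optional[Tuple[str, str]] = None
    for kind, ihost, prefix in indicators:
        if kind == "url":
            if host == ihost and pathquery.startswith(prefix):
                return (kind, ihost + prefix)
        elif kind == "ip":
            if host == ihost and weaker is None:
                weaker = (kind, ihost)
        elif host == ihost or host.endswith("." + ihost):
            if weaker is None:
                weaker = (kind, ihost)
    return weaker


# CONSTRUCTED proxy lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2017-09-26T10:14:03Z 10.0.0.12 GET http://arch-tech.net/components/com_layer_slider/senditem.php?c=ZGF0YQ== 200",
    "2017-09-26T10:14:09Z 10.0.0.12 GET http://144.76.109.88/al/ 200",
    "2017-09-26T10:15:41Z 10.0.0.31 GET http://www.heartmade.ae/ 200",
    "2017-09-26T10:16:02Z 10.0.0.31 GET http://example.com/senditem.php?c=1 404",  # path alone is not enough
    "2017-09-26T10:16:30Z 10.0.0.12 GET http://notarch-tech.net/ 200",  # suffix without the dot: no match
]


def scan_proxy_log(lines: List[str], iocs: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose URL matches an indicator."""
    indicators = build_indicators(iocs)
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = match_url(fields[3], indicators)
        if hit:
            hits.append({"line": n, "client": fields[1], "url": fields[3],
                         "kind": hit[0], "ioc": hit[1]})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG, IOCS):
        print(h)
```

On the constructed log this yields three hits: two URL-level matches (the arch-tech[.]net `senditem.php?c=` endpoint and `144[.]76.109.88/al/`) and one host-level match on a heartmade[.]ae subdomain. Note that the URL indicators carry the path and `?c=` prefix precisely because several of the listed hosts are ordinary Joomla and WordPress sites that appear compromised rather than attacker-registered, so a host-only hit on them is a weaker signal than a request to the specific script.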

Overlaps

MuddyWater
MuddyWater APT Focuses on Espionage in the Middle East: A Technical Analysis

Source: Reaqta - November 2017

Detection (eight cases): 144[.]76.109.88, arch-tech[.]net, heartmade[.]ae, itcdubai[.]net, larsson-elevator[.]com, projac.co[.]uk, romix-group[.]com, taxconsultantsdubai[.]ae

MuddyWater
MuddyWater Targets Middle East Using POWERSTATS Backdoor

Source: Unit 42 - Palo Alto Networks - November 2017

Detection (one case): 144[.]76.109.88

MuddyWater
Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs

Source: Security 0wnage - October 2017

Detection (one case): 144[.]76.109.88

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.