Threats Feed | Cobalt Gypsy | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 15/02/2017

COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: RAT, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017 and linked it to COBALT GYPSY (aka OilRig). The attackers employed spear-phishing emails containing shortened URLs that redirected to spoofed domains. Victims were presented with a malicious Microsoft Office document which, when opened, executed PowerShell commands that installed PupyRAT, a multi-platform remote access trojan (RAT).

Detected Targets

Type / Description / Confidence

  • Case: ITWorx (Confidence: Verified)
    ITWorx is an Egyptian information technology services firm. ITWorx has been targeted by Cobalt Gypsy for malicious purposes.
  • Case: Ministry of Commerce and Investment, Saudi Arabia (Confidence: Verified)
    The Ministry of Commerce is a cabinet-level government ministry of Saudi Arabia responsible for both the commerce and investment sectors in the kingdom. Its responsibilities include the development and implementation of policies and mechanisms that govern the sectors of commerce and investment. The Ministry of Commerce and Investment, Saudi Arabia has been targeted by Cobalt Gypsy for malicious purposes.
  • Case: Ministry of Health, Saudi Arabia (Confidence: Verified)
    The Ministry of Health, commonly abbreviated to MoH, is the ministry overseeing the health care and health policy of Saudi Arabia. The ministry is tasked with formulating strategies to ensure public health in the country, while also managing crucial health infrastructure. The Ministry of Health, Saudi Arabia has been targeted by Cobalt Gypsy for malicious purposes.
  • Case: Ministry of Labor, Saudi Arabia (Confidence: Verified)
    The Ministry of Human Resources and Social Development is a government ministry in Saudi Arabia that was established in 2019 by merging the Ministry of Labour and Social Development with the Ministry of Civil Service. It is responsible for providing the community with development, support, and protection. The Ministry of Labor, Saudi Arabia has been targeted by Cobalt Gypsy for malicious purposes.
  • Case: National Technology Group (Confidence: Verified)
    National Technology Group (NTG) is a multi-national conglomerate with over 20 specialized Information and Communication Technology (ICT) businesses in the MENA region, South East Asia, South Asia, and the USA, headquartered in Riyadh, Saudi Arabia. National Technology Group has been targeted by Cobalt Gypsy for malicious purposes.
  • Sector: Financial (Confidence: Verified)
  • Sector: Information Technology (Confidence: Verified)
  • Sector: Oil and Gas (Confidence: Verified)
  • Region: Saudi Arabia (Confidence: Verified)

Extracted IOCs

Domains:
  • ntg-sa[.]com
  • itworx.com-ho[.]me
  • mci.com-ho[.]me
  • moh.com-ho[.]me
  • mol.com-ho[.]me

File hashes (MD5):
  • 03ea9457bf71d51d8109e737158be888
  • 1b5e33e5a244d2d67d7a09c4ccf16e56
  • 43fad2d62bc23ffdc6d301571135222c
  • 97cb7dc1395918c2f3018c109ab4ea5b

File hashes (SHA-1):
  • 3215021976b933ff76ce3436e828286e124e2527
  • 735f5d7ef0c5129f0574bec3cf3d6b06b052744a
  • 934c51ff1ea00af2cb3b8465f0a3effcf759d866
  • d20168c523058c7a82f6d79ef63ea546c794e57b

File hashes (SHA-256):
  • 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b
  • 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b
  • 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71
  • e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6

IP addresses:
  • 139[.]59.46.154
  • 45[.]32.186.33
  • 89[.]107.62.39

Tip: 20 IOCs related to this threat have been found (3 IP addresses, 5 domains, 0 URLs, 0 email addresses, 12 file hashes).

Overlaps

Charming Kitten | Charming Kitten's Cyber Arsenal: Tools and Techniques Explained

Source: InfinitumIT - November 2022

Detection (20 cases): 139[.]59.46.154, 45[.]32.186.33, 89[.]107.62.39, 03ea9457bf71d51d8109e737158be888, 1b5e33e5a244d2d67d7a09c4ccf16e56, 3215021976b933ff76ce3436e828286e124e2527, 43fad2d62bc23ffdc6d301571135222c, 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b, 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b, 735f5d7ef0c5129f0574bec3cf3d6b06b052744a, 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, 934c51ff1ea00af2cb3b8465f0a3effcf759d866, 97cb7dc1395918c2f3018c109ab4ea5b, d20168c523058c7a82f6d79ef63ea546c794e57b, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6, itworx.com-ho[.]me, mci.com-ho[.]me, moh.com-ho[.]me, mol.com-ho[.]me, ntg-sa[.]com

Magic Hound | Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks

Source: Unit 42 - February 2017

Detection (five cases): 139[.]59.46.154, 89[.]107.62.39, 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b, 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6

Unknown | From Spear Phishing to Data Wipe: Unraveling the Shamoon Attacks in the Gulf

Source: IBM - February 2017

Detection (seven cases): 139[.]59.46.154, 03ea9457bf71d51d8109e737158be888, 1b5e33e5a244d2d67d7a09c4ccf16e56, 43fad2d62bc23ffdc6d301571135222c, e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6, mol.com-ho[.]me, ntg-sa[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.