{"id":7101,"date":"2017-03-23T16:10:12","date_gmt":"2017-03-24T00:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/23\/news-892\/"},"modified":"2017-03-23T16:10:12","modified_gmt":"2017-03-24T00:10:12","slug":"news-892","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/23\/news-892\/","title":{"rendered":"New targeted attack against Saudi Arabia Government"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 23 Mar 2017 22:26:26 +0000<\/strong><\/p>\n

A new spear phishing campaign\u00a0is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document\u00a0to other contacts via their Outlook inbox.<\/p>\n

We know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro.<\/p>\n

\"\"<\/a><\/p>\n

Document overview:<\/h3>\n
Macro might run executable<\/span><\/span>  Contains obfuscated macro code<\/span><\/span>  Loads DLL into its own memory<\/span><\/span>  Runs dropped executable<\/span><\/span>  Macro might read system main characteristics<\/span><\/span>  Runs existing executable<\/span><\/span>  Macro might overwrite file<\/span><\/span>  Access Windows sensitive data: Windows Address Book<\/span><\/span>  Suspicious delay<\/span><\/span>  Starts macro code when document is opened<\/span><\/span>  Searches inside certificate store database<\/span><\/span>  Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)<\/span><\/span>  Check user main folders path<\/span><\/span>  Access Windows sensitive data: Windows Profiles information<\/span><\/span>  Contains macro<\/span><\/span>  Contains macro with create file functionalities<\/span><\/span>  Drops .EXE file<\/span><\/span>  Drops .DLL file<\/span><\/span>  Access Windows sensitive data: certificates<\/span><\/span><\/pre>\n
A quick analysis with oletools<\/em> shows us the sections within the macro:<\/p>\n
\"\"<\/p>\n
The payload is embedded in\u00a0the macro as Base64 code. It uses the certutil<\/em> program to decode the Base64 into a PE file which is then\u00a0executed:<\/p>\n
\"\"<\/a><\/p>\n
Binary overview:<\/h3>\n
Searches inside certificate store database<\/span><\/span>  Loads DLL into its own memory<\/span><\/span>  Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)<\/span><\/span>  Access Windows sensitive data: Windows Profiles information<\/span><\/span>  Access Windows sensitive data: Windows Address Book<\/span><\/span>  Drops .DLL file<\/span><\/span>  Drops .EXE file<\/span><\/span>  Access Windows sensitive data: certificates<\/span><\/span><\/pre>\n
Let’s take a look at the dropped binary itself. It is coded in .NET and not obfuscated. Here’s the encrypted payload:<\/p>\n
\"\"<\/a><\/p>\n
Decrypting it we can see the main payload\u00a0(neuro_client.exe\u00a0<\/em>renamed to Firefox-x86-ui.exe <\/em>here) and two helper DLLs:\u00a0\"\"<\/a><\/p>\n
\"\"<\/p>\n
It sets persistence for auto-relaunch via the Task Scheduler:<\/p>\n
\"\"<\/a><\/p>\n
The purpose of this piece of malware appears to be stealing information and uploading it to a remote server:<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
According to reports from sources, Malwarebytes Anti-Exploit blocked the targeted attack proactively without the use of signature updates thanks to its Application Behavior protection layer for all consumer and corporate users of Malwarebytes. Malwarebytes Anti-Malware also detects and remediates the threat completely.<\/p>\n
We\u00a0will continue to analyze this threat and update the\u00a0post at a later time with more information.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
IOCs:<\/h3>\n
Word dropper:<\/p>\n
MD5: 3cd5fa46507657f723719b7809d2d1f9  SHA256: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9<\/pre>\n
Binary payload:<\/p>\n
MD5: 4ed42233962a89deaa89fd7b989db081  SHA256: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873<\/pre>\n
Payload names:<\/p>\n
C:ProgramData**-x86-ui.exe with * being one of these:    firefox|chrome|opera|abby|mozilla|google|hewlet|epson|xerox|ricoh|adobe|corel|java|nvidia|realtek|oracle|winrar|7zip|vmware|juniper|kaspersky|mcafee|symantec|yahoo|goog<\/pre>\n
Network communications:<\/p>\n
mail.spa.gov.sa\/ews\/exchange\/exchange.asmx  webmail.ecra\/ews\/exchange\/exchange.asmx<\/pre>\n
62.149.118.67  85.194.112.9<\/pre>\n
The post New targeted attack against Saudi Arabia Government<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: Malwarebytes Labs| Date: Thu, 23 Mar 2017 22:26:26 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Several Saudi Arabia organizations are being targeted in a new spear phishing campaign.<\/p>\n
Categories: <\/p>\n