1) Middle East Government and Education Sectors Under Attack

Organizations in the Middle East have once again come under attack from a cyber crime group. ‘DarkHydrus’ appears to specifically target government entities and educational institutions across the Middle East and according to our vendor partner Palo Alto Networks, the Group has been in operation since 2016. In their most recent attack which was first detected last week, they have leveraged spear-phishing to deliver a PowerShell payload called RogueRobin. In addition to this, the Group has been carrying out a credential harvesting campaign since June 2018, and an educational entity in the region was targeted with an email bearing the subject line ‘Project Offer’ which had a malicious Word document as the attachment.

Attack Description:

The credential harvesting attacks are being carried using spear-phishing emails that contain malicious Microsoft Office documents, leveraging the ‘Attached Template’ technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialogue box for (0utl00k[.]net) asking the user to provide login credentials. When entered, these credentials are then sent to the attacker’s Command and Control (C2) server, which allows DarkHydrus to collect user account credentials.

DarkHydrus uses an open-source tool called ‘Phishery’ to create two of the known Word documents used in these credential harvesting attacks. Phishery is capable of the following:

  • Creating malicious Word documents by injecting a remote template URL
  • Hosting a C2 server to gather credentials entered into authentication dialogue boxes displayed when attempting to obtain the remote template

The Group also maintains its own C2 domain in an attempt to further trick targeted users into entering their credentials. The 0utl00k[.]net domain resembles Microsoft’s legitimate “outlook.com” site that provides free email services. This makes the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialogue states they are connecting to and therefore habitually type in their Windows credentials.

Recommendations:

  • Practise robust email filtering to ensure users receive fewer emails that contain spams or potential malicious attachments.
  • Educate users on Social engineering and Phishing/Spear Phishing emails. They should be trained not to open unexpected emails but rather report them to IT security.
  • Block attachments, remove local administrative rights, and block network access to any identified C2 servers used by ransomware.
  • Ensure that the C2 server 0utl00k[.]net is classified as malware.
  • Notify security teams in case of any suspicious activity which involves requests for user credentials.
  • Ensure AV at endpoints is being properly updated and check to ensure the AV has signatures for all the known bad hashes.
  • Ensure proper controls are in place to scan inbound emails such as usage of sandbox technology to scan incoming emails.
  • Keep operating system patches up-to-date.
2) Cryptominers Go on the Prowl

By all indications, the infamous ‘Dharma’ ransomware appears all set to begin a massive infection campaign. This new variant of the Dharma ransomware encrypts data files with a different file extension. After entering the system, the malware now encrypts all files with a .cmb extension.

Attack Description:

Distributed through hacked Remote Desktop Services, the Dharma ransomware family, including this .cmb variant, is installed manually by attackers hacking into computers over Remote Desktop Protocol Services. The attackers scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer. Once they gain access to the system they install the ransomware and let it encrypt the computer. As a variant of the CrySiS ransomware family, the Dharma .cmb ransomware has been reported to drop one or more executable files in the %AppData% Windows directory.

This ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. While encrypting a file, it will append an extension in the format of .id-[id].[email].cmb, creating two different ransom notes on the infected computer. One is the Info.hta file, which is launched by an autorun protocol when the victim logs into the infected computer, and the other note is called FILES ENCRYPTED.txt and can be found on the desktop.

Finally, the ransomware configures itself to automatically start when the victim logs in to the endpoint, thus allowing it to encrypt new files that are created since it was last executed. Both ransom notes contain instructions to contact paymentbtc@firemail.cc in order to get payment instructions.

Recommendations:

  • Maintain a reliable and tested backup of your data that can be restored in the case of an emergency.
  • Make sure the RDP is locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place them behind VPNs so that they are accessible only to those who have VPN accounts on your network.
  • It is also important to set up proper account lockout policies to prevent brute force attempts on user accounts.
  • Change the default listening port for Remote Desktop- this offers effective protection against the latest RDP worms.
  • Make sure all endpoint, services, and tools are updated on a regular basis.
  • Educate users on creating and utilizing complex passwords and never reusing the same password for multiple services.
  • Implement two-factor authentication on highly sensitive systems.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.

Blog By:

Ben Abraham, CSOC Lead at Help AG