Threat advisories

Top Middle East Cyber Threats- 1 April 2019

Apr-2019 4 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Malware brings manufacturing to a grinding halt
Norsk Hydro, a Norwegian manufacturing company was recently hit with a ransomware attack that impacted daily operations within its network. As a result of the malware, called LockerGoga, the company was forced to switch to manual mode, wherever possible, or had to temporarily stop its production at several plants as an immediate precaution.
We advise that manufacturing organizations in particular exercise caution as they are more susceptible to this type of attack. A typical manufacturing company’s network consists of devices that were in some cases designed 10 or 15 years ago when security was not a high priority. These remain configured to have many connections to the internal IT network. Thus, once the malware reaches the IT network it then very quickly spreads across the OT network often using the SMB file sharing feature.
Attack Description:
Phishing emails have been found to be the attack vector with employees being tricked into providing attackers with credentials to successful gain remote access to the LTE network.
When executed the ransomware was found to normally target DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files. While encrypting these files, the ransomware appends the “.locked” extension to the corresponding file names. It then drops the ransom note in the filesystem, informing users of the steps required to retrieve their files.
Known/previously identified file samples for LockerGoga ransomware are ‘worker’ and ‘worker32’. The malware was found to launch a process using names like what Microsoft uses for its Windows Services, such as ‘svch0st’ or ‘svchub’.
The malware appears to have the ability to detect the presence of Virtual Machines and to delete itself from the filesystem to avoid sample collection. The threat actors were able to infect a system that was registered in the Domain Admin Group of the targeted organization. Further, this malicious executable was placed in the Netlogon directory so it could be propagated automatically to every Domain Controller.
Remediations:

Blacklist the attack’s Indicators of Compromise (IoCs) on your security appliances to help prevent/detect any activities related to the same.
Exercise caution when receiving unsolicited, unexpected, or suspicious files/emails/URLs.
Maintain regular backups and conduct health checks for disaster recovery purposes.
Configure your security/network devices to monitor, identify and deny any suspicious activity based on the observed behaviour or detected IoCs.

2) WinRAR being exploited by Goldmouse APT Group
The Goldmouse APT group (APT-C-27) has been exploiting the WinRAR vulnerability to carry out a new set of attacks. This exploit (CVE-2018-20250[6]) is used to hide the njRAT backdoor from targeted users. The vulnerability resides in the “WinRAR UNACEV2.DLL” library and since it has already been patched, attackers aim to exploit and compromise unpatched systems.
Targeted users have mainly been from the Middle East and are being targeted with decoy Word documents to compromise and control their devices.
Attack Description:
The attack is carried out by sending out the compressed WinRAR exploit using word documents, which are embedded with njRAT backdoor drops. This backdoor file, disguised as a legitimate desktop version of the Telegram app (Telegram Desktop.exe), is extracted to the start-up folder.
Once the victim decompresses the attached archive on the system that contains this unpatched WinRAR, the embedded backdoor is extracted to the start-up folder with the name ‘Telegram Desktop’. The TelegramDesktop.exe decodes the data through Base64 and executes the decoded binaries directly in memory to drop the final njRAT backdoor.
njRAT performs various evasion techniques to shut down the firewall and communicates with the Command and Control servers (C&Cs) to perform various malicious operation via a remote SHELL, plug-in support, remote desktop, file management, etc.
Remediations:

Blacklist the attack’s listed Indicators of Compromise (IoCs) on your security appliances to help prevent/detect any activities related to the same.
Exercise caution when receiving unsolicited, unexpected, or suspicious files/emails/URLs.
The software vendor has released the latest version of WinRAR and it is recommended that users upgrade to this latest patched version (WinRAR 5.70 beta 1):
- 32 Bits：http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe
- 64 Bits：http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe
If the patch cannot be installed at this moment, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect the normal usage, but just reports an error when encountering ACE archives.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.