TOP MIDDLE EAST CYBER THREATS - 1 MARCH 2018
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures for some of the largest enterprises in the region. As a result of this, they have their eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats that our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
OopsIE Spearphishing against the Middle East Financial Sector
Our vendor partner Palo Alto Networks has detected a resurgence of OilRig, the highly active hacker group previously linked to Iran. The group's latest string of attacks targets insurance and finance organizations with a spear phishing campaign aimed at delivering malware. The attackers have used email address spoofing to make the highly customized malicious emails appear to originate from a reputed global financial organization.
The attackers have also been careful to modify this attack, a variant of the one they executed a year ago, in order to penetrate organizations that have implemented measures against known OilRig TTPs. As part of the attack, they download the OopsIE Trojan, which is packed with SmartAssembly and obfuscated with ConfuserEx. The Trojan uses the Internet Explorer application object to connect to its C2 server, so that the traffic looks like legitimate browser requests. It can then download further files, run commands, upload content and so on. To learn more about OopsIE, its indicators of compromise and the recommended protection measures, I would highly recommend reading the excellent technical blog by Palo Alto Networks.
OMG: Mirai Evolves to Target IoT Devices
Hackers are leveraging a new strain of the Mirai botnet, called OMG, to turn IoT devices into proxy servers. This move aligns with the recent rise in crypto mining malware (which we discussed in our threat report on 15 February), as access to compromised proxies can be sold to cyber criminals for mining cryptocurrency. Of course, this access can also be leveraged to mask cyber-attacks behind a high level of anonymity.
This October 2016 article by Brian Krebs provides excellent insight into how converting IoT devices into proxy servers can be monetized by cyber criminals. And as financial gain remains one of the key motivations for attackers, there is no doubt that more and more Mirai-based bots are going to emerge with new methods of monetization.
Malicious Document Spreading Remote Admin Tools (RAT) Malware
Malware creators are always finding new ways to distribute their code via social media and malicious documents. This latest attack involves the use of a Rich Text Format (RTF) document containing multiple embedded Excel sheets with macros. The inclusion of multiple sheets causes multiple pop-ups to be displayed warning users about the macros, and we have observed up to 10 such sheets in a single RTF document. So even if a user clicks 'Disable Macros' on the first pop-up, they are greeted with yet another warning. Breaking out of this loop requires users to either address all the pop-ups or force-quit Word, which dramatically increases the chances of infection by exploiting human behavior.
Once enabled, the macros begin a process which ultimately results in the download of the NetWiredRC and QuasarRAT malware payloads, both of which are Remote Admin Tools (RATs) with powerful features that include remote webcam access, remote shell and keylogging. NetWiredRC additionally offers features such as file search, screen capture and password stealing.
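As an added illustration (not code from the original post or from Help AG), the following Python triage heuristic counts the embedded OLE objects declared in an RTF file and flags a document that carries more Excel sheet objects than a normal business document would. The sample RTF and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample RTF (not a real malicious file): three embedded Excel
# sheet objects, the pattern described in the post, plus one benign picture.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}}"
    r"\pard Quarterly report\par"
    r"{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata 0105000002000000}}"
    r"{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata 0105000002000000}}"
    r"{\object\objemb{\*\objclass Excel.SheetMacroEnabled.12}{\*\objdata 0105}}"
    r"{\object\objemb{\*\objclass Paint.Picture}{\*\objdata 0105}}"
    r"}"
)

# \object marks an embedded/linked OLE object; the negative lookahead stops
# \objemb, \objclass and \objdata from being counted as objects themselves.
OBJECT_RE = re.compile(r"\\object(?![a-z])")
# \*\objclass <ProgID> names the server application for the object.
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([A-Za-z0-9_.]+)")


def embedded_object_classes(rtf: str) -> Counter:
    """Count the ProgIDs declared for embedded objects in an RTF document."""
    return Counter(m.group(1) for m in OBJCLASS_RE.finditer(rtf))


def assess_rtf(rtf: str, max_excel_sheets: int = 1) -> dict:
    """Return counts and a verdict; more than max_excel_sheets Excel objects
    is treated as suspicious (threshold chosen for this example)."""
    total_objects = len(OBJECT_RE.findall(rtf))
    classes = embedded_object_classes(rtf)
    excel = sum(n for cls, n in classes.items() if cls.lower().startswith("excel."))
    return {
        "objects": total_objects,           # every \object, even without \objclass
        "classes": dict(classes),
        "excel_sheets": excel,
        "suspicious": excel > max_excel_sheets,
    }


if __name__ == "__main__":
    print(assess_rtf(SAMPLE_RTF))
```

The total object count is kept separately because a document may omit the `\objclass` group; for real triage, a dedicated parser such as rtfobj from oletools handles obfuscated control words that this regex heuristic does not.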
As always, at Help AG we're here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Majid Khan, Manager Cybersecurity Managed Services at Help AG