Top Middle East Cyber Threats - 18 March 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threat our MSS team has recently come across. So, read on to learn what you need to look out for in the weeks ahead:
Operation Pistacchietto in a Nutshell
Researchers have uncovered a complex new campaign dubbed “Operation Pistacchietto”. Analysing its ‘hiding in plain sight’ strategy, the developer’s comments, the draft-quality malware code and the speculation about the possibly amateur nature of this actor, we can conclude that their activity has been ongoing for several years. It now has the potential to impact at least four of the main computing platforms: Microsoft Windows hosts, Mac OS X systems, Linux servers and Android mobile devices.
The campaign appears to be personally motivated rather than financially driven or state sponsored. Despite its limited infection numbers, it poses a threat that individuals and companies should not ignore.
Attack Description:
The initial attack begins from a basic Java page, which invites the user to update their current Java version by clicking on a link. This action redirects the user and downloads the file “window-update.hta”. When the user clicks “Update”, it initiates the download of a “.bat” file. The win.bat file appears to have been written by a script kiddie, or to be an initial draft.
The script is composed of two parts: the first tricks the user into granting it administrative privileges on the system; the second downloads the malware payload and establishes persistence through the Windows Task Scheduler.
The malware downloads the components appropriate to the machine’s architecture, including:
- A text file containing new actions to execute, from config01.homepc[.it/svc/wup.php?pc=pdf_%computername%
- NETCAT utility for Windows (from config01.homepc[.it/win/nc64.exe and config01.homepc[.it/win/nc.exe)
- WGET utility for Windows (from config01.homepc[.it/win/wget.exe and config01.homepc[.it/win/wget32.exe)
Other malicious artifacts include:
- config01.homepc[.it/win/get.vbs
- config01.homepc[.it/win/sys.xml
- config01.homepc[.it/win/syskill.xml
- config01.homepc[.it/win/office_get.xml
- config01.homepc[.it/win/woffice.exe
- config01.homepc[.it/win/init.vbs
- config01.homepc[.it/win/winsw.exe
Several URLs are embedded in the script, including:
- hxxps://github[.com/pistacchietto/Win-Python-Backdoor/raw/master
- hxxp://verifiche.ddns[.net/{some_files}
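The list above is what a SOC would load into its proxy or DNS blocklist, and the practical question is how to match it without blocking a shared platform such as GitHub outright. The following is an added example (not Help AG’s or the researchers’ code): it refangs the indicators exactly as listed here, blocks the dedicated hosts by name, requires the path prefix for the GitHub entry, and scans constructed proxy log lines (the client addresses, timestamps and `placeholder_file` names are made up for the sample).

```python
"""Match the campaign's network indicators against proxy log lines.

Added example, not Help AG's or the researchers' code. The indicator list is
copied from the post (defanged as written there); the log lines, client
addresses and file names in them are constructed samples.
"""
from urllib.parse import urlparse

DEFANGED_IOCS = [
    "config01.homepc[.it/svc/wup.php?pc=pdf_%computername%",
    "config01.homepc[.it/win/nc64.exe",
    "config01.homepc[.it/win/nc.exe",
    "config01.homepc[.it/win/wget.exe",
    "config01.homepc[.it/win/wget32.exe",
    "config01.homepc[.it/win/get.vbs",
    "config01.homepc[.it/win/sys.xml",
    "config01.homepc[.it/win/syskill.xml",
    "config01.homepc[.it/win/office_get.xml",
    "config01.homepc[.it/win/woffice.exe",
    "config01.homepc[.it/win/init.vbs",
    "config01.homepc[.it/win/winsw.exe",
    "hxxps://github[.com/pistacchietto/Win-Python-Backdoor/raw/master",
    "hxxp://verifiche.ddns[.net/{some_files}",
]

# Shared platforms: blocking the whole host would break legitimate traffic,
# so a hit there requires the indicator's path prefix as well as the host.
SHARED_HOSTS = {"github.com"}


def refang(ioc: str) -> str:
    """Undo the post's defanging ('[.' for '.', 'hxxp' for 'http')."""
    return (ioc.replace("[.", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_rules(defanged_iocs):
    """Turn each indicator into (ioc, host, path, path_required)."""
    rules = []
    for ioc in defanged_iocs:
        url = refang(ioc)
        if "://" not in url:
            url = "http://" + url  # bare host/path entries need a scheme for urlparse
        parsed = urlparse(url)
        host = parsed.hostname.lower()
        rules.append((ioc, host, parsed.path, host in SHARED_HOSTS))
    return rules


def blocked_hosts(rules):
    """Hosts that can be blocked outright (everything not on a shared platform)."""
    return {host for _, host, _, path_required in rules if not path_required}


def _path_matches(rule_path: str, path: str) -> bool:
    # Exact file, or anything below a directory-style indicator (the raw/master tree).
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def match_url(url: str, rules):
    """Return the indicator a URL matches, preferring a path-level over a host-level hit."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    host_level = None
    for ioc, rule_host, rule_path, path_required in rules:
        if host != rule_host:
            continue
        if _path_matches(rule_path, parsed.path):
            return ioc
        if not path_required and host_level is None:
            host_level = ioc
    return host_level


def scan_proxy_log(log_text: str, rules):
    """Scan 'timestamp client method url status' lines; return (client, url, ioc) hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        ioc = match_url(url, rules)
        if ioc is not None:
            hits.append((client, url, ioc))
    return hits


# Constructed proxy log: one workstation fetching the campaign's components,
# plus benign traffic (including other GitHub content) that must not be flagged.
SAMPLE_PROXY_LOG = """\
1552896000.123 10.0.0.15 GET http://config01.homepc.it/win/nc64.exe 200
1552896001.456 10.0.0.15 GET http://config01.homepc.it/svc/wup.php?pc=pdf_WS-042 200
1552896002.789 10.0.0.22 GET https://github.com/python/cpython/raw/master/README.rst 200
1552896003.012 10.0.0.15 GET https://github.com/pistacchietto/Win-Python-Backdoor/raw/master/placeholder_file 200
1552896004.345 10.0.0.31 GET http://www.example.com/index.html 200
1552896005.678 10.0.0.15 GET http://verifiche.ddns.net/placeholder_file 404
"""

if __name__ == "__main__":
    rules = build_rules(DEFANGED_IOCS)
    print("block outright:", sorted(blocked_hosts(rules)))
    for client, url, ioc in scan_proxy_log(SAMPLE_PROXY_LOG, rules):
        print(f"{client} -> {url}  (matches {ioc})")
```

The `wup.php` indicator contains the victim’s computer name in its query string, so the rule matches on host and path only; the `{some_files}` entry for `verifiche.ddns[.net` never yields a path-level match and falls back to the host-level rule, which is the right outcome for a dynamic-DNS host under the attacker’s control.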
The batch script implants most of the downloaded components into a %windir% folder and one of them, the core of the malware, into the C:\Program Files\Windows Defender folder. The script then registers several scheduled tasks through “schtasks” to start its functions periodically.
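Because the persistence is ordinary Task Scheduler registrations, an export of the tasks on a host is enough to hunt for it. The following is an added example (not Help AG’s or the researchers’ code) that reads the CSV produced by `schtasks /query /fo csv /v`, here a constructed sample with a subset of the real columns, and flags tasks whose program is one of the file names dropped by the campaign or a non-baseline binary living in the Windows Defender folder. The task names and paths in the sample are made up; the allowlisted `MpCmdRun.exe` is an assumption about what Microsoft’s own Defender tasks run and should be validated against a clean host.

```python
"""Review scheduled tasks for the persistence described in the post.

Added example, not Help AG's or the researchers' code. It parses the CSV that
'schtasks /query /fo csv /v' produces (the sample below is constructed with a
subset of the real columns); only the dropped file names come from the post.
"""
import csv
import io
import ntpath
import re

# File names the batch script drops, from the post.
DROPPED_NAMES = {
    "window-update.hta", "win.bat", "nc.exe", "nc64.exe", "wget.exe",
    "wget32.exe", "get.vbs", "init.vbs", "woffice.exe", "winsw.exe",
}

# The post says the core component is planted in this folder.
DEFENDER_DIR = r"c:\program files\windows defender" + "\\"

# Assumption: the binary Microsoft's own Defender maintenance tasks run.
# Validate this baseline against a known-clean host before relying on it.
BASELINE_DEFENDER_BINARIES = {"mpcmdrun.exe"}

# Program path at the start of a 'Task To Run' value, quoted or unquoted,
# ending at the first script/executable extension.
_PROGRAM_RE = re.compile(r'^"?([^"]+?\.(?:exe|bat|cmd|vbs|hta|js|ps1))"?', re.IGNORECASE)


def executable_path(task_to_run: str):
    """Extract the program path from a 'Task To Run' value, or None if unrecognised."""
    m = _PROGRAM_RE.match(task_to_run.strip())
    return m.group(1) if m else None


def review_tasks(csv_text: str):
    """Return (task name, program, reasons) for tasks matching the campaign's traits."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        program = executable_path(row["Task To Run"])
        if program is None:
            continue
        name = ntpath.basename(program).lower()
        folder = ntpath.dirname(program).lower() + "\\"
        reasons = []
        if name in DROPPED_NAMES:
            reasons.append("file name dropped by the campaign")
        if folder == DEFENDER_DIR and name not in BASELINE_DEFENDER_BINARIES:
            reasons.append("non-baseline program in the Windows Defender folder")
        if reasons:
            findings.append((row["TaskName"], program, reasons))
    return findings


# Constructed export: one genuine-looking Defender maintenance task, two tasks
# resembling the campaign's persistence, and a benign backup job.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS-042","\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance","Ready","Microsoft Corporation","C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance","At idle time"
"WS-042","\svc_update","Ready","WS-042\user","C:\Program Files\Windows Defender\woffice.exe","Every 10 minute(s)"
"WS-042","\sys_check","Ready","WS-042\user","""C:\Windows\nc.exe""","Every 5 minute(s)"
"WS-042","\NightlyBackup","Ready","WS-042\user","C:\Backup\backup.bat","Daily"
'''

if __name__ == "__main__":
    for task, program, reasons in review_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{task}: {program} -> {'; '.join(reasons)}")
```

On a real host, pipe the output of `schtasks /query /fo csv /v` into `review_tasks`; the two checks are independent, so a renamed dropper in the Defender folder is still caught by the folder rule even though its file name is not on the list.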
Remediation:
- Blacklist all the attack’s Indicators of Compromise (IoCs) on your security appliances to help prevent or detect any related activity.
- Exercise caution when receiving unsolicited, unexpected, or suspicious files and emails and when clicking URLs.
- Deny local non-admin users the privileges needed to access and modify system files.
- Administrators must monitor and control which file types individuals in their organization can use, including denying the use of scripts, macro-enabled files and similar.
As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.