Delaware, USA – October 3, 2017 – Researchers from Malwarebytes Lab have reported a malicious campaign against government entities in Saudi Arabia. Over the past year, Saudi Arabia has become the target of several large-scale cyber attacks: according to researchers from Kaspersky Lab, about 60 percent of organizations in the country were attacked by various malware. The purpose of this latest campaign is cyberespionage. The attackers send emails carrying a malicious attachment, an MS Word document with macros. What sets this campaign apart from other attacks is that the embedded macros do not start by downloading an additional payload. Instead, they first try to modify the registry keys that control the security settings of MS Office applications, then determine the IP address of the infected machine and download PowerShell and VB scripts from the command-and-control server. The VB script is responsible for persistence and for launching the PowerShell script, which communicates with the C2 server and encrypts and transmits the collected data. The PowerShell script can also run commands issued remotely by the attackers.
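The campaign's first action on the host, tampering with the registry values that control Office macro security, is something a defender can audit. The following script is an added example (not code from the original report, Malwarebytes or Use Case Cloud): it parses the text produced by `reg export HKCU\Software\Microsoft\Office office.reg` and flags per-application Trust Center values that weaken macro protection. It assumes the well-known `VBAWarnings` and `AccessVBOM` values are the kind of setting the report means by "registry keys responsible for security settings"; the report itself does not name the keys. The embedded export is constructed sample data.

```python
"""Audit an exported Office Trust Center registry hive for macro-security tampering.

Usage on a Windows host (assumption, not from the report):
    reg export HKCU\\Software\\Microsoft\\Office office.reg
then run this file over the exported text. Everything below also runs offline
against the constructed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented Office Trust Center values (assumption: these are the "security
# settings" keys the campaign description refers to).
# VBAWarnings: 1 = enable all macros (no prompt), 2 = disable with notification
#              (default), 3 = disable except digitally signed, 4 = disable all.
# AccessVBOM:  1 = trust access to the VBA project object model, which lets a
#              running macro read and write other macros.
SAFE_VBAWARNINGS = {2, 3, 4}

# Only per-application Security keys, e.g. ...\Office\16.0\Word\Security
_SECURITY_KEY_RE = re.compile(r"\\Office\\[0-9.]+\\[A-Za-z]+\\Security$")
_KEY_LINE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_DWORD_LINE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


@dataclass
class Finding:
    key: str
    name: str
    value: int
    reason: str


def audit_reg_export(text: str) -> List[Finding]:
    """Return one Finding per weakened macro-security value in a .reg export."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_LINE_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = _DWORD_LINE_RE.match(line)
        if not val_match or current_key is None:
            continue
        if not _SECURITY_KEY_RE.search(current_key):
            continue  # ignore Trusted Locations and unrelated subkeys
        name, value = val_match.group(1), int(val_match.group(2), 16)
        if name == "VBAWarnings" and value not in SAFE_VBAWARNINGS:
            findings.append(Finding(current_key, name, value,
                                    "macros run without a prompt"))
        elif name == "AccessVBOM" and value == 1:
            findings.append(Finding(current_key, name, value,
                                    "VBA project object model is trusted"))
    return findings


# Constructed sample export: Word has been weakened, Excel is at defaults.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"AccessVBOM"=dword:00000000
"""

if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_EXPORT):
        print(f"{f.key}\\{f.name} = {f.value}: {f.reason}")
```

Run on a real export, any finding under a user's hive is worth correlating with Office process activity around the same time, since a user rarely lowers these settings by hand. One caveat: when macro settings are enforced by Group Policy, the values under `HKCU\Software\Policies\Microsoft\Office\...` take precedence over the user keys checked here, so a policy-managed host should be audited against that hive as well.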
The attackers use targeted (spear) phishing: the emails are disguised as documents from one of the government agencies. Unfortunately, this technique is invariably successful, so regular security awareness training is necessary to reduce the risk of such infections. In addition, these attacks use new malware that can remain hidden from antivirus solutions. To detect such attacks, you can use the APT Framework analytical package from Use Case Cloud, which leverages existing security technologies together with behavioral analysis and statistical profiling.