Security experts at MalwareBytes have spotted a new spear phishing campaign that is targeting Saudi Arabia governmental organizations.
According to the experts, the campaign already targeted about a dozen Saudi agencies. Attackers used weaponized Word document and tricked victims into opening them and enabling macros.
The document is in Arabic language, if the victim opens it up, it will be infected and the phishing document is sent to their contact via Outlook inbox.
The malicious payload is embedded in the macro as Base64 code and leverages the certutil application for decoding into a PE file that is finally executed.
The binary dropped on the infected machine is coded in .NET and its code is encrypted but not obfuscated. The malware was designed to steal information from the victims and upload it to a remote server.
“Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs” reads the analysis published by MalwareBytes.
The malicious code gains persistence via the Task Scheduler.
MalwareBytes is still monitoring the campaign and plans to provide further information in the future.
I suggest reading the analysis that also includes the IoCs.
(Security Affairs – Saudi Arabia Government, spear phishing)