Security researchers at MalwareBytes have uncovered a spearphishing campaign that targeted Saudi Arabia Government organizations.
Security experts at MalwareBytes have spotted a new spear phishing campaign that is targeting Saudi Arabia governmental organizations.
According to the experts, the campaign already targeted about a dozen Saudi agencies. Attackers used weaponized Word document and tricked victims into opening them and enabling macros.
The document is in Arabic language, if the victim opens it up, it will be infected and the phishing document is sent to their contact via Outlook inbox.
The malicious payload is embedded in the macro as Base64 code and leverages the certutil application for decoding into a PE file that is finally executed.
The binary dropped on the infected machine is coded in .NET and its code is encrypted but not obfuscated. The malware was designed to steal information from the victims and upload it to a remote server.
“Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs” reads the analysis published by MalwareBytes.
The malicious code gains persistence via the Task Scheduler.
MalwareBytes is still monitoring the campaign and plans to provide further information in the future.
I suggest reading the analysis that also includes the IoCs.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.