The researchers Paul Rascagneres with help of Martin Lee, from CISCO TALOS, described a campaign of targeted attacks against the middle east with key elements present: Geopolitical interest at stake, once documents pertaining Research House Dar EL-Jaleel, that research on Israeli-Palestinian conflict and Sunni-Shia conflict with Iran, are being used.
Second, the extensive use of scripting languages (VBScript, PowerShell, VBA) as part of the attack vector, once they are used to be dynamically loaded and execute VBScript functions stored in a Command & Control server.
Third, the attacker had deployed a series of sophisticated countermeasures to hide his identification using Operation Security (OPSEC), utilization of reconnaissance scripts to validate the victim machine according to his criteria, utilization of CloudFlare system to hide the IP and infrastructure and finally using filters on connections based on User-Agent strings to use the infrastructure for short periods of time before vanishing going offline.
Regarding the analysis in the report, the script campaign is divided into a series of steps to further advance the widespread of the infection. The VBS campaign is composed of 4 steps with additional payloads and 3 distinct functions that are: Reconnaissance, Persistence, and Pivoting.
According to the report the first stage starts with a VBScript named من داخل حرب ايران السرية في سوريا.vbs (“From inside Iran’s secret war in Syria.vbs”) that is aimed to create in the second stage a PowerShell script that will generate a Microsoft Office document named Report.doc and to open it. On the third stage, the opened document contains a macro that creates a WSF (Windows Script File) file to be executed. On the fourth stage the script contains configuration information such as: The hostname of the command and control server, the port used 2095 and the User-Agent.
As the report notice, the User-Agent strings are being used to the identification of targets, while the command and control server filter these strings to only allow connections based in these criteria. The script tries to register the infected system with an HTTP request, which in turn executes an infinite loop to further download and use other payloads. The researchers discovered three types of additional payloads that are the following: s0, s1, and s2. These payloads for WSF scripts are VBScript functions that are loaded and executed in ExecuteGlobal() and GetRef() APIs. The difference between the payloads resides on the number of arguments supplied to execute the function.
The researchers found out a reconnaissance function in the earlier steps of the campaign that was intended to acquire information on the targeted system, verify if it contained significant information or if it was a sandbox machine. The hackers layered out a methodology composed of these steps: first acquiring the serial number of disk volume, and then using a payload to acquire information on any anti-virus software present on the system. Next, by querying ipify.org the hackers tried to obtain the IP address of the infected machines to further obtain the computer name, username, operating system and architecture.
A second function is used to list the drives on the system and its type.
Finally, the researchers cover the remaining two functions: Persistence and Pivoting. Persistence functions were used alongside the reconnaissance functions linked to the WSF script. While the first script was used to persist, the second was used to clean the infected system to cover its tracks. Regarding the Pivoting function, it receives an argument where the PowerShell script executes a second base64 encoded script intended to download shellcode from 18.104.22.168 to be mapped in the memory and then executed.
As the researchers noticed, the hackers behind the campaign had been very careful to protect their infrastructure and their code against the leak. The command and control server was protected by CloudFlare to avoid tracking and difficult the analysis. Furthermore, by using filters on the User-Agents the hackers selected requests that only meet their criteria.
The Threat Actor was only seen active during the morning, on the Central European Time zone, to unleash their attacks and payloads. Once infected the operating system receives the pivot function to disable the firewall and allow the unique IP to receive the shellcode. Next, the server becomes unreachable. The researchers point out: “This high level of OPSEC is exceptional even among presumed state-sponsored threat actors”.
The researchers also noticed some similarities with Jenxcus (Houdini/H-Worn), but it was not clear if it is a new version or an adaption. They for sure agree that it is far more advanced in the resources it presents. The researchers state:
“This document is a weekly report about the major events occurring during the 1st week of November 2017, talking about the most important events happening in Jordan, Iraq, Syria, Lebanon, Palestine, Israel, Russia, ISIS and the ongoing Gulf Countries conflict with Qatar. These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region”.
About the author Luis Nakamoto
Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.
(Security Affairs – Middle East, hacking)