# Targeted Attacks In The Middle East

Wednesday, February 7, 2018

This blog post is authored by Paul Rascagneres with assistance of Martin Lee.

### EXECUTIVE SUMMARY

Talos has identified a targeted attack affecting the Middle East. This campaign contains the following elements, which are described in detail in this article.

- The use of allegedly confidential decoy documents purported to be written by the Jordanian publishing and research house, Dar El-Jaleel. This institute is known for its research on the Palestinian-Israeli conflict and the Sunni-Shia conflict within Iran.
- The attacker extensively used scripting languages (VBScript, PowerShell, VBA) as part of their attack. These scripts are used to dynamically load and execute VBScript functions retrieved from a Command & Control server.
- The attacker demonstrates excellent operational security (OPSEC). The attacker was particularly careful to camouflage their infrastructure. During our investigation, the attacker deployed several reconnaissance scripts in order to check the validity of the victim machine, blocking systems that don't meet their criteria. The attacker uses the reputable CloudFlare service to hide the nature and location of their infrastructure. Additionally, the attacker filters connections based on their User-Agent strings, and only enables their infrastructure for short periods of time before blocking all connections.

This is not the first targeted campaign against the region using Dar El-Jaleel decoy documents that we have investigated. However, we have no indication that the previous campaigns are related.

### VBS CAMPAIGN

### Stage 1: VBScript

The campaign starts with a VBScript whose Arabic filename translates to "From inside Iran's secret war in Syria.vbs".
Here are the script contents:

[screenshot of the VBScript]

The purpose of this script is to create the second stage PowerShell script described in the next section.

### Stage 2: PowerShell Script

The goal of the generated PowerShell script is to create a Microsoft Office document named Report.doc and to open it.

### Stage 3: Office Document With Macros

Here is a screenshot of the Office document:

[screenshot of the decoy document]

The document is attributed to Dar El-Jaleel, whose research covers the Palestinian-Israeli conflict and the Sunni-Shia conflict in Iran. Tagged as confidential, the document is an analysis report on Iranian activities within the Syrian civil war.

This document contains a Macro:

[screenshot of the VBA macro]

The purpose of this Macro is to create a WSF (Windows Script File) file and to execute it.
### Stage 4: WSF Script

The created WSF script is the main part of the infection:

![WSF script](https://3.bp.blogspot.com/-W1U2mwenCgQ/Wnl_vX4m3GI/AAAAAAAAASY/4wCgN6V2INM3gamVFJ4sdkUkWE_O95GTwCLcBGAs/s1600/image1.png)

The top of the script contains configuration information:

- the hostname of the Command & Control - office-update[.]services,
- the port - 2095,
- the User-Agent - iq.46-377312201708161011591678891211899134718141815539111937189811

The User-Agent is used to identify the targets. The CC filters network connections based on this string, only allowing through connections made with authorised User-Agent strings.
The first task of the script is to register the infected system by performing an HTTP request to http://office-update[.]services:2095/store. Next, the script executes an infinite loop, attempting to contact the /search URI every 5 seconds in order to download and execute additional payloads.

### Additional Payloads

The WSF script receives payloads of three types, named s0, s1 and s2. The payloads are VBScript functions loaded and executed on the fly with the ExecuteGlobal() and GetRef() APIs. The only difference between s0, s1 and s2 type payloads is the number of arguments supplied to the executing function: s0 does not require any arguments, s1 accepts one argument, and s2 two arguments.

The downloaded payload functions are obfuscated; here is an example of the raw data:

[screenshot of a raw payload]

The first element is the function type (s0), followed by the separator '-|-'. The second element is the obfuscated function; this consists of ASCII values, separated by '*'. For example, the above data
decodes as:

    45: -   54: 6   53: 5   43: +   49: 1   52: 4   56: 8   42: *
    53: 5   51: 3   53: 5   45: -   52: 4   49: 1   56: 8   42: *

Hence, the decoded data is "-65+148*535-418*". Then follows a second step, again using '*' as a separator. Each mathematical operation is resolved to obtain a new ASCII value:

    -65+148 = 83  -> "S"
    535-418 = 117 -> "u"

This technique is used to construct a new VBScript function. During our investigation we received 5 different functions.

### RECONNAISSANCE FUNCTIONS

During our investigation we received a reconnaissance function a few minutes after the initial compromise. The purpose of the function was to retrieve several pieces of information from the infected system, presumably in order to check if the target is valuable or not (or a sandbox system).
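The two-stage decoding described above, as an added Python example (written for this page, not code from the post or from the malware): stage one turns the '*'-separated ASCII codes back into a string of arithmetic expressions, stage two evaluates each expression without eval() to recover the VBScript function and reports how many arguments the s0/s1/s2 type expects. The encode_payload helper and the CONSTRUCTED_VBS function are constructed for the example; the attacker's arithmetic varies from expression to expression (the post shows both -65+148 and 535-418), so the encoder's fixed offset is an assumption used only to build test data.

```python
import re

# Stage-2 expressions look like "-65+148" or "535-418": a signed integer
# followed by a signed integer. Evaluated with int() rather than eval().
_EXPR = re.compile(r"^(-?\d+)([+-]\d+)$")
FUNCTION_TYPES = {"s0": 0, "s1": 1, "s2": 2}   # type -> number of arguments

def parse_payload(raw):
    """Stage 1: split '<type>-|-<codes>' and turn the '*'-separated ASCII
    codes back into the intermediate string of arithmetic expressions."""
    ftype, sep, body = raw.partition("-|-")
    if not sep or ftype not in FUNCTION_TYPES:
        raise ValueError("not an s0/s1/s2 payload")
    intermediate = "".join(chr(int(tok)) for tok in body.split("*") if tok)
    return ftype, intermediate

def resolve(intermediate):
    """Stage 2: evaluate each '*'-separated expression to one character."""
    chars = []
    for expr in intermediate.split("*"):
        if not expr:
            continue            # the trailing '*' leaves an empty field
        m = _EXPR.match(expr)
        if not m:
            raise ValueError(f"unexpected expression {expr!r}")
        code = int(m.group(1)) + int(m.group(2))
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"expression {expr!r} is out of range")
        chars.append(chr(code))
    return "".join(chars)

def decode_payload(raw):
    """Return (function type, expected argument count, recovered VBScript)."""
    ftype, intermediate = parse_payload(raw)
    return ftype, FUNCTION_TYPES[ftype], resolve(intermediate)

def encode_payload(ftype, text, offset=148):
    """Build a payload in the same two-layer format. This constructed variant
    always emits '<code-offset>+<offset>*', which reproduces the post's
    '-65+148' for 'S'; the real obfuscator varies its arithmetic."""
    intermediate = "".join(f"{ord(ch) - offset}+{offset}*" for ch in text)
    return f"{ftype}-|-" + "*".join(str(ord(ch)) for ch in intermediate)

# The exact example from the post: stage 1 yields "-65+148*535-418*",
# stage 2 yields "Su".
POST_SAMPLE = "s0-|-" + "*".join(str(ord(ch)) for ch in "-65+148*535-418*")

# A longer constructed sample (not a real capture) showing a whole function
# round-tripping through the format as an s1 payload.
CONSTRUCTED_VBS = "Function Su(a)\r\n    Su = Len(a)\r\nEnd Function"
CONSTRUCTED_SAMPLE = encode_payload("s1", CONSTRUCTED_VBS)

if __name__ == "__main__":
    for sample in (POST_SAMPLE, CONSTRUCTED_SAMPLE):
        ftype, nargs, code = decode_payload(sample)
        print(f"{ftype} ({nargs} argument(s)):\n{code}\n")
```

The type tag matters operationally: the WSF loader binds the recovered function with GetRef() and calls it with zero, one or two arguments, so a decoder that drops the tag loses the information needed to know what the C2 was passing in.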
First, the attacker retrieves the disk volume serial number:

[screenshot]

Secondly, the payload retrieves any installed anti-virus software:

[screenshot]

Thirdly, it obtains the Internet IP address of the infected system by querying ipify.org (the code includes a hint that the attacker previously used wtfismyip.com):

[screenshot]

Finally, it retrieves the computer name, the username, the Operating System and the architecture:

[screenshot]

All these data are sent to the previously mentioned CC using the /is-return URI. The data are stored in the User-Agent, separated by "-|-".
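The registration, polling and exfiltration traffic described above, as an added detection example (Python, written for this page, not code from the post): it runs over a constructed proxy log, flags requests to the C2 URIs, recognises the tag-plus-60-digit victim identifier in the User-Agent, splits the '-|-' separated reconnaissance fields out of /is-return requests, and looks for clients polling /search at the 5-second cadence. The log lines, the tag grammar in UA_ID_RE and the field values in the /is-return User-Agent are my assumptions, not captured data.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators from the post: C2 host and port, and the three URIs the WSF
# script uses (/store to register, /search polled every 5 seconds for
# payloads, /is-return to report reconnaissance results).
C2_HOST = "office-update.services"
C2_PORT = 2095
C2_PATHS = {"/store", "/search", "/is-return"}

# The victim identifier is carried in the User-Agent: a short tag, a hyphen
# and a 60-digit number, e.g. "iq.46-3773...". Treating the tag as any
# 2-16 non-space characters is my own generalisation of the examples.
UA_ID_RE = re.compile(r"^(?P<tag>\S{2,16})-(?P<id>\d{60})$")
EXFIL_SEP = "-|-"   # field separator used inside the /is-return User-Agent

# Constructed proxy log (not a real capture): timestamp, client, method,
# URL, status, User-Agent, tab-separated. The /is-return line carries
# made-up reconnaissance values in the order the post describes.
UA = "iq.46-377312201708161011591678891211899134718141815539111937189811"
C2 = f"http://{C2_HOST}:{C2_PORT}"
SAMPLE_LOG = "\n".join([
    f"2018-02-07T08:00:00Z\t10.1.2.3\tGET\t{C2}/store\t200\t{UA}",
    f"2018-02-07T08:00:05Z\t10.1.2.3\tGET\t{C2}/search\t200\t{UA}",
    f"2018-02-07T08:00:10Z\t10.1.2.3\tGET\t{C2}/search\t200\t{UA}",
    f"2018-02-07T08:00:15Z\t10.1.2.3\tGET\t{C2}/search\t200\t{UA}",
    f"2018-02-07T08:00:20Z\t10.1.2.3\tGET\t{C2}/search\t200\t{UA}",
    f"2018-02-07T08:00:23Z\t10.1.2.3\tGET\t{C2}/is-return\t200\t"
    "1A2B3C4D-|-Windows Defender-|-198.51.100.7-|-WS01-|-alice-|-Windows 7-|-64-bit",
    "2018-02-07T08:01:00Z\t10.1.2.9\tGET\thttp://www.example.com/\t200\tMozilla/5.0",
])

def parse_line(line):
    ts, client, method, url, status, ua = line.split("\t", 5)
    u = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "host": u.hostname, "port": u.port or 80, "path": u.path, "ua": ua}

def classify(rec):
    """Names of the indicators that fire on one record (empty if none)."""
    hits = []
    if rec["host"] == C2_HOST and rec["port"] == C2_PORT and rec["path"] in C2_PATHS:
        hits.append("c2_uri:" + rec["path"])
    if UA_ID_RE.match(rec["ua"]):
        hits.append("victim_id_ua")
    if rec["path"] == "/is-return" and EXFIL_SEP in rec["ua"]:
        hits.append("exfil_ua")
    return hits

def beacon_clients(records, path="/search", period=5.0, tolerance=1.0, min_hits=4):
    """Clients polling `path` on the C2 at a steady interval of ~`period` s.
    Returns {client: median gap in seconds}."""
    stamps = defaultdict(list)
    for r in records:
        if r["host"] == C2_HOST and r["path"] == path:
            stamps[r["client"]].append(r["ts"])
    found = {}
    for client, ts in stamps.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        if abs(median - period) <= tolerance:
            found[client] = median
    return found

def analyse(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = [(r["client"], r["path"], hit) for r in records for hit in classify(r)]
    exfil = [r["ua"].split(EXFIL_SEP) for r in records if "exfil_ua" in classify(r)]
    return {"alerts": alerts, "beacons": beacon_clients(records), "exfil": exfil}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("alert", *alert)
    print("beaconing clients:", result["beacons"])
    print("exfiltrated fields:", result["exfil"])
```

The cadence and User-Agent-shape checks are the parts worth keeping: the host, port and URIs are trivially rotated, and the post notes that the actor blacklists analyst IPs and User-Agents, so alerting on the literal strings alone will not survive the next campaign.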
Subsequently, we received a second reconnaissance function:

[screenshot]

The function acts to list the drives of the infected system and their type (internal drive, USB drive etc.).

### PERSISTENCE FUNCTIONS

In addition to the reconnaissance functions we received 2 functions linked to the persistence of the WSF script. The first script is used to persist, the second is used to clean the infected system.
Our machine was served this after taking too much time to send a request to the C2. Presumably the attacker determined we were examining their systems and decided to remove the malware to prevent further analysis:

![cleanup function](https://3.bp.blogspot.com/-_hwBYcjCzEg/WnmAtLolilI/AAAAAAAAATA/azNf4NC0w20t2lYaRasJr-RiTOKUUFAlQCLcBGAs/s1600/image2.png)

### PIVOT FUNCTION

Finally, we received a pivot function [...]. Here is the argument:

[screenshot]

The purpose is to execute a PowerShell script:

[screenshot]

The PowerShell script executes a second base64 encoded script.
The attacker forces the the](http://blog.talosintelligence.com/) [system to use the 32 bit version of Powershell even if the operating system architecture is 64](http://www.talosintelligence.com/first) FIRST bits. LockyDump Finally we obtain the last PowerShell script: FreeSentry Flokibot Tools [Synful Knock Scanner](https://3.bp.blogspot.com/-6xSv1aQ44f4/WnmBSTC3G5I/AAAAAAAAATc/W59CWiFqPz8_CgXVVv98TD9fyXweivjBQCLcBGAs/s1600/image7.png) Cisco Smart Install Scanner ROPMEMU The purpose of this script is to download shellcode from 176[.]107[.]185[.]246 IP, to map it in BASS [memory and to execute it. The attacker takes many precautions before delivering the shellcode,](http://www.talosintelligence.com/bass) |Software|he eco Po| |---|---| |VHuelnreer iasb tilhitey aInrgfourmmeantito: n|| |Reputation Center|| |Library The purpose is to execute a powers|| |Support Communities|| |About|| |Careers|| |BTlohge PowerShell script executes a s system to use the 32 bit version of|| Flokibot Tools [Synful Knock Scanner](https://3.bp.blogspot.com/-6xSv1aQ44f4/WnmBSTC3G5I/AAAAAAAAATc/W59CWiFqPz8_CgXVVv98TD9fyXweivjBQCLcBGAs/s1600/image7.png) Cisco Smart Install Scanner these will be explained in the next chapter. Unfortunately during our investigation we weren't PyREBox served the anticipated shellcode. File2pcap ### Attackers OPSEC Decept Mutiny Fuzzer [The attacker behind this campaign put a lot of effort into protecting its infrastructure and to avoid](http://www.talosintelligence.com/mutiny_fuzzer) leaking code to analysts. The �rst Command & Control server is protected by CloudFlare. This choice complicates the analysis and tracking of the campaign. Additionally, the attacker �lters on the User-Agent; if your web requests do not �t a speci�c pattern, your request will be ignored. During our analysis the attacker was only active during the morning (Central European ----- �rewall for a few minutes to allow this unique IP to download the shellcode. 
Afterwards, the server becomes unreachable. Here is a schema of this workflow:

[workflow diagram]

Additionally, we saw that the attackers blacklisted some of our specific User-Agent strings and IP addresses used during our investigation:

[screenshot]

This high level of OPSEC is exceptional even among presumed state sponsored threat actors...

### Links with Jenxcus (a.k.a. Houdini/H-Worm)?

If you are familiar with Jenxcus (a.k.a.
Houdini/H-Worm) you should see some similarities between the VBScript used during this campaign and this well-known malware: usage of the user-agent to exfiltrate data, reconnaissance techniques etc.

We cannot tell if the attacker used a new version of Jenxcus or if this malware served as the inspiration for their own malicious code. The source code of Jenxcus can be easily found on the Internet. However, the adaptation used in this campaign is more advanced: the features/functions are loaded on demand and the initial script does not include all the malicious [...]

### Additional Targets

We can identify different targets based on the User-Agent used by the attacker to identify victims. These are a few examples:

    c = "U.15.7"
    a = "738142201756240710471556115716122461214187935862381799187598"
    c = "1X.134"
    a = "130427201706151111209123451288122413771234715862388136654339"
    c = "Fb-20.9"
    a = "585010201750201110021112344661899112271619123139116684543113"

### OTHER CAMPAIGNS USING DAR EL-JALEEL DECOY DOCUMENTS

This is not the first time Talos has investigated targeted campaigns using Dar El-Jaleel decoy documents. During 2017, we identified several campaigns using the same decoy documents:

[screenshot of the decoy document]
This document is a weekly report about the major events occurring during the 1st week of November 2017, covering the most important events happening in Jordan, Iraq, Syria, Lebanon, Palestine, Israel, Russia, ISIS and the ongoing Gulf Countries conflict with Qatar.

We encountered this document in campaigns using .NET malware (with the CC: foxlove[.]life) and C++ malware (with the CC: download[.]share2file[.]pro). The purpose of the malware was to retrieve information relating to the targeted systems and to download an additional payload.

Moreover, we identified another campaign using a share2file[.]pro subdomain. Here is the decoy document in this campaign:

[screenshot of the decoy document]

[...]
We don't know if these campaigns are performed by the same actor or by different groups interested in this region. These campaigns are still under investigation.

### CONCLUSION

These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region. The attackers used an analysis report alleged to be written by Dar El-Jaleel, a Jordanian institute specialising in studies of the region. Some of these documents are tagged as confidential.

During the VBS Campaign, we were surprised by the level of OPSEC demonstrated by the attacker and their infrastructure.
Legitimate services such as CloudFlare were used to hide malicious activities. Additionally, the attacker used user-agent filtering and firewall rules in order to grant access to specific infected systems for only a few minutes in order to deliver shellcode. Following this, the server became unreachable. Another notable observation is the fact that the attacker was active only during the morning (Central European timezone) during our investigation.

The usage of scripting languages is an interesting approach from the attackers' point of view. These languages are natively available on Windows systems, provide a high degree of flexibility, and can easily stay under the radar.

### COVERAGE

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
[CWS or WSA web scanning](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) prevents access to malicious websites and detects malware used in these attacks.

[Email Security](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as [NGFW](https://www.cisco.com/c/en/us/products/security/firewalls/index.html), NGIPS, and Meraki MX can detect malicious activity associated with this threat.

[AMP Threat Grid](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) helps identify malicious binaries and build protection into all Cisco Security products.

[Umbrella](https://umbrella.cisco.com/), our secure internet gateway (SIG), blocks users from connecting to malicious domains [...]

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest [rule pack available for purchase on Snort.org](https://www.snort.org/products).

### IOCs

VBS Campaign:

- Initial script: 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
- Domain #1: office-update[.]services
- IP #2: 176[.]107[.]185[.]246

.NET Campaign:

- Initial dropper: 4b03bea6817f0d5060a1beb8f6ec2297dc4358199d4d203ba18ddfcca9520b48
- .NET #1: d49e9fdfdce1e93615c406ae13ac5f6f68fb7e321ed4f275f328ac8146dd0fc1
- .NET #2: e66af059f37bdd35056d1bb6a1ba3695fc5ce333dc96b5a7d7cc9167e32571c5
- Domain #1: jo[.]foxlove[.]life
- Domain #2: eg[.]foxlove[.]life
- Domain #3: fox[.]foxlove[.]life

Campaign #3:

- Initial Dropper: af7a4f04435f9b6ba3d8905e4e67cfa19ec5c3c32e9d35937ec0546cce2dd1ff
- Payload: 76a9b603f1f901020f65358f1cbf94c1a427d9019f004a99aa8bff1dea01a881
- Domain: download[.]share2file[.]pro

Campaign #4:

- Initial Dropper: 88e4f306f126ce4f2cd7941cb5d8fcd41bf7d6a54cf01b4a6a4057ed4810d2b6
- Payload #1: c5bfb5118a999d21e9f445ad6ccb08eb71bc7bd4de9e88a41be9cf732156c525
- Payload #2: 1176642841762b3bc1f401a5987dc55ae4b007367e98740188468642ffbd474e
- Domain: update[.]share2file[.]pro

Posted by [Paul Rascagneres](https://www.blogger.com/profile/10073079939160046441) at [12:48 AM](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html)

Labels: [APT](http://blog.talosintelligence.com/search/label/APT), [Malware](http://blog.talosintelligence.com/search/label/Malware), [Malware Analysis](http://blog.talosintelligence.com/search/label/Malware%20Analysis), [Middle East](http://blog.talosintelligence.com/search/label/Middle%20East), [OPSEC](http://blog.talosintelligence.com/search/label/opsec), [VBScript](http://blog.talosintelligence.com/search/label/VBScript)
LWA R E,](http://blog.talosintelligence.com/search/label/Malware) [M A LWA R E A N A LY S I S,](http://blog.talosintelligence.com/search/label/Malware%20Analysis) [M I D D L E E A S T,](http://blog.talosintelligence.com/search/label/Middle%20East) [O P S E C,](http://blog.talosintelligence.com/search/label/opsec) [V B S C R I P T](http://blog.talosintelligence.com/search/label/VBScript) ROPMEMU S H A R E T H I S P O S T BASS PyREBox NO COMMENTS: POST A COMMENT File2pcap Decept Mutiny Fuzzer Enter your comment... ----- **Comment as:** Select profile... |So|ftwaPPruuebblliisshh PPrreevviieeww|Col3| |---|---|---| |Vulnerability Information||| |Reputation Center||| |||CMACMlliaacmmPro AATsVVho rfCet aoAtmd Nvmiasmuonriinietgys Conventions RIPPra oBzjoelarccbtk aAlcissktp iDsownload H O M E O L D E R P O S T (ATDAS OWpa aMeBmm)OCo Enoxlpoegrcgiesres Mo¢ow PE-Sig| |Library S U B S C R I B E T O : P O S T C O M M E N T S||| |SuSpeaprocrht BCloogmmunities||| |About SUBSCRIBE TO OUR FEED||| |||Immunet Teslacrypt Decryption Tool MBR Filter| |Careers Posts||| |Blog Comments||| **BLOG ARCHIVE** [▼ 2 0 1 8](javascript:void(0)) (21) [▼ F E B R U A R Y](javascript:void(0)) (3) [Targeted Attacks In The Middle East](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html) FIRST LockyDump FreeSentry Flokibot Tools Synful Knock Scanner [Beers with Talos EP 22: Forget the ASA, Rob Joyce ...Cisco Smart Install Scanner](http://blog.talosintelligence.com/2018/02/beers-with-talos-ep-22-forget-asa-rob.html) [Flash 0-Day In The Wild: Group 123 At The Controls...](http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html) ROPMEMU [► J A N U A R Y](javascript:void(0)) (18) [► 2 0 1 7](javascript:void(0)) (172) [► 2 0 1 6](javascript:void(0)) (98) [► 2 0 1 5](javascript:void(0)) (62) [► 2 0 1 4](javascript:void(0)) (67) [► 2 0 1 3](javascript:void(0)) (30) [► 2 0 1 2](javascript:void(0)) (53) [► 2 0 1 1](javascript:void(0)) (23) [► 2 0 1 0](javascript:void(0)) 
© 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.