{
	"id": "77c37736-72b2-4fc4-afc0-d3145c381347",
	"created_at": "2026-04-06T00:11:01.028193Z",
	"updated_at": "2026-04-10T03:21:17.936302Z",
	"deleted_at": null,
	"sha1_hash": "838ed018302335611ceaed658d35e631c467048b",
	"title": "New targeted attack against Saudi Arabia Government | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 676506,
	"plain_text": "New targeted attack against Saudi Arabia Government | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-03-22 · Archived: 2026-04-05 18:21:51 UTC\r\nA new spear phishing campaign is targeting Saudi Arabian governmental organizations. The attack originates from a phishing email containing a Word document written in Arabic. If the victim opens it, it will not only infect their system but also send the same phishing document to other contacts via their Outlook inbox.\r\nWe know that at least about a dozen Saudi agencies were targeted. This email-borne attack leverages social engineering to trick users into executing code via a macro. The malicious Word documents used by the threat actors show that they spent time making them look legitimate, adding references to and names of high-ranking officials, probably so the lure would seem more credible.\r\nThe actual payload from this attack is an information stealer which we detect as Trojan.Neuron. It has instructions to collect files of interest from the victims’ machines and securely exfiltrate the data to a remote server.\r\nAttack summary:\r\nThe victim opens a Word document and enables the macro, triggering the decoding of an embedded Base64-encoded cert (Signature.crt).\r\nThe decoded blob is executed as Sign.exe (a file written in .NET v4); it is a dropper for the ‘Neuron Client’.\r\nThe neuro-client.exe file is executed from the %ProgramData% folder and generates a Keepalive packet to one of two HTTPS servers (mail.spa.gov.sa, webmail.ecra).\r\nThe key used to encrypt communications and files is the Machine GUID.\r\nThe Keepalive packet is RC4 encrypted with this machine key, and the machine key itself is transmitted using RSA 1024 to securely send and store it.\r\nAll transmissions between the server and the client are RC4 encrypted. The client can download additional files/plugins from the C2 server and execute them.\r\nhttps://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/\r\nPage 1 of 10\r\nUpdate (03/27/2107):\r\nWe have received a new malicious Word document dropping the same payload (see bottom of post for IOCs). Malwarebytes users remained protected without the need for any signatures.\r\nTechnical analysis\r\nWord Document overview:\r\n[Figure: sandbox indicators for the Word document: Macro might run executable; Contains obfuscated macro code; Loads DLL into its own memory; Runs dropped ...]\r\nA quick analysis with oletools (olevba) shows us the sections within the macro from the well-crafted Word document:\r\nThe payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file, which is then executed:\r\nDropped Binary overview:\r\n[Figure: sandbox indicators for the dropped binary: Searches inside certificate store database; Loads DLL into its own memory; Gathers system main data (Ma ...]\r\nLet’s take a look at the dropped binary itself. It is coded in .NET and not obfuscated. Here’s the encrypted payload:\r\nDecrypting it, we can see the main payload (neuro-client.exe, renamed to Firefox-x86-ui.exe here) and two helper DLLs:\r\nIt sets persistence for auto-relaunch via the Task Scheduler:\r\nThe purpose of this piece of malware appears to be stealing information and uploading it to a remote server:\r\nSummary\r\nWhile the malware itself does not appear to be overly sophisticated, this particular campaign was very well targeted at various offices of the Saudi Arabian government. Sometimes the best way to breach an organization’s security is to use a very common entry point that abuses the human via social engineering, rather than some fancy zero-day. It’s a lot cheaper and can also make attribution to a particular state actor more difficult because macros, for instance, are used by a wide variety of criminals.\r\nThere have been renewed attacks in recent months against Saudi Arabia, and in particular against high-value targets. This specific sample did not appear to share properties with the destructive Shamoon malware, but the perpetrators in this case could very well have wiped the machines once the data was collected. Indeed, pushing ransomware or damaging systems can be used to make forensic analysis harder and hide valuable clues.\r\nProtection\r\nAccording to reports from sources, Malwarebytes Anti-Exploit blocked the targeted attack proactively without the use of signature updates, thanks to its Application Behavior protection layer, for all consumer and corporate users of Malwarebytes. Malwarebytes Anti-Malware also detects and remediates the threat completely.\r\nIOCs:\r\nWord dropper:\r\nMD5: 3cd5fa46507657f723719b7809d2d1f9 0e430b6b203099f9c305681e1dcff375 SHA256: a6dbc36c472b3ba70a98\r\nBinary payload:\r\nMD5: 4ed42233962a89deaa89fd7b989db081 SHA256: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1\r\nPayload names:\r\nC:\\ProgramData\\*-x86-ui.exe with * being one of these:\r\nfirefox|chrome|opera|abby|mozilla|google|hewlet|epson|xerox|ricoh|adobe|corel|java|nvidia|realtek|ora\r\nNetwork communications:\r\nmail.spa.gov.sa/ews/exchange/exchange.asmx webmail.ecra.gov.sa/ews/exchange/exchange.asmx\r\n62.149.118.67 85.194.112.9 93.184.220.29\r\nSource: https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
	],
	"report_names": [
		"new-targeted-attack-saudi-arabia-government"
	],
	"threat_actors": [],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/838ed018302335611ceaed658d35e631c467048b.pdf",
		"text": "https://archive.orkl.eu/838ed018302335611ceaed658d35e631c467048b.txt",
		"img": "https://archive.orkl.eu/838ed018302335611ceaed658d35e631c467048b.jpg"
	}
}