{
	"id": "fa004314-e8b3-446a-b6e6-e8ee01ef37cd",
	"created_at": "2026-04-06T02:12:15.460848Z",
	"updated_at": "2026-04-10T03:33:07.475411Z",
	"deleted_at": null,
	"sha1_hash": "a9d67f42b300a90d3406713b4ffc31fcfd4787c5",
	"title": "Targeted Attacks against Banks in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053772,
	"plain_text": "Targeted Attacks against Banks in the Middle East\r\nBy Sudeep Singh, Yin Hong Chang | Targeted Attack\r\nPublished: 2016-05-22 · Archived: 2026-04-06 02:05:40 UTC\r\nUPDATE (Dec. 8, 2017): We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat\r\ngroup that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting\r\nof a government organization in the Middle East.\r\nIntroduction\r\nIn the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being\r\nsent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance\r\nagainst would-be targets, and the attacks caught our attention since they were using unique scripts not commonly\r\nseen in crimeware campaigns.\r\nIn this blog we discuss in detail the tools, tactics, techniques and procedures (TTPs) used in these targeted attacks.\r\nDelivery Method\r\nThe attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking\r\nsector in the Middle East. The themes of the messages used in the attacks are related to IT Infrastructure such as a\r\nlog of Server Status Report or a list of Cisco Iron Port Appliance details. In one case, the content of the email\r\nappeared to be a legitimate email conversation between several employees, even containing contact details of\r\nemployees from several banks. This email was then forwarded to several people, with the malicious Excel file\r\nattached.\r\nMacro Details\r\nThe macro first calls an Init() function (shown in Figure 1) that performs the following malicious activities:\r\n1. Extracts base64-encoded content from the cells within a worksheet titled \"Incompatible\".\r\n2. Checks for the presence of a file at the path %PUBLIC%\\Libraries\\update.vbs. 
If the file is not present, the\r\nmacro creates three different directories under %PUBLIC%\\Libraries, namely up, dn, and tp.\r\n3. The extracted content from step one is decoded using PowerShell and dropped into two different files:\r\n%PUBLIC%\\Libraries\\update.vbs and %PUBLIC%\\Libraries\\dns.ps1\r\n4. The macro then creates a scheduled task with name: GoogleUpdateTaskMachineUI, which executes\r\nupdate.vbs every three minutes.\r\nNote: Due to the use of a hardcoded environment variable %PUBLIC% in the macro code, the macro will only\r\nrun successfully on Windows Vista and subsequent versions of the operating system.\r\nhttps://web.archive.org/web/20200618235708/https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\r\nPage 1 of 7\n\nFigure 1: Macro Init() subroutine\r\nRun-time Unhiding of Content\r\nOne of the interesting techniques we observed in this attack was the display of additional content after the macro\r\nexecuted successfully. This was done for the purpose of social engineering – specifically, to convince the victim\r\nthat enabling the macro did in fact result in the “unhiding” of additional spreadsheet data.\r\nOffice documents containing malicious macros are commonly used in crimeware campaigns. Because default\r\nOffice settings typically require user action in order for macros to run, attackers may convince victims to enable\r\nrisky macro code by telling them that the macro is required to view “protected content.”\r\nIn crimeware campaigns, we usually observe that no additional content is displayed after enabling the macros.\r\nHowever, in this case, attackers took the extra step to actually hide and unhide worksheets when the macro is\r\nenabled to allay any suspicion. 
A screenshot of the worksheet before and after running the macro is shown in\r\nFigure 2 and Figure 3, respectively.\r\nFigure 2: Before unhiding of content\r\nFigure 3: After unhiding of content\r\nIn the following code section, we can see that the subroutine ShowHideSheets() is called after the Init() subroutine\r\nexecutes completely:\r\nPrivate Sub Workbook_Open()\r\n    Call Init\r\n        Call ShowHideSheets\r\nEnd Sub\r\nThe code of subroutine ShowHideSheets(), which unhides the content after completion of malicious activities, is\r\nshown in Figure 4.\r\nFigure 4: Macro used to unhide content at runtime\r\nFirst Stage Download\r\nAfter the macro successfully creates the scheduled task, the dropped VBScript, update.vbs (Figure 5), will be\r\nlaunched every three minutes. This VBScript performs the following operations:\r\n1. Leverages PowerShell to download content from the URI hxxp://go0gIe[.]com/sysupdate.aspx?\r\nreq=xxx\\dwn\u0026m=d and saves it in the directory %PUBLIC%\\Libraries\\dn.\r\n2. Uses PowerShell to download a BAT file from the URI hxxp://go0gIe[.]com/sysupdate.aspx?\r\nreq=xxx\\bat\u0026m=d and saves it in the directory %PUBLIC%\\Libraries\\dn.\r\n3. Executes the BAT file and stores the results in a file in the path %PUBLIC%\\Libraries\\up.\r\n4. Uploads this file to the server by sending an HTTP POST request to the URI\r\nhxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\\upl\u0026m=u.\r\n5. Finally, it executes the PowerShell script dns.ps1, which is used for the purpose of data exfiltration using\r\nDNS.\r\nFigure 5: Content of update.vbs\r\nDuring our analysis, the VBScript downloaded a customized version of Mimikatz in the previously mentioned\r\nstep one. 
The customized version uses its own default prompt string as well as its own console title, as shown in\r\nFigure 6.\r\nFigure 6: Custom version of Mimikatz used to extract user password hashes\r\nSimilarly, the contents of the BAT file downloaded in step two are shown in Figure 7:\r\nwhoami \u0026 hostname \u0026 ipconfig /all \u0026 net user /domain 2\u003e\u00261 \u0026 net group /domain 2\u003e\u00261 \u0026 net group \"domain\r\nadmins\" /domain 2\u003e\u00261 \u0026 net group \"Exchange Trusted Subsystem\" /domain 2\u003e\u00261 \u0026 net accounts /domain 2\u003e\u00261\r\n\u0026 net user 2\u003e\u00261 \u0026 net localgroup administrators 2\u003e\u00261 \u0026 netstat -an 2\u003e\u00261 \u0026 tasklist 2\u003e\u00261 \u0026 sc query 2\u003e\u00261 \u0026\r\nsysteminfo 2\u003e\u00261 \u0026 reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\r\n2\u003e\u00261\r\nFigure 7: Content of downloaded BAT script\r\nThis BAT file is used to collect important information from the system, including the currently logged on user, the\r\nhostname, network configuration data, user and group accounts, local and domain administrator accounts, running\r\nprocesses, and other data.\r\nData Exfiltration over DNS\r\nAnother interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration\r\nchannel. This was likely done because DNS is required for normal network operations. The DNS protocol is\r\nunlikely to be blocked (allowing free communications out of the network) and its use is unlikely to raise suspicion\r\namong network defenders.\r\nThe script dns.ps1, dropped by the macro, is used for this purpose. In the following section, we describe its\r\nfunctionality in detail.\r\n1. The script requests an ID (through the DNS protocol) from go0gIe[.]com. 
This ID will then be saved into\r\nthe PowerShell script.\r\n2. Next, the script queries the C2 server for additional instructions. If no further actions are requested, the\r\nscript exits and will be activated again the next time update.vbs is called.\r\n3. If an action is required, the DNS server replies with an IP with the pattern 33.33.xx.yy. The script then\r\nproceeds to create a file at %PUBLIC%\\Libraries\\tp\\chr(xx)chr(yy).bat. The script then proceeds to make\r\nDNS requests to fetch more data. Each DNS request results in the C2 server returning an IP address. Each\r\noctet of the IP address is interpreted as the decimal representation of an ASCII character; for example, the\r\ndecimal number 99 is equivalent to the ASCII character ‘c’. The characters represented by the octets of the\r\nIP address are appended to the batch file to construct a script. The C2 server signals the end of the data\r\nstream by replying to a DNS query with the IP address 35.35.35.35.\r\n4. Once the file has been successfully transferred, the BAT file will be run and its output saved as\r\n%PUBLIC%\\Libraries\\tp\\chr(xx)chr(yy).txt.\r\n5. The text file containing the results of the BAT script will then be uploaded to the DNS server by\r\nembedding file data into part of the subdomain. The format of the DNS query used is shown in Table 1.\r\n6. The BAT file and the text file will then be deleted. 
The script then quits, to be invoked again upon running\r\nthe next scheduled task.\r\nThe DNS communication portion of the script is shown in Figure 8, along with a table showing the various\r\nsubdomain formats being generated by the script.\r\nFigure 8: Code Snippet of dns.ps1\r\nFormat of subdomains used in DNS C2 protocol:\r\nSubdomain used to request for BotID,\r\nused in step 2 above\r\n[00][botid]00000[base36 random number]30\r\nSubdomain used while performing\r\nfile transfers used in step 3 above\r\n[00][botid]00000[base36 random number]232A[hex_filename][i-counter]\r\nSubdomain used while performing\r\nfile upload, used in step 5 above\r\n[00][botid][cmdid][partid][base36 random number][48-hex-char-of-file-content]\r\nTable 1: C2 Protocol Format\r\nConclusion\r\nAlthough this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how\r\nattackers used different components to perform reconnaissance activities on a specific target.\r\nThis attack also demonstrates that macro malware is effective even today. Users can protect themselves from such\r\nattacks by disabling Office macros in their settings and also by being more vigilant when enabling macros\r\n(especially when prompted) in documents, even if such documents are from seemingly trusted sources.\r\nSource: https://web.archive.org/web/20200618235708/https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200618235708/https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html"
	],
	"report_names": [
		"targeted_attacksaga.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441535,
	"ts_updated_at": 1775791987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9d67f42b300a90d3406713b4ffc31fcfd4787c5.pdf",
		"text": "https://archive.orkl.eu/a9d67f42b300a90d3406713b4ffc31fcfd4787c5.txt",
		"img": "https://archive.orkl.eu/a9d67f42b300a90d3406713b4ffc31fcfd4787c5.jpg"
	}
}