**secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations**

**Threats & Defenses**

_Customized phishing lures distribute PupyRAT malware. Wednesday, February 15, 2017. By: Counter Threat Unit Research Team_

SecureWorks® Counter Threat Unit™ (CTU) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017. Some of the messages were sent from legitimate email addresses belonging to several Middle Eastern organizations.

### Campaign details

The threat actor used shortened URLs in the body of the phishing emails that redirected to several spoofed domains (see Table 1).

| Spoofed domain | Legitimate domain | Associated organization |
| --- | --- | --- |
| ntg-sa.com | ntg.com.sa | National Technology Group, a Saudi Arabian telecommunications company |
| itworx.com-ho.me | itworx.com | ITWorx, an Egyptian information technology services firm |
| mci.com-ho.me | mci.gov.sa | Saudi Ministry of Commerce |
| moh.com-ho.me | moh.gov.sa | Saudi Ministry of Health |
| mol.com-ho.me | mol.gov.sa | Saudi Ministry of Labor |

_Table 1. Spoofed domains hosted on 45.32.186.33. (Source: SecureWorks)_

Recipients who clicked the URL were presented with a Microsoft Office document related to the phishing theme (see Figures 1 and 2).

_Figure 1. Job offer lure (MD5: 43fad2d62bc23ffdc6d301571135222c). (Source: SecureWorks)_

_Figure 2. Ministry of Health lure (MD5: 1b5e33e5a244d2d67d7a09c4ccf16e56). (Source: SecureWorks)_

The downloaded document attempts to run a macro that then runs a PowerShell command. This command downloads two additional PowerShell scripts that install [PupyRAT](https://github.com/n1nj4sec/pupy), an open-source remote access trojan (RAT). According to the developer, PupyRAT is a "multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python." CTU™ analysis confirms that PupyRAT can give the threat actor full access to the victim's system.
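The two spoofing patterns visible in Table 1 (a legitimate first label such as `mci` reused under an unrelated registered domain, and a domain flattened with a hyphen such as `ntg.com.sa` becoming `ntg-sa.com`) can be turned into a proxy-log check. The following is an added example, not code from the CTU report; the log lines are constructed and the registrable-domain split is a deliberately naive stand-in for a public-suffix list.

```python
import re

# Legitimate domains impersonated in the campaign (Table 1); a defender would
# instead load the partner and government domains their own users visit.
LEGIT_DOMAINS = {"ntg.com.sa", "itworx.com", "mci.gov.sa", "moh.gov.sa", "mol.gov.sa"}

# Constructed sample proxy log (not from the report): timestamp client host status.
SAMPLE_LOG = """\
2017-01-09T08:12:01Z 10.1.4.22 moh.gov.sa 200
2017-01-09T08:12:44Z 10.1.4.22 mci.com-ho.me 302
2017-01-09T08:13:02Z 10.1.7.15 ntg-sa.com 200
2017-01-09T08:14:10Z 10.1.9.40 mail.google.com 200
2017-01-09T08:15:33Z 10.1.4.22 itworx.com-ho.me 200
"""

GENERIC = {"com", "net", "org", "gov", "edu", "co"}  # second-level labels under ccTLDs

def registered_domain(host):
    """Naive registrable-domain extraction: keep three labels for forms like x.gov.sa."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in GENERIC and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def tokens(name):
    """Split on dots and hyphens: ntg-sa.com -> {'ntg', 'sa', 'com'}."""
    return set(re.split(r"[.-]", name.lower()))

def classify_host(host, legit=LEGIT_DOMAINS):
    """Return (reason, impersonated_domain) for a lookalike host, else None."""
    reg = registered_domain(host)
    if reg in legit:          # the real domain or one of its own subdomains
        return None
    for good in legit:
        brand = good.split(".")[0]   # short brands (e.g. 'mol') need a curated list
        # Pattern 1: mci.com-ho.me reuses the 'mci' label under a foreign domain.
        if brand in host.lower().split("."):
            return ("brand label under foreign registered domain", good)
        # Pattern 2: ntg-sa.com flattens ntg.com.sa with a hyphen.
        if tokens(reg) == tokens(good) and reg != good:
            return ("hyphen-flattened lookalike", good)
    return None

def scan_log(text, legit=LEGIT_DOMAINS):
    """Return (client, host, reason, impersonated) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        _ts, client, host, _status = line.split()
        if verdict := classify_host(host, legit):
            hits.append((client, host, verdict[0], verdict[1]))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the three lookalike hosts and leaves the genuine `moh.gov.sa` request and the unrelated `mail.google.com` request alone.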
### Conclusion

CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY [threat group (formerly labeled Threat Group-2889)](https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles). CTU researchers assess with high confidence that COBALT GYPSY is associated with Iranian government-directed cyber operations, and it has used tactics similar to this campaign:

- [targeting Saudi financial, oil, and technology organizations](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/)
- [using job-themed lures to infect systems](https://www.cylance.com/operation-cleaver-cylance)
- registering spoofed domains
- spearphishing new victims using legitimate email addresses

This campaign highlights the need for organizations to educate users about the risks of spearphishing and shortened links. CTU researchers recommend that organizations [disable macros in Microsoft Office products](https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7B4FDD2E-174F-47E2-9611-9EFE4F860B12) to prevent attacks that leverage this functionality. Organizations should also incorporate [advanced malware prevention technology and endpoint threat detection tools](https://www.secureworks.com/capabilities/managed-security/network-security/advanced-malware-protection) as part of their mitigation strategies.

### Threat indicators

The indicators in Table 2 are associated with the PupyRAT campaign. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser.

| Indicator | Type | Context |
| --- | --- | --- |
| ntg-sa.com | Domain name | Attacker-controlled spoofed website |
| itworx.com-ho.me | Domain name | Attacker-controlled spoofed website |
| mci.com-ho.me | Domain name | Attacker-controlled spoofed website |
| moh.com-ho.me | Domain name | Attacker-controlled spoofed website |
| mol.com-ho.me | Domain name | Attacker-controlled spoofed website |
| 45.32.186.33 | IP address | Hosting spoofed domains used in PupyRAT phishing campaign |
| 139.59.46.154 | IP address | Hosting PowerShell stages of PupyRAT download |
| 89.107.62.39 | IP address | PupyRAT command and control server |
| 43fad2d62bc23ffdc6d301571135222c | MD5 hash | Job-themed Word document lure (qhtma) delivering PupyRAT |
| 735f5d7ef0c5129f0574bec3cf3d6b06b052744a | SHA1 hash | Job-themed Word document lure (qhtma) delivering PupyRAT |
| e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6 | SHA256 hash | Job-themed Word document lure (qhtma) delivering PupyRAT |
| 1b5e33e5a244d2d67d7a09c4ccf16e56 | MD5 hash | Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT |
| 934c51ff1ea00af2cb3b8465f0a3effcf759d866 | SHA1 hash | Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT |
| 66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b | SHA256 hash | Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT |
| 03ea9457bf71d51d8109e737158be888 | MD5 hash | Password-themed lure (Password_Policy.xlsm) delivering PupyRAT |
| d20168c523058c7a82f6d79ef63ea546c794e57b | SHA1 hash | Password-themed lure (Password_Policy.xlsm) delivering PupyRAT |
| 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b | SHA256 hash | Password-themed lure (Password_Policy.xlsm) delivering PupyRAT |
| 3215021976b933ff76ce3436e828286e124e2527 | SHA1 hash | PupyRAT (pupyx86.dll) |
| 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71 | SHA256 hash | PupyRAT (pupyx86.dll) |

_Table 2. Threat indicators for the Iranian PupyRAT campaign._

### Gauging confidence level

CTU researchers have adopted the [grading system published by the U.S. Office of the Director of National Intelligence](http://www.dni.gov/files/documents/Newsroom/Press%20Releases/2007%20Press%20Releases/20071203_release.pdf) to indicate confidence in their assessments:

**High confidence** generally indicates that judgments are based on high-quality information, and/or that the nature of the issue makes it possible to render a solid judgment. A "high confidence" judgment is not a fact or a certainty, however, and such judgments still carry a risk of being wrong.

**Moderate confidence** generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.

**Low confidence** generally means that the information's credibility and/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources.