Hackers have been found scoping out banks throughout the Middle East in an apparent reconnaissance mission ahead of a major offensive.
According to FireEye researchers, in the first week of May 2016 FireEye's Dynamic Threat Intelligence (DTI) system identified a wave of emails carrying malicious attachments sent to multiple banks in the Middle East region. The final payload is a set of scripts that collect information from the infected system, including the currently logged-on user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes and other data.
It’s likely this information will be used to architect and mount a wider and more damaging campaign.
The attackers sent multiple emails containing macro-enabled Excel spreadsheet files to employees. The messages used IT-infrastructure themes, such as a log of "Server Status Reports" or a list of Cisco IronPort appliance details. Interestingly, the macro runs successfully only on Windows Vista and later versions of the operating system.
“In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks,” FireEye noted. “This email was then forwarded to several people, with the malicious Excel file attached.”
Here’s where the tactics start to look innovative: Office documents containing malicious macros are commonly used in crimeware campaigns. Because default Office settings typically require user action in order for macros to run, attackers may convince victims to enable risky macro code by telling them that the macro is required to view “protected content.” In this case, that additional content is actually displayed in an apparent gambit to continue masquerading as a legitimate document.
“The attacks caught our attention since they were using unique scripts not commonly seen in crime-ware campaigns,” the researchers said in an analysis. “In crimeware campaigns, we usually observe that no additional content is displayed after enabling the macros. However, in this case, attackers took the extra step to actually hide and unhide worksheets when the macro is enabled to allay any suspicion.”
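The hide-and-unhide worksheet trick described above leaves a structural fingerprint an attachment scanner can look for: a VBA project combined with worksheets whose visibility state is `hidden` or `veryHidden`. The following is an added triage example (not FireEye's tooling or code from the report); it builds a minimal, constructed in-memory workbook so it runs offline, then inspects `xl/workbook.xml` and checks for `xl/vbaProject.bin`, which is where Office stores macros in `.xlsm` files. Legacy binary `.xls` files use a different (OLE) container and are not covered by this check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by xl/workbook.xml in OOXML workbooks.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_sample_workbook(with_vba, sheet_states):
    """Construct a minimal workbook zip in memory (sample data, not a real lure).

    sheet_states is a list such as ["visible", "veryHidden"]; one <sheet>
    element is emitted per entry. If with_vba is true, a placeholder
    xl/vbaProject.bin part is added so the file looks macro-enabled.
    """
    parts = []
    for i, state in enumerate(sheet_states, start=1):
        attr = "" if state == "visible" else ' state="%s"' % state
        parts.append('<sheet name="Sheet%d" sheetId="%d"%s r:id="rId%d"/>' % (i, i, attr, i))
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<sheets>" + "".join(parts) + "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not inspected
        z.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            # Constructed placeholder bytes standing in for a real VBA project stream.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def inspect_workbook(data):
    """Report macro presence and the visibility state of every worksheet."""
    result = {"has_vba": False, "sheets": [], "hidden_sheets": [], "very_hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        result["has_vba"] = "xl/vbaProject.bin" in set(z.namelist())
        root = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in root.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # absent attribute means visible
            result["sheets"].append((name, state))
            if state == "hidden":
                result["hidden_sheets"].append(name)
            elif state == "veryHidden":
                # veryHidden sheets cannot be unhidden from the Excel UI, only via VBA.
                result["very_hidden_sheets"].append(name)
    return result


def is_suspicious(data):
    """Flag workbooks that pair a VBA project with hidden or veryHidden sheets."""
    info = inspect_workbook(data)
    return info["has_vba"] and bool(info["hidden_sheets"] or info["very_hidden_sheets"])


if __name__ == "__main__":
    lure = build_sample_workbook(True, ["visible", "veryHidden"])
    benign = build_sample_workbook(False, ["visible", "hidden"])
    print("lure-like:", is_suspicious(lure), inspect_workbook(lure))
    print("benign:", is_suspicious(benign), inspect_workbook(benign))
```

A hidden sheet on its own is common in legitimate finance workbooks, so the check keys on the combination with a VBA project; in a mail gateway this would be one scoring signal alongside the macro's auto-run entry points rather than a standalone block rule.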
Another interesting technique found in the malware was the use of DNS queries as a data exfiltration channel. This was likely done because DNS is required for normal network operations and is therefore rarely blocked at the perimeter. That gives the malware an unrestricted path out of the network, and DNS traffic is unlikely to raise suspicion among network defenders.
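Because the exfiltration rides on ordinary resolver traffic, the practical detection is statistical rather than a blocklist: a single internal host issuing many distinct, long, encoded-looking leading labels under one base domain. The following is an added example of that logic (not FireEye's code and not an indicator from the report); the resolver log lines, the internal addresses and the `c2-placeholder.test` domain are constructed for the example, and the base-domain split assumes the last two labels, which a real deployment would replace with a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not from the FireEye report). Host 10.0.5.41 is
# sending hex-encoded chunks as the leading label of queries to a placeholder
# attacker-controlled domain; 10.0.5.23 shows ordinary lookups.
SAMPLE_LOG = """\
2016-05-03T09:12:01Z client=10.0.5.23 query=www.example-bank.test type=A
2016-05-03T09:12:02Z client=10.0.5.23 query=mail.example-bank.test type=MX
2016-05-03T09:12:05Z client=10.0.5.41 query=4a6f686e2d50432e636f72702e.c2-placeholder.test type=A
2016-05-03T09:12:06Z client=10.0.5.41 query=31302e302e352e34312c31302e.c2-placeholder.test type=A
2016-05-03T09:12:07Z client=10.0.5.41 query=41646d696e6973747261746f72.c2-placeholder.test type=A
2016-05-03T09:12:08Z client=10.0.5.41 query=2c4775657374.c2-placeholder.test type=A
2016-05-03T09:12:09Z client=10.0.5.23 query=cdn.example-bank.test type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (leading_label, base_domain).

    Assumption for this example: the base domain is the last two labels.
    Names with fewer than three labels carry no leading label to score.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, query_name) pairs from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("query")


def find_dns_exfil(text, min_unique_labels=3, min_mean_label_len=12):
    """Group queries by (client, base domain) and flag groups whose distinct
    leading labels are numerous and long, which is the shape of chunked data
    being tunnelled out rather than hostnames being resolved."""
    stats = defaultdict(lambda: {"labels": set(), "lengths": [], "entropies": []})
    for client, qname in parse_log(text):
        label, base = split_query(qname)
        if label is None:
            continue
        s = stats[(client, base)]
        if label not in s["labels"]:  # count each distinct label once
            s["labels"].add(label)
            s["lengths"].append(len(label))
            s["entropies"].append(shannon_entropy(label))
    findings = []
    for (client, base), s in sorted(stats.items()):
        n = len(s["labels"])
        mean_len = sum(s["lengths"]) / n
        mean_ent = sum(s["entropies"]) / n
        if n >= min_unique_labels and mean_len >= min_mean_label_len:
            findings.append({
                "client": client,
                "domain": base,
                "unique_labels": n,
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_dns_exfil(SAMPLE_LOG):
        print(f)
```

Entropy is reported but deliberately not used as the gate: hex-encoded data with repetitive content (an IP address list, for instance) can score below typical "random-looking" thresholds, as the second label in the sample does, while the count and length of distinct labels per base domain stay high regardless of what is being encoded.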
“Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target,” the researchers said.
Users can protect themselves from such attacks by disabling Office macros in their settings, and by being more cautious about enabling macros when a document prompts them to, even if the document appears to come from a trusted source.