Palo Alto Networks Unit 42 researchers discovered a new campaign named TopHat targeting Middle East regions by leveraging popular third-party apps like Google+, Pastebin, and bit.ly.
Researchers said that the attacker uses Arabic-language decoy documents related to current political events to trick victims into opening the documents and infecting themselves with the malware. The malware used in the attack is from a new family dubbed “Scote.” According to the data, the attacks are targeting individuals or organizations within the Palestinian territories.
“Scote provides backdoor access for an attacker, and we have observed it collecting command and control (C2) information from Pastebin links as well as Google+ profiles. The bit.ly links obscured the C2 URLs so victims could not evaluate the legitimacy of the final site prior to clicking it. We are calling their recent activity the “TopHat” campaign.” the researchers said in the blog post.
The attack was spotted by researchers in early September 2017, and in some instances the original filenames of the identified samples were written in Arabic.
The attack is deployed through four different means: two involving malicious RTF files, one involving self-extracting Windows executables, and the final one using RAR archives.
The first technique uses a malicious RTF that makes an HTTP request to a URL which then redirects to a malicious site.
The second technique uses Don’t Kill My Cat (DKMC), which enables an attacker to load a legitimate bitmap (BMP) file with shellcode inside it.
The third technique uses a malicious RTF file that exploits CVE-2017-0199, a remote code execution (RCE) vulnerability in Microsoft Office/WordPad which was patched by Microsoft in September 2017.
The last technique uses a self-extracting executable file to load the decoy document and spawn an instance of Scote.
After infection, the malware decodes an embedded configuration which contains URLs to third-party online services such as Pastebin postings or Google+ accounts. The malware then uses this information to retrieve data from these URLs.
Once the command and control information is retrieved, the malware communicates with these servers and accepts commands which perform the following actions:
- Kill the Scote malware
- Run ‘ipconfig’ on the victim and return results
- Run ‘cmd.exe /C systeminfo’ and return results
- Load a DLL that is downloaded from a C2
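The behaviour described above gives a defender two observable stages: a non-browser process (the document handler opening the RTF lure, or the dropped backdoor itself) reaching a paste site or URL shortener, followed by the discovery commands Scote runs on the host. The script below is an added example, not code from Unit 42 or from the report; it turns those two stages into a simple host-level triage. The log line formats, the `WS-042`/`WS-017` host names, the placeholder URLs and the dropped-binary name `update.exe` are all constructed for the example; the service domains (`pastebin.com`, `plus.google.com`, `bit.ly`) are the public domains of the services the report names, and the process allowlists are illustrative assumptions.

```python
"""Heuristic triage for the Scote behaviour described above.

Assumptions for this example (not from the Unit 42 report):
  * proxy log lines look like:   "<timestamp> <host> <process_image> <url>"
  * process-creation lines like: "<timestamp> <host> <parent_image> <image> <command line...>"
  * the dropped executable is named "update.exe" purely as a constructed sample value
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Services the report names as carriers of Scote's C2 configuration (Pastebin,
# Google+) and the shortener used to obscure them (bit.ly), by their public domains.
C2_CARRIER_HOSTS = {"pastebin.com", "plus.google.com", "bit.ly"}

# Browsers are expected to reach paste sites and shorteners; anything else doing so
# (an Office process handling the RTF lure, or the dropped Scote binary) is suspect.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Parents that legitimately launch discovery commands on behalf of a user (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# The on-host discovery commands the report says Scote executes.
DISCOVERY_COMMANDS = (
    re.compile(r"^\s*ipconfig(\.exe)?(\s|$)", re.IGNORECASE),
    re.compile(r"^\s*cmd(\.exe)?\s+/c\s+systeminfo(\s|$)", re.IGNORECASE),
)


def parse_proxy_line(line):
    ts, host, process, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "process": process.lower(), "url": url}


def parse_process_line(line):
    ts, host, parent, image, cmdline = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def flag_proxy_record(rec):
    """Reason string when a non-browser process reaches a C2 carrier host, else None."""
    domain = (urlparse(rec["url"]).hostname or "").lower()
    if domain.startswith("www."):
        domain = domain[4:]
    if domain in C2_CARRIER_HOSTS and rec["process"] not in BROWSER_PROCESSES:
        return f"{rec['process']} fetched {domain}"
    return None


def flag_process_record(rec):
    """Reason string when a non-interactive parent runs a Scote discovery command."""
    if rec["parent"] in INTERACTIVE_PARENTS:
        return None
    for pattern in DISCOVERY_COMMANDS:
        if pattern.search(rec["cmdline"]):
            return f"{rec['parent']} ran {rec['cmdline']!r}"
    return None


def triage(proxy_lines, process_lines):
    """Group flagged observations per host: {host: {"c2_fetch": [...], "discovery": [...]}}."""
    findings = defaultdict(lambda: {"c2_fetch": [], "discovery": []})
    for line in proxy_lines:
        rec = parse_proxy_line(line)
        reason = flag_proxy_record(rec)
        if reason:
            findings[rec["host"]]["c2_fetch"].append(reason)
    for line in process_lines:
        rec = parse_process_line(line)
        reason = flag_process_record(rec)
        if reason:
            findings[rec["host"]]["discovery"].append(reason)
    return dict(findings)


def high_confidence(findings):
    """Hosts that show both halves of the chain: the C2 fetch and the discovery commands."""
    return sorted(h for h, f in findings.items() if f["c2_fetch"] and f["discovery"])


# Constructed sample telemetry; URLs and the "update.exe" name are placeholders.
SAMPLE_PROXY = [
    "2017-09-05T09:12:01Z WS-042 winword.exe http://bit.ly/placeholder-shortlink",
    "2017-09-05T09:12:09Z WS-042 update.exe https://pastebin.com/raw/placeholder-paste",
    "2017-09-05T09:15:44Z WS-017 chrome.exe https://pastebin.com/placeholder-paste",
]
SAMPLE_PROCESS = [
    "2017-09-05T09:12:40Z WS-042 update.exe cmd.exe cmd.exe /C systeminfo",
    "2017-09-05T09:12:41Z WS-042 update.exe ipconfig.exe ipconfig",
    "2017-09-05T10:01:05Z WS-017 cmd.exe ipconfig.exe ipconfig /all",
]

if __name__ == "__main__":
    found = triage(SAMPLE_PROXY, SAMPLE_PROCESS)
    for host, f in found.items():
        print(host, f)
    print("high confidence:", high_confidence(found))
```

Either signal alone is noisy (users do open Pastebin, and scripts do run `ipconfig`), so the block only escalates a host to high confidence when both the carrier-site fetch and the discovery commands appear on the same machine; in the constructed sample that singles out `WS-042` and leaves the browser visit and the interactive `ipconfig /all` on `WS-017` unflagged.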