Threat Advisory - Targeted Attacks In The Middle East
Updated: Nov 23, 2018
A targeted malware campaign has been discovered that uses decoy documents themed on Dar El-Jaleel, a Jordanian publishing and research house. The campaign relies heavily on scripting languages (VBScript, PowerShell and VBA) across all of its stages.
The malware fingerprints the target before doing anything else: it checks whether it is running inside a sandbox, enumerates installed antivirus products, and collects the IP address, computer name, username, operating system version and the drives attached to the system. The malware dropped by this campaign is reported to establish persistence on the host and to send the collected information to its command-and-control (C&C) server.
The campaign proceeds through the following stages, each handing off to a different interpreter:
VBScript – launches a PowerShell script.
PowerShell script – writes a Microsoft Office document to disk and opens it.
Office document with macros – the macro creates a Windows Script File (WSF) and executes it.
WSF script – contains the functions that contact the C&C server and execute additional payloads.
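Because every stage above is a different interpreter spawning the next, the chain leaves a distinctive process-creation pattern: script host → PowerShell → Office application → script host. The following detection logic, an added example that is not code from the advisory or from the campaign itself, walks that ancestry in Sysmon-style Event ID 1 records (fields ProcessGuid, ParentProcessGuid, Image, CommandLine). The events, process GUIDs and file names are constructed for the demo and are not observed indicators; the stage hand-offs are the only thing taken from the advisory.

```python
"""Detect the VBScript -> PowerShell -> Office -> WSF hand-off chain in
process-creation telemetry. Added example, not code from the advisory.
Assumes Sysmon-style Event ID 1 records; sample events are constructed."""
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Parent -> child hand-offs that are suspicious on their own, in stage order.
SUSPICIOUS_PAIRS = [
    (SCRIPT_HOSTS, POWERSHELL, "script host launched PowerShell"),
    (POWERSHELL, OFFICE, "PowerShell opened an Office application"),
    (OFFICE, SCRIPT_HOSTS, "Office application launched a script host"),
]

# Image categories in the order the advisory lists the stages.
STAGE_SEQUENCE = ("script", "powershell", "office", "script")


def image_name(image):
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return os.path.basename(image.replace("\\", "/")).lower()


def category(image):
    """Map an image path to one of the stage categories, or 'other'."""
    name = image_name(image)
    if name in SCRIPT_HOSTS:
        return "script"
    if name in POWERSHELL:
        return "powershell"
    if name in OFFICE:
        return "office"
    return "other"


def find_suspicious_pairs(events):
    """Flag every parent/child pair that matches one stage hand-off."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_guid.get(child.get("ParentProcessGuid"))
        if parent is None:
            continue
        p_name, c_name = image_name(parent["Image"]), image_name(child["Image"])
        for parents, children, reason in SUSPICIOUS_PAIRS:
            if p_name in parents and c_name in children:
                findings.append({"parent": parent["ProcessGuid"],
                                 "child": child["ProcessGuid"],
                                 "reason": reason})
    return findings


def find_stage_chains(events):
    """Return every ancestry path whose categories equal STAGE_SEQUENCE.

    Each hit lists the process GUIDs root-first and records whether the final
    script host was handed a .wsf file, as in the advisory's last stage."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for leaf in events:
        if category(leaf["Image"]) != STAGE_SEQUENCE[-1]:
            continue
        lineage = [leaf]
        while len(lineage) < len(STAGE_SEQUENCE):  # walk up only as far as needed
            parent = by_guid.get(lineage[-1].get("ParentProcessGuid"))
            if parent is None:
                break
            lineage.append(parent)
        lineage.reverse()  # root-most stage first
        if tuple(category(e["Image"]) for e in lineage) != STAGE_SEQUENCE:
            continue
        hits.append({"chain": [e["ProcessGuid"] for e in lineage],
                     "runs_wsf": ".wsf" in leaf.get("CommandLine", "").lower()})
    return hits


def ev(guid, parent, image, cmdline):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "CommandLine": cmdline}


WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    ev("G0", None, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Stage 1: the user runs the VBScript lure.
    ev("G1", "G0", WSCRIPT, r'wscript.exe "C:\Users\u\Downloads\lure.vbs"'),
    # Stage 2: VBScript hands off to PowerShell.
    ev("G2", "G1", PS, "powershell.exe -NoProfile -WindowStyle Hidden -File stage2.ps1"),
    # Stage 3: PowerShell writes a macro document and opens it in Word.
    ev("G3", "G2", WORD, r'"%s" /n "C:\Users\u\AppData\Local\Temp\decoy.doc"' % WORD),
    # Stage 4: the macro drops a WSF and runs it.
    ev("G4", "G3", WSCRIPT, r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\update.wsf"'),
    # Benign noise: Word and PowerShell started directly from the shell.
    ev("G5", "G0", WORD, r'"%s" /n "C:\Users\u\Documents\notes.docx"' % WORD),
    ev("G6", "G0", PS, "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for f in find_suspicious_pairs(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['child']}: {f['reason']}")
    for h in find_stage_chains(SAMPLE_EVENTS):
        print("full stage chain:", " -> ".join(h["chain"]),
              "(final stage runs a .wsf)" if h["runs_wsf"] else "")
```

Running it flags the three hand-offs G1→G2, G2→G3 and G3→G4 individually and reports G1→G2→G3→G4 as a complete chain ending in a .wsf, while the benign Word and PowerShell launches from explorer.exe produce nothing. In production the pair rules are the ones worth alerting on by themselves (an Office application spawning wscript.exe or cscript.exe is rarely legitimate), and the chain match should be bounded by time and by user session so that unrelated processes are not stitched together.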