
Middle East banks hit by wave of targeted attacks.

Cyber security firm FireEye has detected a wave of cyber-attacks against banks in the Middle East.

FireEye's Dynamic Threat Intelligence (DTI) identified emails containing malicious attachments being sent to multiple banks in the region.

The threat actors appear to be performing initial reconnaissance against would-be targets and were detected because they were using unique scripts that are not commonly seen in crimeware campaigns.

The attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees. The themes of the messages used in the attacks are related to IT infrastructure, such as a Server Status Report log or a list of Cisco IronPort appliance details.

In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached.

Office documents containing malicious macros are commonly used because default Office settings typically require user action in order for macros to run, and victims are likely to run risky macro code because the attackers convince them that the macro is required to view "protected content".

FireEye said that one of the interesting techniques it observed in this attack was the display of additional content after the macro executed successfully. This was done for the purpose of social engineering - specifically, to convince the victim that enabling the macro did in fact result in the "unhiding" of additional spreadsheet data. In crimeware campaigns, FireEye usually observes that no additional content is displayed after enabling the macros.

In this case, however, the attackers took the extra step to actually hide and unhide worksheets when the macro is enabled, to allay any suspicion.

Another interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration channel. This was likely done because DNS is required for normal network operations. The DNS protocol is unlikely to be blocked (allowing free communications out of the network) and its use is unlikely to raise suspicion among network defenders.
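The DNS exfiltration pattern described above leaves a footprint in resolver logs that defenders can look for. The Python below is an added example, not FireEye's tooling and not anything from the article: it profiles constructed (made-up) DNS query log lines per registered domain and flags domains that receive many unique, long, hex-looking subdomains, which is the shape encoded data takes when it is carried out in query names. The log format, the domain names, the thresholds and the two-label "registered domain" heuristic are all assumptions; a production detector would use the public suffix list and tune thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<time> <client-ip> <qname>".
# The hex labels under sync-update-example.test are hex-encoded text chunks with a
# sequence label, the kind of query name a DNS exfiltration channel produces.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 www.example-bank.test
10:00:02 10.1.2.3 mail.example-bank.test
10:00:03 10.1.2.4 www.example-bank.test
10:00:03 10.1.2.5 cdn-assets-01.content-example.test
10:00:04 10.1.2.5 update.vendor-example.test
10:00:05 10.1.2.5 update.vendor-example.test
10:00:06 10.1.2.3 4a6f686e20446f652c2041636374.0001.sync-update-example.test
10:00:06 10.1.2.3 2031323334352d36373839203a20.0002.sync-update-example.test
10:00:07 10.1.2.3 42616c616e636520313230302e30.0003.sync-update-example.test
10:00:07 10.1.2.3 30205553442c2053574946543a20.0004.sync-update-example.test
10:00:08 10.1.2.3 4558414d504c455858582c204e6f.0005.sync-update-example.test
10:00:08 10.1.2.3 7465733a206e6f6e652e0a0a0a0a.0006.sync-update-example.test
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_log(text):
    """Return (client, qname) tuples; lines without exactly three fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[1], parts[2].lower().rstrip(".")))
    return records


def split_name(qname):
    """Split a query name into (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. Real deployments
    should use the public suffix list so that names like example.co.uk work.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hex_ratio(s):
    """Fraction of non-dot characters in s that are lowercase hex digits."""
    chars = s.replace(".", "")
    if not chars:
        return 0.0
    return sum(ch in HEX_DIGITS for ch in chars) / len(chars)


def profile_domains(records):
    """Aggregate per registered domain: distinct subdomains, their mean length,
    mean hex ratio, mean entropy, and the clients that queried the domain."""
    by_domain = defaultdict(lambda: {"clients": set(), "subdomains": set()})
    for client, qname in records:
        sub, dom = split_name(qname)
        by_domain[dom]["clients"].add(client)
        by_domain[dom]["subdomains"].add(sub)
    profiles = {}
    for dom, data in by_domain.items():
        subs = [s for s in data["subdomains"] if s]
        n = len(subs)
        profiles[dom] = {
            "unique_subdomains": n,
            "mean_subdomain_len": sum(len(s) for s in subs) / n if n else 0.0,
            "mean_hex_ratio": sum(hex_ratio(s) for s in subs) / n if n else 0.0,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n if n else 0.0,
            "clients": sorted(data["clients"]),
        }
    return profiles


def find_suspicious(text, min_unique=5, min_len=30, min_hex=0.9):
    """Return registered domains whose subdomain traffic looks like encoded data:
    many distinct subdomains, each long and almost entirely hex. Thresholds are
    assumptions to be tuned against a site's own baseline."""
    profiles = profile_domains(parse_log(text))
    return sorted(
        dom
        for dom, p in profiles.items()
        if p["unique_subdomains"] >= min_unique
        and p["mean_subdomain_len"] >= min_len
        and p["mean_hex_ratio"] >= min_hex
    )


if __name__ == "__main__":
    for dom, p in sorted(profile_domains(parse_log(SAMPLE_LOG)).items()):
        print(f"{dom:32s} unique={p['unique_subdomains']:2d} "
              f"len={p['mean_subdomain_len']:5.1f} hex={p['mean_hex_ratio']:.2f} "
              f"ent={p['mean_entropy']:.2f} clients={p['clients']}")
    print("suspicious:", find_suspicious(SAMPLE_LOG))
```

The three features are deliberately simple so that the rule is explainable to an analyst: a CDN or mail provider also produces many distinct subdomains, but not ones that are both long and hex-only, and a single hex-looking label (a cache-buster, say) does not reach the distinct-subdomain threshold on its own. Pair the rule with a per-client view, since exfiltration typically originates from one infected host.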

The rise of the region as a hub for banking and finance has made it a tempting target for cyber-attackers. Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target. This attack also demonstrates that macro malware is effective even today. Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.

[c] 2016 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc. ( Syndigate.info ).


Article Details
Publication:ITP.net
Date:May 23, 2016
Words:455