Middle East banks hit by wave of targeted attacks.
Cyber security firm FireEye has detected a wave of cyber-attacks against banks in the Middle East.
FireEye's Dynamic Threat Intelligence (DTI) identified emails
containing malicious attachments being sent to multiple banks in the region.
The threat actors appear to be performing initial reconnaissance against would-be
targets; they were detected because they used unique scripts that are not
commonly seen in crimeware campaigns.
The attackers sent multiple emails containing macro-enabled Excel (XLS) files to
employees. The themes of the messages were related to IT infrastructure,
such as a Server Status Report log or a Cisco IronPort appliance list.
In one case, the content of the email appeared to be a legitimate email
conversation between several employees, even containing contact details of
employees from several banks. This email was then forwarded to several people
with the malicious Excel file attached.
Documents containing malicious macros are commonly used even though default Office
settings typically require user action before macros run, because victims will
run risky macro code once the attackers convince them that the
macro is required to view "protected content".
FireEye said that one interesting technique it observed in this attack was the display
of additional content after the macro executed successfully. This was done for
the purpose of social engineering, specifically to convince the victim that
enabling the macro did in fact result in the "unhiding" of additional
spreadsheet data. In crimeware campaigns, FireEye usually observes that no
additional content is displayed after the macros are enabled.
In this case, however, the attackers took the extra step of actually hiding and unhiding
worksheets when the macro is enabled, to allay any suspicion.
Another interesting technique leveraged by this malware was the use of DNS queries as a
data exfiltration channel. This was likely done because DNS is required for
normal network operations: the protocol is unlikely to be blocked (allowing
free communication out of the network), and its use is unlikely to raise
suspicion among network defenders.
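As an added illustration (not FireEye's code, and not anything recovered from this campaign), the following Python shows how such a channel works end to end and what a defender can look for in resolver logs. The sender splits stolen bytes into hex-encoded DNS labels under an attacker-controlled domain, the receiver reassembles them, and the detector flags apex domains whose queries carry unusually long labels or many distinct high-entropy subdomains. The domain cdn-updates.example, the chunking scheme, the log format and the log lines themselves are all assumptions constructed for the example.

```python
"""DNS as an exfiltration channel: hypothetical sender plus a resolver-log detector.

Added example; not FireEye's code and not recovered from the campaign.
EXFIL_DOMAIN, the chunking scheme, the log format and the sample data are assumptions.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

EXFIL_DOMAIN = "cdn-updates.example"  # assumed attacker-controlled domain
CHUNK_BYTES = 30  # 30 bytes -> 60 hex chars, within the 63-octet label limit of RFC 1035


def encode_exfil(data: bytes, domain: str = EXFIL_DOMAIN) -> List[str]:
    """Sender side: split data into query names of the form <seq>.<hex chunk>.<domain>."""
    return [
        f"{seq}.{data[off:off + CHUNK_BYTES].hex()}.{domain}"
        for seq, off in enumerate(range(0, len(data), CHUNK_BYTES))
    ]


def decode_exfil(names: Iterable[str]) -> bytes:
    """Attacker side: reassemble the chunks, tolerating out-of-order arrival."""
    parts = {}
    for name in names:
        seq, chunk, _domain = name.split(".", 2)
        parts[int(seq)] = bytes.fromhex(chunk)
    return b"".join(parts[i] for i in sorted(parts))


def shannon_entropy(s: str) -> float:
    """Bits per character; hex payloads approach 4.0, ordinary hostnames sit well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(lines: Iterable[str]) -> Iterable[Tuple[str, str]]:
    """Constructed log format: '<timestamp> <client ip> <qname>', one query per line."""
    for line in lines:
        fields = line.split()
        if len(fields) == 3:
            yield fields[1], fields[2].rstrip(".").lower()


def split_apex(qname: str) -> Tuple[str, List[str]]:
    """Naive apex = last two labels; production code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def detect_dns_exfil(lines: Iterable[str], max_label: int = 40,
                     min_queries: int = 8, min_entropy: float = 3.0) -> Dict[str, str]:
    """Return {apex domain: reason} for domains whose queries look like a covert channel."""
    stats = defaultdict(lambda: {"subs": set(), "longest": 0, "entropy": []})
    for _client, qname in parse_log(lines):
        apex, sub = split_apex(qname)
        if not sub:
            continue  # a bare apex query carries no payload
        st = stats[apex]
        st["subs"].add(".".join(sub))
        st["longest"] = max(st["longest"], max(len(label) for label in sub))
        st["entropy"].append(shannon_entropy("".join(sub)))

    findings: Dict[str, str] = {}
    for apex, st in stats.items():
        mean_entropy = sum(st["entropy"]) / len(st["entropy"])
        if st["longest"] > max_label:
            findings[apex] = f"label of {st['longest']} chars exceeds {max_label}"
        elif len(st["subs"]) >= min_queries and mean_entropy >= min_entropy:
            findings[apex] = (f"{len(st['subs'])} distinct subdomains with mean "
                              f"entropy {mean_entropy:.2f}")
    return findings


# Constructed sample: reconnaissance-style host details and a short resolver log.
SAMPLE_SECRET = b"host=FIN-WS-042;user=jdoe;os=Windows 7 SP1;proxy=10.20.30.40;av=none\n"
BENIGN_LINES = [
    "2016-05-13T09:01:02 10.1.2.3 www.bank.example",
    "2016-05-13T09:01:05 10.1.2.3 mail.bank.example",
    "2016-05-13T09:01:09 10.1.2.3 time.windows.com",
    "2016-05-13T09:01:11 10.1.2.3 safebrowsing.google.com",
]
SAMPLE_LOG = BENIGN_LINES + [
    f"2016-05-13T09:02:{i:02d} 10.1.2.3 {name}"
    for i, name in enumerate(encode_exfil(SAMPLE_SECRET))
]

if __name__ == "__main__":
    for apex, reason in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"suspect {apex}: {reason}")
```

The thresholds are starting points rather than tuned values: legitimate services such as CDNs, anti-virus signature lookups and DNS blocklists also generate long or high-entropy labels, so a deployed rule needs an allow-list built from a baseline of the bank's own traffic, and the two-label apex heuristic misclassifies multi-part suffixes such as co.uk. The point the passage makes still stands in the code: nothing here requires any port other than 53 to be open, which is why egress filtering alone does not close the channel and resolver logging is needed.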
The rise of the region as a hub for banking and finance has made it a tempting
target for cyber-attackers. Although this attack did not leverage any zero-days
or other advanced techniques, it is notable how the attackers combined
different components to perform reconnaissance activities on a specific target.
This attack also demonstrates that macro malware is effective even today. Users
can protect themselves from such attacks by disabling Office macros in their
settings (ideally enforced centrally by the organisation rather than left to each
user) and by being more vigilant when enabling macros (especially when
prompted) in documents, even if such documents are from seemingly trusted
[c] 2016 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc. ( Syndigate.info ).