14 DAY TRIAL // US security firm FireEye revealed an ongoing reconnaissance campaign targeting several banks in the Middle East, but with not serious attacks or data breaches reported yet.
According to the company's malware experts, an unknown group is sending highly targeted and well-crafted spear-phishing emails to the employees of these banks.
These emails are crafted around technical topics such as server status reports and Cisco equipment details, targeting the bank's IT staff, probably to obtain information about the bank's server infrastructure and internal network.
Malicious Excel files deliver an infostealer and a password dumper
All emails contain an Excel file attached. When downloaded and opened, this file requests the user to enable Macro support to view its content. Microsoft turned off Macro support by default in all Office files more than a decade ago because it was used to download and install malware via automated scripts.
If the user does turn on Macro support, the crooks took special care to show some content in the Excel file. This was done to avoid raising any signs of alarm. Most hackers who use the Macro-based distribution method for their malware usually don't bother showing any real content afterward, alerting victims that something was strange about the file they have just opened.
Alongside showing some content, the Macro also runs a VBScript in the background. This script downloads three other files. A BAT file that it runs every three minutes with the help of a scheduled task, Mimikatz, and a PowerShell script.
Mimikatz is a "password dumper" application that will scrape the Windows memory and extract passwords in clear text.
The BAT script will collect data about the infected computer. The type of data it steals includes the currently logged-on user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes, and other data.
Hackers steal data via DNS requests
Once these two files gathered all information, the PowerShell script will send the stolen data to a remote server disguised as DNS requests. Crooks used DNS because the protocol is whitelisted in almost all enterprise networks and rarely kept under surveillance. A recent version of the NewPosThings PoS malware also used the same DNS exfiltration technique.
"Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target," the FireEye team explained. "This attack also demonstrates that macro malware is effective even today."
In the past few months, Middle East banks have been under attack from Turkish hackers. We previously reported on data dumps against the Qatar National Bank and InvestBank from the United Arab Emirates.
The same group behind this attack also dumped details from the Dutch Bangla Bank (Bangladesh), The City Bank (Bangladesh), Trust Bank (Bangladesh), Business Universal Development Bank (Nepal), and Sanima Bank (Nepal) on Tuesday, and then for the Commercial Bank of Ceylon (Sri Lanka).