Middle East banks hit by wave of targeted attacks
FireEye identified emails containing malicious content are being sent to banks in the region
Cyber security firm FireEye has detected a wave of cyber-attacks against banks in the Middle East.
FireEye's Dynamic Threat Intelligence (DTI) identified emails containing malicious attachments being sent to multiple banks in the region. The treats actors appear to be performing initial reconnaissance against would-be targets and were detected since they were using unique scripts, which are not commonly seen in crimeware campaigns.
The attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees. The themes of the messages used in the attacks are related to IT infrastructure, such as a log of Server Status Report or a list of Cisco Iron Port Appliance details.
In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached.
Office documents containing malicious macros are commonly used because default Office settings typically require user action in order for macros to run and victims are likely to run risky macro codes as the attackers will convince them that the macro is required to view "protected content".
FireEye said that the interesting techniques it observed in this attack was the display of additional content after the macro executed successfully. This was done for the purpose of social engineering - specifically, to convince the victim that enabling the macro did in fact result in the "unhiding" of additional spreadsheet data. In crimeware campaigns, FireEye usually observes that no additional content is displayed after enabling the macros.
In this case however the attackers took the extra step to actually hide and unhide worksheets when the macro is enabled to allay any suspicion.
Another interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration channel. This was likely done because DNS is required for normal network operations. The DNS protocol is unlikely to be blocked (allowing free communications out of the network) and its use is unlikely to raise suspicion among network defenders.
The rise of the region as a hub for banking and finance has made it a tempting target for cyber-attackers. Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target. This attack also demonstrates that macro malware is effective even today. Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.