Cisco Blogs
Share

Targeted Attacks In The Middle East

- February 6, 2018 - 0 Comments

This blog post is authored by Paul Rascagneres with assistance of Martin Lee.

Executive Summary

Talos has identified a targeted attack affecting the Middle East. This campaign contains the following elements, which are described in detail in this article.

  • The use of allegedly confidential decoy documents purported to be written by the Jordanian publishing and research house, Dar El-Jaleel. This institute is known for their research of the Palestinian-Israeli conflict and the Sunni-Shia conflict within Iran.
  • The attacker extensively used scripting languages (VBScript, PowerShell, VBA) as part of their attack. These scripts are used to dynamically load and execute VBScript functions retrieved from a Command & Control server.
  • The attacker demonstrates excellent operational security (OPSEC). The attacker was particularly careful to camouflage their infrastructure. During our investigation, the attacker deployed several reconnaissance scripts in order to check the validity of victim machine, blocking systems that don’t meet their criteria. The attacker uses the reputable CloudFlare system to hide the nature and location of their infrastructure. Additionally, the attacker filters connections based on their User-Agent strings, and only enables their infrastructure for short periods of time before blocking all connections.

Read More >>

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.