Saudi Arabia’s National Cyber Security Centre (NCSC), part of the Ministry of Interior, said on Monday that it had detected a new Advanced Persistent Threat (APT) targeting the Kingdom.
The observed malicious activity is a PowerShell-based malware that connects to multiple known-bad domains, the NCSC said in a tweet on Monday.
The malicious PowerShell uses HTTP tunnelling to communicate with its command-and-control domains. The HTTP requests and responses carry data exfiltrated from infected machines or commands to be executed on behalf of the threat actor.
The Saudi centre referred to two techniques observed in the delivery and installation stages: malicious Microsoft Office documents, and compromised websites.
Most of the samples observed were Microsoft Office files containing a macro or a linked object, delivered through spear-phishing emails. The NCSC added that the malicious documents are sometimes compressed in a password-protected RAR file to evade mail protection mechanisms, with the password usually included in the email body.
Some samples were delivered using watering-hole or similar techniques, such as cross-site scripting. In these cases the infection was observed through a compromised legitimate website, from which the user is redirected to a malicious website and asked to download a malicious executable. That file infects the machine with the same VBS and PowerShell scripts.
To detect such malicious activity, the NCSC recommended the following actions in its statement:
• Review proxy logs, SIEM or next-generation firewall logs for query strings in HTTP requests that follow the patterns below:
*.php?c=(Base64 data)
*.aspx?c=(Base64 data)
• HTTP requests to explicit IP addresses with no domain name
• A high volume of HTTP traffic going to a single IP address or domain
• HTTP connections to 148.251.204.131 and 144.76.109.88
• Review the email gateway for emails with password-protected attachments, or Office attachments with macros, that have either been blocked or alerted on
• An increase in PowerShell usage on endpoints and servers
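As an added example (not the NCSC's own tooling, and not code from this article), the following Python script applies the network checks from the list above to a handful of constructed proxy log lines: the `.php?c=` / `.aspx?c=` Base64 query pattern, requests whose host is a bare IP address, connections to the two IPs named in the advisory, and a per-destination request count for the high-volume check. The log line format, the sample lines, the `203.0.113.9` address (a documentation range) and the volume threshold are assumptions made for the illustration.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Destination IPs named in the NCSC advisory.
KNOWN_BAD_IPS = {"148.251.204.131", "144.76.109.88"}

C2_PATH_RE = re.compile(r"\.(?:php|aspx)$", re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Requests to one destination at or above this count are reported as
# "high volume to one IP/domain". Assumed value; tune it to the environment.
VOLUME_THRESHOLD = 5


def looks_like_base64(value):
    """True if value is well-formed standard Base64 of non-trivial length."""
    if len(value) < 8 or len(value) % 4 or not BASE64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def query_params(query):
    """Split a query string without turning '+' into a space (it is Base64 data here)."""
    params = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.append((unquote(key), unquote(value)))
    return params


def parse_line(line):
    """Parse one constructed proxy log line: '<ts> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": parts.hostname or "", "path": parts.path, "query": parts.query}


def check_request(rec):
    """Return the advisory indicators matched by a single request."""
    hits = []
    if rec["host"] in KNOWN_BAD_IPS:
        hits.append("known-bad-ip")
    elif IPV4_RE.match(rec["host"]):
        hits.append("bare-ip-host")
    if C2_PATH_RE.search(rec["path"]):
        if any(k == "c" and looks_like_base64(v) for k, v in query_params(rec["query"])):
            hits.append("c2-query-pattern")
    return hits


def scan(lines, threshold=VOLUME_THRESHOLD):
    """Scan log lines; return per-request findings and hosts at or above the volume threshold."""
    findings = []
    per_host = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        per_host[rec["host"]] += 1
        for hit in check_request(rec):
            findings.append((rec["ts"], rec["client"], rec["host"], hit, rec["url"]))
    volume = {host: n for host, n in per_host.items() if n >= threshold}
    return findings, volume


# Constructed sample log (not real traffic). 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    "2017-11-20T09:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2017-11-20T09:01:10Z 10.0.0.15 GET http://cdn.example.net/x.aspx?c=aGVsbG8gd29ybGQ= 200",
    "2017-11-20T09:01:30Z 10.0.0.22 POST http://203.0.113.9/upload.php?c=dGVzdCBkYXRhIGhlcmU= 200",
    "2017-11-20T09:05:00Z 10.0.0.31 GET http://www.example.com/search.php?c=notb64 200",
] + [
    f"2017-11-20T09:02:{i:02d}Z 10.0.0.22 GET http://148.251.204.131/gate.php?c=Y29tbWFuZA== 200"
    for i in range(6)
]

if __name__ == "__main__":
    findings, volume = scan(SAMPLE_LOG)
    for f in findings:
        print(*f)
    for host, n in volume.items():
        print(f"high volume: {n} requests to {host}")
```

Two practical caveats when porting this to a real SIEM query: proxies often log the URL percent-encoded, so `+` and `=` in the Base64 payload may appear as `%2B` and `%3D` (the script decodes them with `unquote` rather than `unquote_plus`, which would turn `+` into a space and break the check), and a short or URL-safe Base64 variant will not match the strict alphabet used here, so treat the pattern as one indicator to correlate with the bare-IP and volume checks rather than a standalone signature.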
The Saudi centre also recommended the following controls to identify and prevent similar activity:
• Upgrade to PowerShell version 5 and remove older versions.
• Enable Module Logging, Script Block Logging and Transcription Logging in PowerShell version 5.
• Implement application whitelisting throughout the organization, including for PowerShell scripts: allow only the specific scripts you need to run, if any, especially on public-facing servers.
• Prevent the execution of executables and scripts from user-controlled folders such as C:\Users\<Username>, and from temporary folders such as C:\Windows\Temp.
• Use email filtering to scan incoming email and block macro-enabled documents and other malicious file types such as executables, Windows Script Host files and HTA files.
• Implement a File Integrity Monitoring (FIM) solution on the web root of all internet-facing applications, such as web applications, email and VPN portals. It is critical to alert on any unauthorized modification to those servers, as this may indicate a successful attack.