FireEye has recently revealed a wave of cyberattacks against banks in the Middle East. FireEye’s Dynamic Threat Intelligence (DTI) identified emails containing malicious attachments being sent to multiple banks in the region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the activity stood out because it used custom scripts not commonly seen in crimeware campaigns.
The attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees working in the banking sector in the Middle East. The messages were themed around IT infrastructure, such as a “Server Status Report” log or a list of Cisco IronPort appliance details. In one case, the content of the email appeared to be a legitimate conversation between several employees, complete with contact details of staff at several banks. This thread was then forwarded to several people with the malicious Excel file attached, lending the attachment the credibility of an ongoing discussion.
Office documents containing malicious macros are commonly used in crimeware campaigns. Because default Office settings require user action before macros run, attackers try to convince victims to enable them, typically by claiming the macro is needed to view “protected content”. One of the interesting techniques FireEye observed in this attack was the display of additional content after the macro executed successfully. This was done for social-engineering purposes: to convince the victim that enabling the macro really did “unhide” additional spreadsheet data. In most crimeware campaigns no additional content appears after macros are enabled, which can make a victim suspicious after the fact. Here the attackers took the extra step of shipping the workbook with its data sheets hidden and having the macro unhide them, so that enabling content produced exactly what the lure promised.
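The “hide, then unhide on macro execution” pattern leaves a fingerprint that can be checked without ever opening the file in Excel: a workbook that ships with a VBA project and with worksheets in the hidden or veryHidden state (veryHidden sheets cannot be unhidden from the Excel UI at all, only from VBA). The following is an added triage example, not FireEye’s code or anything from the campaign. It reads the OOXML container (.xlsm) with the standard library only; the campaign’s attachments were legacy binary XLS, which would instead need a BIFF-aware tool such as oletools’ olevba. The sample workbooks are constructed in memory and contain only the parts the check reads, so they are not openable in Excel; the sheet names echo the lure themes from the article.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN_NS}


def triage_workbook(blob: bytes) -> dict:
    """Inspect an OOXML workbook (.xlsx/.xlsm) without opening it in Excel.

    Reports whether a VBA project is embedded and which worksheets are hidden.
    A 'veryHidden' sheet is only reachable from VBA, which is exactly where a
    lure parks the 'protected content' its macro later reveals.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        parts = set(z.namelist())
        root = ET.fromstring(z.read("xl/workbook.xml"))
    # <sheet state="hidden|veryHidden"> ; a missing state attribute means visible.
    sheets = {
        s.get("name"): s.get("state", "visible")
        for s in root.findall("m:sheets/m:sheet", NS)
    }
    has_vba = "xl/vbaProject.bin" in parts
    hidden = [name for name, state in sheets.items() if state in ("hidden", "veryHidden")]
    return {
        "has_vba": has_vba,
        "sheets": sheets,
        "hidden": hidden,
        # Macro present AND content parked out of sight: the lure shape described above.
        "suspicious": has_vba and bool(hidden),
    }


def build_sample(sheets, with_vba: bool) -> bytes:
    """Construct a minimal zip holding only the parts triage_workbook reads.

    Constructed test input: NOT a complete, Excel-openable workbook.
    `sheets` is a list of (name, state) with state None for a visible sheet.
    """
    rows = []
    for i, (name, state) in enumerate(sheets, start=1):
        state_attr = f' state="{state}"' if state else ""
        rows.append(f'<sheet name="{name}" sheetId="{i}"{state_attr} r:id="rId{i}"/>')
    workbook_xml = (
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
        f'<sheets>{"".join(rows)}</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed samples: a lure whose 'report' sheet is veryHidden behind a macro,
# and an ordinary macro-free workbook with every sheet visible.
LURE = build_sample([("Enable Content", None), ("Server Status Report", "veryHidden")], with_vba=True)
BENIGN = build_sample([("Sheet1", None), ("Sheet2", None)], with_vba=False)

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_workbook(blob))
```

Hidden sheets alone are common in legitimate workbooks (lookup tables, configuration), so the check only raises the flag when a VBA project is present as well; in a mail gateway pipeline this is a cheap first filter before handing the file to a sandbox.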
Another interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration channel. This was likely done because DNS is required for normal network operations: outbound DNS is rarely blocked, so data encoded into query names leaves the network freely, and a stream of lookups is unlikely to raise suspicion among defenders who do not inspect query names or volumes.
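To make the channel concrete, here is an added example of how data is carried in DNS query names and how the same traffic looks to a defender reading resolver logs. It is illustrative code written for this page, not FireEye’s reconstruction of the malware; the article does not describe the actual encoding the attackers used. The attacker zone `updates.example.net`, the log line format and the “zone = last two labels” grouping are all assumptions made for the example (a production detector would group by the Public Suffix List).

```python
import base64
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full presentation-form name is at most 253 characters


def encode_exfil(data: bytes, domain: str, chunk_len: int = 30) -> list:
    """Split data into numbered chunks and return one query name per chunk.

    Base32 rather than base64: DNS names are case-insensitive and resolvers may
    fold case, which would corrupt a mixed-case alphabet. Padding is stripped
    because '=' is not a valid hostname character; decode_exfil re-adds it.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_len)):
        chunk = data[offset:offset + chunk_len]
        b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([str(seq), *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_len too large for this domain")
        names.append(name)
    return names


def decode_exfil(names, domain: str) -> bytes:
    """Reassemble the payload from query names, tolerating reordering and duplicates."""
    suffix = "." + domain.lower()
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, _, payload = name[: -len(suffix)].partition(".")
        b32 = payload.replace(".", "").upper()
        b32 += "=" * (-len(b32) % 8)
        chunks[int(seq)] = base64.b32decode(b32)
    return b"".join(chunks[k] for k in sorted(chunks))


# Assumed log format: "<timestamp> <client-ip> <queried-name>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")


def find_exfil_candidates(log_lines, min_unique: int = 20, min_avg_sub_len: int = 40) -> dict:
    """Flag zones receiving many distinct, long subdomains: the shape of chunked exfiltration.

    Zone is approximated as the last two labels; real detectors use the Public Suffix List.
    """
    by_zone = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = m["qname"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        by_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in by_zone.items():
        avg = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg >= min_avg_sub_len:
            flagged[zone] = {"unique_subdomains": len(subs), "avg_subdomain_len": round(avg, 1)}
    return flagged


# Constructed sample: a harvested 'appliance inventory' leaving via the hypothetical zone,
# mixed with a few ordinary lookups from another workstation.
EXFIL_DOMAIN = "updates.example.net"
SAMPLE_REPORT = ("host=ironport-01;role=mail-gateway;" * 20).encode()
EXFIL_NAMES = encode_exfil(SAMPLE_REPORT, EXFIL_DOMAIN)
SAMPLE_LOG = [f"2016-05-10T09:14:{i % 60:02d}Z 10.0.0.15 {n}" for i, n in enumerate(EXFIL_NAMES)]
SAMPLE_LOG += [f"2016-05-10T09:15:00Z 10.0.0.21 {h}"
               for h in ("www.example.com", "mail.example.com", "intranet.example.com")]

if __name__ == "__main__":
    print(EXFIL_NAMES[0])
    print(find_exfil_candidates(SAMPLE_LOG))
```

Two properties of the channel follow directly from the code: the payload must be restricted to the hostname alphabet (hence base32 and the stripped padding), and every chunk has to be a *distinct* name or caching resolvers will answer it locally and never forward it. That second property is what the detector keys on, since a legitimate zone rarely receives dozens of never-before-seen, 50-character subdomains from one client in a short window.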
The rise of the region as a hub for banking and finance has made it a tempting target for cyber attackers. Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how the attackers combined ordinary components (a plausible email thread, a macro lure that delivers on its promise, and a DNS-based exfiltration channel) to perform reconnaissance against a specific target. It also demonstrates that macro malware remains effective today. Users and administrators can protect themselves by disabling Office macros, or permitting only digitally signed ones, and by being more vigilant when prompted to enable macros in documents, even when those documents arrive from seemingly trusted sources.