Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.
By: Peter Girnus, Aliakbar Zahravi | January 17, 2023
While threat hunting, we found an active campaign using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign we have labeled Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
NjRAT (also known as Bladabindi) is a remote access trojan (RAT) first discovered in 2013. It is primarily used to gain unauthorized access to and control over infected computers and has been used in various cyberattacks targeting individuals and organizations in the Middle East. Users and security teams are advised to keep their systems' security solutions updated and their respective cloud infrastructures properly secured to defend against this threat.
Routine
The malicious file is hidden inside a Microsoft Cabinet (CAB) archive masquerading as a sensitive audio file, named using a geopolitical theme as a lure to entice victims to open it. The distribution mechanism could be social media (Facebook and Discord appear to be favored in these campaigns), file sharing (OneDrive), or a phishing email. The malicious CAB file contains an obfuscated VBS (Visual Basic Script) dropper responsible for delivering the next stage of the attack.
Once the malicious CAB file is downloaded and opened, the obfuscated VBS script runs and fetches the next stage from a compromised or spoofed host. It then retrieves a PowerShell script responsible for injecting NjRAT into the victim's machine.
Use of Middle Eastern Geopolitical Themes as Lures
The initial CAB files have exceptionally low detection rates on VirusTotal (SHA256: a7e2b399b9f0be7e61977b51f6d285f8d53bd4b92d6e11f74660791960b813da and 4985b6e286020de70f0b74d457c7e387463ea711ec21634e35bc46707dfe4c9b), which allows the attackers to remain undetected and spread their attack across the region. The group behind the campaign uses public cloud hosting services to host the malicious CAB files and uses themed lures to entice Arabic speakers into opening the infected file.
One of the malicious CAB files' filenames translates to "A voice call between Omar, the reviewer of the command of Tariq bin Ziyad's force, with an Emirati officer.cab". The attacker uses the lure of a supposedly sensitive voice call between an Emirati military officer and a member of the Tariq bin Ziyad (TBZ) Militia, a powerful Libyan faction. The file lures victims in the region into opening it by insinuating a false link between the UAE and a group associated with war crimes, appealing to political interests and emotions. These lures are consistent with a campaign disclosed in December 2022 that used Facebook advertisements on spoofed Middle Eastern news outlets' pages, which were shared and pushed to other users by unsuspecting mules.
This malicious CAB file contains an obfuscated VBS script that functions as the agent responsible for delivering the next payload. When a victim opens the malicious CAB file and runs the VBS file, the second stage payload is retrieved.
Delivering the PowerShell Payload
The second stage payload is an obfuscated VBS script file masquerading as an image file (SHA256: 6560ef1253f239a398cc5ab237271bddd35b4aa18078ad253fd7964e154a2580). When this malicious file is run, a malicious PowerShell script is retrieved.
The domain delivering the malicious PowerShell script is an infected or spoofed host with documented affiliations with the Libyan Army, and a quick check on the domain gpla[.]gov[.]ly shows it was registered in 2019.
Similar campaigns have involved the creation, use, and abuse of fake social media accounts claiming to belong to reputable organizations in order to serve unsuspecting victims advertisements with links to public cloud sharing platforms hosting malicious payloads. This allows the threat actors to:
We also noted that the domain gpla[.]gov[.]ly has a history of compromise going back to at least 2021.
Second stage Dropper Overview
The second stage dropper (SHA256: 78ac9da347d13a9cf07d661cdcd10cb2ca1b11198e4618eb263aec84be32e9c8) is an obfuscated PowerShell script that drops five files in total: two binaries, a VBS script, a PowerShell script, and a Windows batch script.
Each module has the following functionality:
Upon execution, the second stage dropper kills the following .NET-related processes on the infected system. Afterwards, KxFXQGVBtB.ps1 executes aspnet_compiler.exe in conjunction with the process injector to inject NjRAT.
[Reflection.Assembly]::Load($MyS).GetType('NewPE2.PE').'GetMethod'('Execute').Invoke($null,{[OBJECT[]]}, ($JKGHJKHGJKJK,$serv));
The dropper further drops "rYFFCeKHlIT.bat" in C:\Users\Public and creates a directory called "WindowsHost" in C:\ProgramData to store the VBScript file "gJhkEJvwBCHe.vbs". On deobfuscation, gJhkEJvwBCHe.vbs runs the rYFFCeKHlIT.bat file, which is responsible for executing another PowerShell script called "KxFXQGVBtB.ps1" with the PowerShell execution policy bypass flag.
"KxFXQGVBtB.ps1" is the final PowerShell dropper responsible for loading the NjRAT binary into memory and injecting it into the legitimate .NET binary "aspnet_compiler.exe" via the process injector. The PowerShell script uses the [Reflection.Assembly]::Load method to load the process injector ($MyS) into memory. It then invokes a method called 'Execute' with two parameters. The first parameter is the full path to the PE file to inject ("C:\Windows\Microsoft.NET\Framework
The following snippet demonstrates the process injector functions. The file has been obfuscated via SmartAssembly:
The final payload of this campaign is NjRAT, allowing attackers to conduct a myriad of intrusive activities on infected systems such as stealing sensitive information, taking screenshots, getting a reverse shell, process, registry and file manipulation, uploading/downloading files, and performing other operations.
The dropper achieves persistence on an infected system by pointing the Startup entries of the "User Shell Folders" and "Shell Folders" registry keys at the directory C:\ProgramData\WindowsHost, so that the contents of that directory are treated as the user's startup folder.
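The following hunting script is an added example, not code from the Trend Micro report. It checks a Windows host for the three artifacts the dropper chain above leaves behind: a Startup folder redirected via the "User Shell Folders"/"Shell Folders" keys, the dropped file paths named in the report, and aspnet_compiler.exe running under a PowerShell parent. The default Startup paths and the output format are my own assumptions.

```powershell
# Added hunting script (not from the report). Artifact names and paths come
# from the report; the expected default Startup locations are assumed here.
$expectedStartup = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)
$findings = @()

# 1. Startup folder redirected away from its default location
foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'Startup', 'Common Startup') {
        $raw = $props.$name
        if (-not $raw) { continue }
        # "User Shell Folders" values are REG_EXPAND_SZ; expand before comparing
        $value = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
        if ($expectedStartup -notcontains $value) {
            $findings += "Startup redirected: $key\$name = $value"
        }
    }
}

# 2. Dropped artifacts named in the report
foreach ($path in 'C:\ProgramData\WindowsHost', 'C:\Users\Public\rYFFCeKHlIT.bat') {
    if (Test-Path -LiteralPath $path) { $findings += "Artifact present: $path" }
}

# 3. aspnet_compiler.exe spawned by PowerShell (the injection host in this chain)
Get-CimInstance Win32_Process -Filter "Name = 'aspnet_compiler.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    if ($parent -and $parent.Name -match '^(powershell|pwsh)\.exe$') {
        $findings += "aspnet_compiler.exe (PID $($_.ProcessId)) spawned by $($parent.Name) (PID $($parent.ProcessId))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Earth Bogle artifacts found.' }
```

Run it from an elevated PowerShell session so the HKLM keys and other users' processes are readable; a redirected Startup entry should be verified by hand before remediation, since legitimate folder redirection policies also change these values.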
Conclusion
This case demonstrates that threat actors will leverage public cloud storage as malware file servers, combined with social engineering techniques appealing to people's sentiments, such as regional geopolitical themes, to infect targeted populations. Furthermore, governments weakened by regional conflict are at higher risk of compromise, as threat actors and advanced persistent threat (APT) groups can compromise and use government infrastructure in targeted campaigns. This is compounded by the ability to share cloud storage content via advertising and social media, presenting an opportunity for threat actors and APT groups to reach a wider infection radius.
Organizations can protect themselves by remaining vigilant against phishing attacks and skeptical of sensational topics and themes abused online as lures. Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risk of compromise is high. Security teams should be aware of the dynamic nature of conflict zones when considering their security posture. Organizations can also consider a cutting-edge, multilayered defensive strategy that can detect, scan, and block malicious URLs.
Indicators of Compromise (IOCs)
Download the full list of IOCs here.