Breaking News

Spear phishing campaign targeted Saudi Arabia Government organizations

Security researchers at MalwareBytes have uncovered a spearphishing campaign that targeted Saudi Arabia Government organizations.

Security experts at MalwareBytes have spotted a new spear phishing campaign that is targeting Saudi Arabia governmental organizations.

According to the experts, the campaign already targeted about a dozen Saudi agencies. Attackers used weaponized Word document and tricked victims into opening them and enabling macros.

The document is in Arabic language, if the victim opens it up, it will be infected and the phishing document is sent to their contact via Outlook inbox.

The malicious payload is embedded in the macro as Base64 code and leverages the certutil application for decoding into a PE file that is finally executed.

The binary dropped on the infected machine is coded in .NET and its code is encrypted but not obfuscated. The malware was designed to steal information from the victims and upload it to a remote server.

“Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs” reads the analysis published by MalwareBytes.

The malicious code gains persistence via the Task Scheduler.

MalwareBytes is still monitoring the campaign and plans to provide further information in the future.

I suggest reading the analysis that also includes the IoCs.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Saudi Arabia Government, spear phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: cyber espionageHackingmalwarePierluigi PaganiniSaudi Arabia GovernmentSecurity Affairsspear phishing
7 years ago

Recent Posts

FIN7 targeted a large U.S. carmaker with phishing attacks

BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…

5 hours ago

Law enforcement operation dismantled phishing-as-a-service platform LabHost

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…

10 hours ago

Previously unknown Kapeka backdoor linked to Russian Sandworm APT

Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…

15 hours ago

Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available

Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…

17 hours ago

Linux variant of Cerber ransomware targets Atlassian servers

Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…

1 day ago

Ivanti fixed two critical flaws in its Avalanche MDM

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…

2 days ago

This website uses cookies.