Cyberattackers Are Targeting Middle East Banks Through Malicious Excel Files
FireEye, a US security firm, has disclosed an ongoing investigation into a campaign focusing on several banks in the Middle East, although no serious attacks or data breaches have been reported yet.
According to the company's malware experts, an unknown group is sending highly focused, well-crafted spear-phishing emails to employees of these banks.
The emails are built around technical topics such as server status reports and details of Cisco equipment, and they target the banks' IT staff, probably in order to acquire information about the banks' server infrastructure and internal networks.
The malicious Excel files distribute an info stealer and a password dumper.
All of the emails include an attached Excel file. When downloaded and opened, the file asks the user to enable macro support in order to view its content. Microsoft turned off macro support by default in all Office files more than a decade ago because macros were being used to download and install malware through automated scripts.
If the user does turn on macro support, the attackers took particular care to display some content in the Excel file. This was done to avoid raising any alarm. Most attackers who use macro-based delivery for their malware do not bother to show any real content afterward, which alerts victims that something was odd about the file they just opened.
Besides displaying that content, the macro also runs a VBScript in the background. This script downloads three other files: a BAT file that is run every three minutes by a scheduled task, Mimikatz, and a PowerShell script.
Mimikatz is a "password dumper" application that scrapes Windows memory and extracts passwords in clear text.
The BAT script gathers data about the infected computer. The data it steals includes the most recently logged-on user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes, and other details.
The attackers exfiltrate the stolen data through DNS requests.
Once these two files have collected all of the information, the PowerShell script sends the stolen data to a remote server disguised as DNS requests. The attackers chose DNS because the protocol is whitelisted in almost all enterprise networks and is hardly ever kept under surveillance. A recent version of the NewPosThings PoS malware also used the same DNS exfiltration technique.
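As an added, defender-side illustration (not code from FireEye or from this article): a small Python filter over constructed DNS query log lines that surfaces the pattern described above, where stolen data is carried out as many distinct, long, high-entropy subdomain labels under a single domain. The log format, the domain `c2-placeholder.test`, the hex labels and the thresholds are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log lines: "<timestamp> <client IP> <queried name>".
# The hex labels stand in for chunks of stolen data; example.com queries are benign.
SAMPLE_LOG = """\
2016-05-10T09:12:01 10.20.0.7 www.example.com
2016-05-10T09:12:04 10.20.0.7 intranet-portal.example.com
2016-05-10T09:15:00 10.20.0.7 9f3e2a7b1c8d6e05.h01.c2-placeholder.test
2016-05-10T09:15:01 10.20.0.7 c4d21f7a0e9b38e6.h01.c2-placeholder.test
2016-05-10T09:15:02 10.20.0.7 1a2b3c4d5e6f7081.h01.c2-placeholder.test
2016-05-10T09:15:03 10.20.0.7 7e8f9a0b1c2d3e4f.h01.c2-placeholder.test
2016-05-10T09:18:00 10.20.0.7 www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores higher than words."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive apex extraction (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_exfil_candidates(log_text, min_unique=3, min_label_len=12, min_entropy=3.0):
    """Return {apex_domain: count} for domains that received at least `min_unique`
    distinct leftmost labels that are long and high-entropy (a DNS tunnelling footprint)."""
    labels_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        qname = match.group(3).rstrip(".")
        labels = qname.split(".")
        if len(labels) < 3:          # no subdomain label to inspect
            continue
        labels_by_domain[registered_domain(qname)].add(labels[0])
    flagged = {}
    for domain, labels in labels_by_domain.items():
        # Requiring several distinct odd labels per domain keeps one long benign hostname from firing.
        suspicious = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged[domain] = len(suspicious)
    return flagged
```

A single long label such as `intranet-portal` clears the entropy bar on its own, which is why the check counts distinct suspicious labels per domain rather than alerting on one query.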
The FireEye team said: "Although this attack did not leverage any zero-days or other advanced techniques, it was interesting to see how attackers used different components to perform reconnaissance activities on a specific target. This attack also demonstrates that macro malware is effective even today."
In the last few months, Middle East banks have been under attack from Turkish attackers. We earlier reported on data leaks from the Qatar National Bank and from InvestBank in the United Arab Emirates.
The same group behind that attack also leaked details from the Dutch-Bangla Bank (Bangladesh), The City Bank (Bangladesh), Trust Bank (Bangladesh), Business Universal Development Bank (Nepal), and Sanima Bank (Nepal) on Tuesday, and then from the Commercial Bank of Ceylon (Sri Lanka).