Targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the fall of 2015.
The campaign targets a wide range of verticals in Japan with the intent to steal confidential data. The group behind the operation is suspected to operate out of China and has been in operation since at least 2012. The group uses multiple avenues to infect their victims including spear-phishing, compromised websites, and zero-day vulnerabilities.
The campaign uses a malicious Word document that leverages the Microsoft Office Dynamic Data Exchange (DDE) technique to bypass network defenses. Regardless of whether macros are enabled, the use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim's system.
The campaign infects systems with the FALLCHILL malware and uses multiple proxies to obfuscate network traffic. The goal of the attacks is to gain sensitive information, including operating system information, system name, and other details about the compromised computer.
The attacks targeted victims in the United States and the Middle East in an attempt to steal sensitive information. The group behind the campaign used fake documents claiming to be from the NSA in spear-phishing emails to convince victims to open the malicious attachments.
The campaign uses the Volgmer malware to perform various tasks, including stealing information about the compromised host as well as terminating processes and uploading/downloading files. The group has been using the malware since at least 2013, targeting a wide range of sectors.
The multiple campaigns attacked various financial organizations around the world in 2016 and 2017. The threat actors behind the operation used a variety of tools, including Metasploit and PowerShell, to carry out the attacks, which resulted in the theft of millions of dollars.
The campaign's main focus was targets in South Asia and China in an attempt to steal confidential data. The operation mainly used spear-phishing emails to infect its victims with a variety of malware, including xRAT, NDiskMonitor, Socksbot, Badnews, Taskhost Stealer, and Wintel Stealer.
The campaign targeted Triconex Safety Instrumented System (SIS) controllers at a critical infrastructure organization in the Middle East in an attempt to modify the safety devices. The operation was first discovered in November 2017 and is reported to be the first malware to target safety systems in the ICS sector.