TA402 APT Utilizing IronWind Malware to Target Middle East – 14 November 2023

TA402, recognized as a Middle Eastern advanced persistent threat (APT) group, has launched a new series of targeted phishing campaigns designed to deliver a new initial access downloader, “IronWind”, to government entities in the Middle East.

TA402 used three variations of the infection chain, moving from Dropbox links to XLL file attachments and then to RAR file attachments, likely to evade detection efforts.

The Tactics and Techniques of TA402 APT:

Initial Access:

  • TA402 APT is engaged in a phishing campaign using a compromised Ministry of Foreign Affairs email account to target Middle Eastern government entities.

Execution:

  • The emails use economic-themed social engineering to deliver a Dropbox link, an XLL file attachment, or a RAR file attachment that downloads a malicious Microsoft PowerPoint Add-in (PPAM) file. For example:

    1. Mail subject: “برنامج التعاون الاقتصادي مع دول مجلس التعاون الخليجي 2024-2023” (Economic cooperation programme with the Gulf Cooperation Council countries, 2023-2024).
    2. Mail subject: “تقرير وتوصيات الدورة (110) بخصوص الحرب على غز” (Report and recommendations of session (110) regarding the war on …).
    3. XLL file: “قائمة الأشخاص والكيانات (المصنفة إرهابية) من قبل هيئة مكافحة غسل الأموال وتمويل الإرهاب” (List of persons and entities designated as terrorist by the Anti-Money Laundering and Counter-Terrorist Financing Authority).

  • The PPAM file contains a macro that drops three files into the same directory: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs.
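The three dropped files give defenders a host-side hunting artefact: a copy of timeout.exe outside the Windows system directories with a version.dll sitting beside it is the sideloading layout the advisory describes. The script below is an added example written for this advisory, not EG-FinCIRT's or TA402's code. It walks a directory tree and reports every such pair, rating a hit higher when gatherNetworkInfo.vbs is also present; the legitimate system paths it whitelists and the sample tree built in demo() are constructed assumptions.

```python
"""Added example: hunt for the IronWind sideloading layout on disk.

Not EG-FinCIRT's code. It reports directories that hold timeout.exe next to
version.dll (the sideloaded IronWind) outside the normal Windows system
directories, and notes whether gatherNetworkInfo.vbs is present as well.
The whitelisted paths and the sample tree in demo() are constructed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# File names as listed in the advisory's description of the PPAM macro's drops.
SIDELOAD_HOST = "timeout.exe"
SIDELOAD_DLL = "version.dll"
SUPPORT_SCRIPT = "gathernetworkinfo.vbs"   # compared case-insensitively

# Assumed legitimate homes for the genuine Windows timeout.exe / version.dll pair.
LEGIT_PARENTS = ("windows\\system32", "windows\\syswow64", "windows\\winsxs")


def is_legit_location(directory: Path | str) -> bool:
    """True when the directory is a normal location for the signed Windows binaries."""
    low = str(directory).lower().replace("/", "\\")
    return any(parent in low for parent in LEGIT_PARENTS)


def find_sideload_candidates(root: Path) -> list[dict]:
    """Walk `root` and report directories holding timeout.exe next to version.dll.

    Each hit records the directory, whether the VBS helper is also present,
    and a simple severity so analysts can triage the full triad first.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        names = {f.lower() for f in files}
        if SIDELOAD_HOST not in names or SIDELOAD_DLL not in names:
            continue
        if is_legit_location(directory):
            continue  # the genuine pair in System32 is expected, not a finding
        has_script = SUPPORT_SCRIPT in names
        hits.append({
            "directory": str(directory),
            "has_vbs": has_script,
            "severity": "high" if has_script else "medium",
        })
    return hits


def demo() -> list[dict]:
    """Build a constructed directory tree and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "Windows/System32": [SIDELOAD_HOST, SIDELOAD_DLL],  # legitimate pair
            "Users/analyst/AppData/Local/Temp/ppam": [SIDELOAD_HOST, SIDELOAD_DLL, "gatherNetworkInfo.vbs"],
            "ProgramData/cache": [SIDELOAD_HOST, SIDELOAD_DLL],  # pair without the VBS
            "Users/analyst/Downloads": [SIDELOAD_DLL],           # DLL alone, no host binary
        }
        for rel, names in layout.items():
            d = root / rel
            d.mkdir(parents=True)
            for n in names:
                (d / n).write_bytes(b"constructed placeholder, not the real file")
        hits = find_sideload_candidates(root)
        # Report paths relative to the scanned root so output is stable.
        for h in hits:
            h["directory"] = Path(h["directory"]).relative_to(root).as_posix()
        return sorted(hits, key=lambda h: h["directory"])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['severity']:6} {hit['directory']}  vbs={hit['has_vbs']}")
```

Point find_sideload_candidates() at user-writable roots (profile directories, ProgramData, temp folders) rather than the whole drive; the System32 exclusion exists only so the genuine binaries are not reported.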

Command and Control:

  • timeout.exe is used to sideload IronWind (the dropped version.dll); IronWind then sends an HTTP GET request to a known TA402 C2 domain.
  • The C2 responds with shellcode, the third stage of the infection chain, which uses reflective .NET loaders to run WMI queries and download the fourth stage: a .NET executable built on SharpSploit, a .NET post-exploitation library written in C#.
  • The .NET executable continues to exchange HTTPS POSTs and GETs with the C2 server, receiving JSON responses and downloading additional shellcode payloads; it authenticates to the C2 with a custom User-Agent string, “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:) Gecko/Firefox/3.15”.
  • The last-stage payload contains unused code, which TA402 may use later for further updates and adjustments to the malware.
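
The custom User-Agent is the most portable network indicator in this chain, because proxy and TLS-inspection logs record it even when the C2 domain rotates. The script below is an added example, not EG-FinCIRT's code, that scans constructed proxy log lines for that User-Agent. Besides the exact string from the advisory, it checks two structural oddities of the string that a minor variant would likely keep: the rv: token carries no version, and the Gecko token lacks the build date that real Firefox User-Agents include. The log format, hostnames, IP addresses and sample lines are constructed for the example.

```python
"""Added example: flag the IronWind C2 User-Agent in web-proxy logs.

Not EG-FinCIRT's code. The exact User-Agent is the one reported in the
advisory; the pipe-separated log format, the hostnames and the sample
lines are constructed so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exact string from the advisory.
IRONWIND_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:) Gecko/Firefox/3.15"

# Structural checks so a lightly modified variant is still caught.
EMPTY_RV = re.compile(r"\brv:\)")              # "rv:" closed with no version inside
BARE_GECKO = re.compile(r"Gecko/Firefox/")     # genuine UAs read "Gecko/20100101 Firefox/x"
FIREFOX_VER = re.compile(r"Firefox/(\d+(?:\.\d+)?)")

# Constructed proxy log, fields separated by " | ":
# timestamp | client_ip | method | url | status | user_agent
SAMPLE_LOG = """\
2023-11-14T09:01:12Z | 10.1.2.3 | GET | https://www.example.org/ | 200 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
2023-11-14T09:02:40Z | 10.1.2.57 | GET | https://c2.invalid/api/ | 200 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:) Gecko/Firefox/3.15
2023-11-14T09:02:41Z | 10.1.2.57 | POST | https://c2.invalid/api/ | 200 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:) Gecko/Firefox/3.15
2023-11-14T09:03:05Z | 10.1.2.8 | GET | https://update.example.net/ | 304 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:) Gecko/Firefox/3.16
2023-11-14T09:04:00Z | 10.1.2.9 | GET | https://www.example.com/ | 200 | curl/8.4.0
"""


@dataclass
class Alert:
    timestamp: str
    client_ip: str
    url: str
    reasons: tuple[str, ...]


def classify_user_agent(ua: str) -> tuple[str, ...]:
    """Return the reasons a User-Agent looks like the IronWind C2 client (empty if clean)."""
    reasons = []
    if ua == IRONWIND_UA:
        reasons.append("exact IronWind UA")
    if EMPTY_RV.search(ua):
        reasons.append("empty rv: token")
    if BARE_GECKO.search(ua):
        reasons.append("Gecko token without build date")
    m = FIREFOX_VER.search(ua)
    if m and ua.startswith("Mozilla/5.0") and int(m.group(1).split(".")[0]) < 10:
        reasons.append(f"implausibly old Firefox/{m.group(1)}")
    return tuple(reasons)


def scan_log(text: str) -> list[Alert]:
    """Parse the constructed log format and return one Alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(" | ", 5)]
        if len(fields) != 6:
            continue  # malformed line; a production parser would count these
        ts, ip, _method, url, _status, ua = fields
        reasons = classify_user_agent(ua)
        if reasons:
            alerts.append(Alert(ts, ip, url, reasons))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.client_ip} {a.url} :: {', '.join(a.reasons)}")
```

Requests matching only the structural checks (such as the Firefox/3.16 line) are worth a second look rather than an automatic block; the exact-string match is the high-confidence signal, and the other reasons exist to catch a recompiled variant.
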

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s constituents.

Mitigations

  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL and IP-based IOCs at the organization’s security devices.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • If remote access is required, use a VPN configured according to vendor best practices, with multi-factor authentication, password audits, precise access control, and active monitoring of remote access sessions.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Use sandbox technology to inspect URLs, e-mail attachments, and downloaded files.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and associated files are up to date.
  • Implement application whitelisting, so that systems only execute programs known to and permitted by the organization’s security policy.
  • Back up your data to multiple backup destinations, including tape drives.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Install updates/patches for operating systems, software, and firmware as soon as they are released.