Middle East Supply Chain Attacks
Since July 2020, the Zscaler ThreatLabZ team has observed an increase in targeted attacks against multiple supply chain-related organizations in the oil and gas sector in the Middle East. The attack chain starts with a malicious email containing links to legitimate file sharing sites, which host a ZIP file. The ZIP file contains a Windows .NET executable that, once launched, decrypts and loads the AZORult malware. Once installed, the malware performs a series of checks to ensure it is not running inside a malware sandbox; many of these checks search registry and hardware information, and file paths, for common virtualization names. The final payload exfiltrates data via HTTP POST requests to attacker-owned command and control servers.
Currently, researchers do not know who is performing the attacks, since AZORult is commercially available malware. However, they assess with high confidence that the attacks are highly targeted at these supply chains.
Sources:
Indicators of Compromise:
- Scheduled Task Names
- Naming Convention: “Updates\<random_string>”
- Updates\YJSlNpkH
- Updates\WWOsRUUn
- Updates\NcojkRtJmDPru
- XML File Names
- Scheduled tasks are created using dropped XML files with random names in the %temp% directory.
- C:\Users\user\AppData\Local\Temp\tmp9AA2.tmp
- C:\Users\user\AppData\Local\Temp\tmp23B7.tmp
- C:\Users\user\AppData\Local\Temp\tmp24CC.tmp
- File Hashes
- PDF Hashes
- e368837a6cc3f6ec5dfae9a71203f2e2
- 741f66311653f41f226cbc4591325ca4
- fe928252d87b18cb0d0820eca3bf047a
- 8fe5f4c646fd1caa71cb772ed11ce2e5
- d8e3637efba977b09faf30ca49d75005
- c4380b4cd776bbe06528e70d5554ff63
- 34cae3ae03a2ef9bc4056ca72adb73fc
- 363030120a612974b1eb53cc438bafcb
- 2710cc01302c480cd7cd28251743faf0
- 1693f1186a3f1f683893b41b91990773
- 7a016c37fa50989e082b7f1ca2826f04
- 709895dd53d55eec5a556cf1544fc5b9
- 5d9ed128316cfa8ee62b91c75c28acd1
- c2ac9c87780e20e609ba8c99d736bec1
- 269cfd5b77ddf5cb8c852c78c47c7c4c
- 653f85816361c108adc54a2a1fadadcf
- 6944f771f95a94e8c1839578523f5415
- 8e5c562186c39d7ec4b38976f9752297
- 3d019ede3100c29abea7a7d3f05c642b
- 67f178fd202aee0a0b70d153b867cb5e
- 39598369bfca26da8fc4d71be4165ab4
- 70a92fdba79eaca554ad6740230e7b9a
- 9db3d79403f09b3d216ee84e4ee28ed3
- bafdeef536c4a4f4acef6bdea0986c0b
- 8d7785c8142c86eb2668a3e8f36c5520
- 653e737fd4433a7cfe16df3768f1c07e
- ebdcb07d3de1c8d426f1e73ef4eb10f4
- d258ba34b48bd0013bfce3308576d644
- a74c619fd61381a51734235c0539e827
- 6f1bd3cb6e104ed6607e148086b1e171
- cf04d33371a72d37e6b0e1606c7cd9a2
- ede5fa9b9af1aeb13a2f54da992e0c37
- 5321cd5b520d0d7c9100c7d66e8274e1
- de521f9e4bc6e934bb911f4db4a92d36
- 36e5726399319691b6d38150eb778ea7
- 1c5cb47fd95373ade75d61c1ae366f8b
- b7b41d93709777780712f52a9acf7a26
- 62a05b00c7e7605f7b856c05c89ee748
- b520f4f9d87940a55363161491e69306
- 40c1156d98c39ac08fd925d86775586d
- f2319ddb303c2a5b31b05d8d77e08b4e
- 24e67f40ccb69edb88cc990099ef2ffe
- 54fc7650a8b5c1c8dc85e84732a6d2c7
- 9cf615982d69d25b1d0057617bd72a95
- e9dfa14e4f6048b6f3d0201b2f3c62fe
- abab000b3162ed6001ed8a11024dd21c
- 5c857bf3cf52609ad072d6d74a4ed443
- 73ddf9f8fc3dc81671ea6c7600e68947
- 3510cbf8b097e42745cfb6782783af2b
- 694a6568b7572125305bdb4b24cebe98
- 7fa5028f2394dcea02d4fdf186b3761f
- 2260d015eacdc14e26be93fbc33c92aa
- d51d5e4c193617fa676154d1fe1d4802
- 912dbb9e0400987c122f73e0b11876c0
- 0f4cd9e8111d4eeda89dbe2ce08f6573
- d03fb3e473bd95c314987a1b166a92ed
- 549a06cb43563dad994b86e8f105323a
- 80149a26ee10786d6f7deaf9fb840314
- c7ced41f38b2d481d1910663a14fbec4
- 3ce6cc6dee4563eb752e55103cdb84d4
- ZIP Hashes
- 6d0241bc7d4a850f3067bc40124b3f52
- cdfde809746759074bcd8ba54eb19ccd
- 40b5976eb7ddd1d372e34908f74ba0c4
- 93c8ed2915d8a3ff7285e0aa3106073e
- 2b719eeca275228fbead4c1d3016b8e4
- EXE Hashes
- 42aec0b84a21fa36fc26b8210c197483
- 02ae44011006e358a3b1ccbd85ba01f2
- 131772a1bb511f2010da66c9c7dca32f
- 7860c138e3b8f40bfb6efec08f4a4068
- 3bcbe4d2951987363257a0612a107101
- 328aa4addb7e475c3721e2ae93391446
- 84e7b5a60cd771173b75a775e0399bc7
- 3c83b0fe45e15a2fd65ed64a8e1f65e9
- f626e64f57d3b8c840a72bbfbe9fb6ca
- fcf7a9b93cffddf0a242a8fc83845ee3
- Unpacked File Hashes
- 0988195ab961071b4aa2d7a8c8e6372d – Aphrodite
- Ae5f14478d5e06c1b2dc2685cbe992c1 – Jupiter
- 38360115294c49538ab15b5ec3037a77 – Azorult
- Email Address
- Salessigma87@gmail[.]com
- ZIP Hosted URLs
- hxxps://we[.]tl/t-lBcWz3Rcbs
- hxxps://mega[.]nz/#!Ov41xapb!M-COPorpfcQ7j1G61afFVruLbDVwzNfujRIwERqlIQw
- hxxps://we[.]tl/t-P2Lt34YUcf
- hxxps://we[.]tl/t-7XwI9xNjQj
- hxxps://we[.]tl/t-AgAdhMTWIm
- hxxps://mega[.]nz/file/fkImWKab#zvyeMmsYgGiu-hK-FT0o4OBozg0r4gWPRUtAr6iRvwM
- hxxps://we[.]tl/t-utJr50o6uf
- hxxp://bit[.]ly/32qQFah
- hxxps://mega[.]nz/file/zsIB2aLK#pyTNpp8H4pZhpq0i7w0OB8itu3Rj_02n9BksARDrlzc
- hxxps://mega[.]nz/#!nrozSBoL!Pc5ApemPW46RC8b0kgiTIyuIa0MnQV9GDUPXGK8__LM
- hxxps://we[.]tl/t-TbbBN9VnEZ
- hxxps://mega[.]nz/#!KuRElKZT!5F_FfxkyPI7tvJ-mnL7LppAU5X5wA1XbpTM-z8DpVB8
- hxxps://mega[.]nz/file/q55WVIKB#zm3CTH6XEv63mwacATKpo2AMe7yjFmp-KpQXUBkhZJ4
- hxxp://bit[.]ly/3a3CwSX
- hxxps://we[.]tl/t-MFcMWYK7HL
- hxxps://mega[.]nz/#!Tmw0EK5Q!zSLa_Ell7Ti5sz-ca-plgqc4vZM7S813Hb9Yk5Jk81Y
- hxxps://we[.]tl/t-0NlciPHf5y
- hxxps://mega[.]nz/#!y6w1BAqS!DMfA221sRvIyqVqPNhsKMZEAtBNkjY_jLUWEmCpxMfo
- hxxps://mega[.]nz/#!j2JSwQYb!LaAP2L2WBKLU3DlR6BViQxZ4b8fsmt53Hl3RKHMfb4w
- hxxps://mega[.]nz/file/Ptp1CL6R#EvbG9Gh435cDmmXXyU1_l4dM3Bq9fP2B8VdjirGiK_c
- hxxps://we[.]tl/t-feLBFQVV1P
- hxxps://we[.]tl/t-ad5X6peqHj
- hxxps://www[.]dropbox[.]com/s/cym2723azwnb364/ADNOC%202020%20REQUEST%20FOR%20QUOTATION-REQUEST%20FOR%20TENDER%20CODE%2076384_pdf[.]zip?dl=0
- hxxps://we[.]tl/t-uwwupT1WNc
- hxxps://mega[.]nz/#!K6xgGCYJ!1cJY91IlILLrGGrDVVrkbb7vNRKL9CAFD4tB9_jP8ts
- hxxps://mega[.]nz/#!yrBGmQBA!EhgekpU4VUafMvfJKlNVFej1KsgxYWv1mfzCKXejjEc
- hxxps://we[.]tl/t-ZcyzrvcBkP
- hxxps://mega[.]nz/file/GpB3VIyS#3-tKCJ8d-y782IN0570wHMMKQ244ttzBRpUmFXh6LZQ
- hxxps://mega[.]nz/#!OvJFjQaY!UBgEDtTE_Gn4B4vYrn-d7rYeO5CBMTxt83NyXQGWh0E
- hxxps://mega[.]nz/file/G5YmjCYJ#jvqrZX2ZLXn3SAI9nzf8w6mWtxTM4_fwx7VzHdqzfqM
- hxxps://mega[.]nz/#!zygWnKAS!5kp8IWNec2HK-YPK2gk-hmLa416PZLtr6VpbNZediSk
- hxxps://mega[.]nz/#!uu40wQxJ!HXlLJw7KDJgqnpwCzgrnBt9vu_W1-FZlSIvn0JU5rDw
- hxxps://mega[.]nz/#!66hWzACL!_6klTwfD-JaSkwjWrKRIBqX1ghXr-SZGk1Utc2-VJPc
- hxxps://www[.]aljaber-llc[.]com/projects/files/ALJABER-RFQ-38982254237312018-848000071984-04-23-Rev-1[.]1[.]zip
- hxxps://we[.]tl/t-cJa4jY9Egz
- hxxps://we[.]tl/t-Out44emJ9t
- hxxps://we[.]tl/t-QuCLQY3cTh
- hxxps://we[.]tl/t-nMKuKWbMlE
- hxxps://mega[.]nz/file/f1RTVa4A#2uGmQV64RKkNYZEECYXFKjGPS-nalF2ZshufSgqsA_k
- hxxps://we[.]tl/t-oAkwGNORsR
- hxxps://we[.]tl/t-cFvm5QQlyV
- hxxps://www[.]dropbox[.]com/s/5b0bti9r6xhf3pq/ADNOC%202020%20REQUIREMENT%20TENDER%20RFQ%2056774387_PDF[.]zip?dl=0
- hxxps://we[.]tl/t-Didobux8kG
- hxxps://we[.]tl/t-FkBOHwy1ME
- hxxps://mega[.]nz/file/u7xRlS7T#I8L3NL_zi-JizZagSF-E1Gcj5I8ednV6YdqyWs5RnNo
- hxxps://we[.]tl/t-XsVO5hewBu
- hxxps://we[.]tl/t-NwSigkLd2E
- hxxps://we[.]tl/t-wQB6ioE8dL
- hxxps://we[.]tl/t-u3NL7Wnplr
- hxxps://we[.]tl/t-zC6Wz4CpfZ
- hxxps://we[.]tl/t-5wQSJsFUlC
- hxxps://we[.]tl/t-egfvdBvESW
- hxxps://we[.]tl/t-2a9aq4LJSn
- hxxps://we[.]tl/t-4BnTk2Hwiv
- hxxps://we[.]tl/t-hSqtTJDi1f
- hxxps://we[.]tl/t-1VyVEAtzAf
- hxxps://we[.]tl/t-E1iDs5Bghr
- hxxps://we[.]tl/t-YlbV0AIU5b
- hxxps://we[.]tl/t-1yLti4IfaN
- hxxps://we[.]tl/t-dGN9sRTnch
- hxxps://we[.]tl/t-spOqYklJIQ
- hxxps://we[.]tl/t-cunxjPBouY
- hxxps://we[.]tl/t-39SvbwCY2E
- hxxps://we[.]tl/t-9RVc3dflK6
- hxxps://we[.]tl/t-aBUVx3EMdx
- hxxps://we[.]tl/t-XdOjUbrcK8
- hxxps://we[.]tl/t-MkUZugwABd
- hxxps://we[.]tl/t-ikxwkPtSBi
- hxxps://we[.]tl/t-1hWeuMe1h7
- hxxps://we[.]tl/t-2L7ajlJSCG
- hxxps://we[.]tl/t-HZygDd5TUJ
- hxxps://we[.]tl/t-MtgNnMbTij
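As an added example for defenders (it is not part of the original write-up and not Zscaler tooling), the following Python hunts a batch of endpoint telemetry for the indicators above: the MD5 hashes, the "Updates\<random_string>" scheduled-task naming convention, and a task registered with schtasks from a tmpXXXX.tmp XML file in %temp%. The event dictionary shape, the host names, the character-set and length bounds used for the random string, and the sample events are all assumptions constructed for the example.

```python
"""
Triage helper for the IoCs listed above: flags telemetry that matches the
known MD5 hashes, the "Updates\\<random_string>" scheduled-task convention, or
a task registered from a tmpXXXX.tmp XML file in %temp%.

Added example for this write-up, not Zscaler tooling. The event dict shape
('host', 'type', 'task_name', 'command_line', 'md5') is an assumed,
simplified telemetry format, not any vendor's schema.
"""
import re
from typing import Dict, List

# Subset of the MD5 hashes from the IoC list above, lower-cased for comparison.
KNOWN_MD5 = {
    "e368837a6cc3f6ec5dfae9a71203f2e2",  # PDF lure
    "6d0241bc7d4a850f3067bc40124b3f52",  # ZIP
    "42aec0b84a21fa36fc26b8210c197483",  # .NET EXE
    "38360115294c49538ab15b5ec3037a77",  # unpacked AZORult
}

# Observed names are 8-13 letters; the charset/length bounds are an assumption,
# widened slightly so a new sample does not slip past the pattern.
TASK_NAME_RE = re.compile(r"^\\?Updates\\[A-Za-z0-9]{6,24}$")

# tmpXXXX.tmp is Windows' default temporary file name, so a bare match is
# noise; it is only scored when schtasks registers a task from that file.
TEMP_XML_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
XML_ARG_RE = re.compile(r'\s/xml\s+"?([^"\s]+)"?', re.IGNORECASE)
TN_ARG_RE = re.compile(r'\s/tn\s+"?([^"\s]+)"?', re.IGNORECASE)


def classify(event: Dict) -> List[str]:
    """Return the reasons this event matches the IoCs; an empty list means no match."""
    reasons: List[str] = []

    md5 = (event.get("md5") or "").lower()
    if md5 in KNOWN_MD5:
        reasons.append(f"known-bad md5 {md5}")

    task_name = event.get("task_name") or ""
    if TASK_NAME_RE.match(task_name):
        reasons.append(f"task name follows Updates\\<random> convention: {task_name}")

    cmd = event.get("command_line") or ""
    if SCHTASKS_CREATE_RE.search(cmd):
        xml = XML_ARG_RE.search(cmd)
        if xml and TEMP_XML_RE.search(xml.group(1)):
            reasons.append(f"task registered from %temp% XML: {xml.group(1)}")
        tn = TN_ARG_RE.search(cmd)
        if tn and TASK_NAME_RE.match(tn.group(1)):
            reasons.append(f"schtasks /TN follows Updates\\<random> convention: {tn.group(1)}")
    return reasons


def hunt(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch and keep only the matching events with their reasons."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({"host": event.get("host"), "type": event.get("type"), "reasons": reasons})
    return hits


# Constructed sample telemetry (not captured data); hosts and benign paths are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "command_line":
        r'schtasks.exe /Create /XML "C:\Users\user\AppData\Local\Temp\tmp9AA2.tmp" /TN Updates\YJSlNpkH'},
    {"host": "ws01", "type": "task_registered", "task_name": r"\Updates\YJSlNpkH"},
    {"host": "ws02", "type": "file", "md5": "38360115294C49538AB15B5EC3037A77"},
    # benign: task registered from a vendor XML outside %temp%, ordinary task name
    {"host": "ws03", "type": "process", "command_line":
        r'schtasks.exe /Create /XML "C:\ProgramData\Vendor\backup.xml" /TN Vendor\Backup'},
    # benign: a tmpXXXX.tmp file on its own is not evidence
    {"host": "ws04", "type": "file", "path": r"C:\Users\user\AppData\Local\Temp\tmp24CC.tmp"},
    {"host": "ws05", "type": "task_registered", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["type"], "->", "; ".join(hit["reasons"]))
```

In practice the `task_name` field would come from Windows Security event 4698 (a scheduled task was created) and `command_line` from process-creation auditing such as Sysmon event 1; the tmpXXXX.tmp pattern is deliberately not scored on its own, because it is the name shape Windows gives every temporary file and would flood a queue with benign hits.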