A cyber-espionage team, operating since at least 2012, used a legitimate tool to protect the backdoor from analytics efforts to avoid detection. In their attempt, the hackers also used a fake header.
The backdoor is referred to by the names Spark and EnigmaSpark and was developed in a recent phishing campaign that appears to be the work of the low budget Gaza Cybergang MoleRATs. He is in charge of the SneakyPastes feature, which is detailed by Kaspersky, which is based on malware hosted on free sharing services such as GitHub and Pastebin.
There is strong evidence that the team has been using this backdoor since March 2017, deploying dozens of variants that contacted at least 15 command and control domains.
Multiple cyber security researchers monitored this threat organization's campaigns and analyzed the malicious programs, tactics and infrastructure used in the attacks.
The perpetrator tried to hide the compromise using Enigma Protector software - a legitimate tool to "protect executable files from illegal copying, hacking, modification and analysis ”.
Based on the stated objectives and the subject of the bait documents, this looks like a political attack directed at Arab speakers who are interested in the possible acceptance of the Palestinian peace plan.
The infection chain that led to the installation of the backdoor EnigmaSpark began with the delivery of a malicious Microsoft Word document. The file is written in Arabic and urges the recipient to allow editing to view it. content.
The researchers found that the document obtained from a Google Drive link a malicious Word embedded with a macro to deliver the final payload "runawy.exe".
To protect the feature, hackers added some protection capabilities, such as password protection macros and application of a base64 encoding system in the backdoor, which was also stored in Google Drive.
In addition, the binary malware program was "packed" with Enigma Protector which adds some resistance to hacking and cracking efforts.
Another precaution by hackers is to use a fake header in the HTTP POST request that provides victim information to the command and control (C2) server, which was nysura. [Com. However, the header indicates 'cnet] [com' as the destination.
An X-Force (IRIS) investigation revealed that the attacker used this technique with other binaries. After "unpacking" the 'runawy.exe', they noticed that the file that resulted was the same as 'blaster.exe', a binary delivered by an executable from Themida, another legitimate tool that adds protection for inspecting or modifying an edited application.
Multiple files were discovered because they had in common the unique string "S4.4P" and the signatory cryptographic certificate "tg1678A4": Wordeditor.exe, Blaster.exe (the unpacked version of runawy.exe and soundcloud.exe), HelpPane.exe , and taskmanager.exe.
In the case of Blaster, the same trick was used with the fake host header as in the case of 'runawy', but the actual destination server was different ('webtutorialz [.] Com').
The runawy.exe binary, its C2 server, and its unique string have been previously documented by researchers at other security companies in cyberspace.
Cybereason's Nocturnus team, on February 12, released a technical analysis of the Backdoor backdoor, which describes the malware's capabilities:
- Collect information about the host victim
- Encrypt the data collected and send it to the intruders via the HTTP protocol
- Download other payloads
- Entering keys Record audio using the system's built-in microphone
- Execute commands on the infected machine
At the beginning of the month, Palo Alto Networks detailed the same payload surrounded by Enigma delivered with the help of a Word document on October 31 and November 2, 2019.
The backdoor backdoor was originally documented by researchers at Beijing-based Qi An Xin Cyber Security, with the English version of the research published on February 14, 2019.
Researchers from all of these companies attribute the backdoor Spark to the MoleRATs team, known for its use of malware available in a hacker forum. However, they also develop custom tools, such as Spark.