12/19/2017
05:38 PM
Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

Operation Copperfield appears focused on data theft and reconnaissance, Nyotron says.

Damaging attacks from second- and third-tier nation-state threat actors, especially in the Middle East, could become a more pressing issue for enterprises next year if a couple of recent incidents are any indication.

Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a critical infrastructure facility in the Middle East, there's another report of an ominous new cyberattack campaign targeting similar organizations in the region.

This time, the warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.

The tool, which Nyotron has dubbed Copperfield, is based on H-Worm aka Houdini, a four-year-old remote access trojan (RAT) believed to be the work of an Algerian hacker. The malware is primarily being spread via infected USB drives; once installed on a system, it uses other methods to propagate.

The operators of the Copperfield campaign have used a $25 generic crypter tool called BronCoder to change the structure and hash of the Visual Basic Script-based H-Worm so it cannot be spotted by typical signature-based anti-malware tools.

The attackers have also used a unique masquerading technique: they hide files on infected systems and replace them with identically named malicious LNK files bearing the same icons as the hidden files. When a user clicks one of these shortcuts, the original file opens exactly as expected while malicious commands run silently in the background.
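The masquerading pattern described above leaves a recognisable trace on disk: a hidden original file sitting next to a visible shortcut with the same name (Windows Explorer hides the `.lnk` extension by default, so the two look identical to the user). The following is an added defender-side heuristic, not Nyotron's code and not part of the original article. It assumes the shortcut is named `<original name>.lnk`, models a directory listing as name/hidden-flag pairs, and flags every visible shortcut whose hidden twin is present in the same directory. The sample USB listing is constructed for illustration.

```python
"""Heuristic check for the hidden-file + same-named shortcut pattern.

Added example (assumption: the shortcut is named "<original>.lnk", which
Explorer displays without the extension). Not Nyotron's code.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 file attribute bit for "hidden"


@dataclass(frozen=True)
class Entry:
    """One directory entry: its file name and whether it carries the hidden bit."""
    name: str
    hidden: bool


def find_masqueraded_shortcuts(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return sorted (shortcut_name, hidden_original_name) pairs.

    A hit is a visible .lnk whose name minus the extension matches, case-
    insensitively, a hidden file in the same listing. Legitimately hidden
    files without a shortcut twin (desktop.ini) and ordinary shortcuts
    without a hidden twin are not reported.
    """
    hidden_by_key = {e.name.lower(): e.name for e in entries if e.hidden}
    hits: List[Tuple[str, str]] = []
    for e in entries:
        if e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-len(".lnk")]
        original = hidden_by_key.get(stem.lower())
        if original is not None:
            hits.append((e.name, original))
    return sorted(hits)


def list_directory(path: str) -> List[Entry]:
    """Build Entry objects from a real directory (e.g. a mounted USB drive).

    On Windows the hidden flag comes from st_file_attributes; on other
    platforms, where that field does not exist, a leading dot stands in.
    """
    out: List[Entry] = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", None)
            if attrs is not None:
                hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
            else:
                hidden = d.name.startswith(".")
            out.append(Entry(d.name, hidden))
    return out


# Constructed listing of a removable drive after the swap described in the
# article: two originals hidden and shadowed by same-named shortcuts, plus
# two benign entries that must not be flagged.
SAMPLE_USB_LISTING = [
    Entry("La La Land.mp4", hidden=True),
    Entry("La La Land.mp4.lnk", hidden=False),
    Entry("Budget.xlsx", hidden=True),
    Entry("Budget.xlsx.lnk", hidden=False),
    Entry("README.txt", hidden=False),
    Entry("desktop.ini", hidden=True),            # hidden by Windows itself
    Entry("shortcut to tools.lnk", hidden=False),  # ordinary shortcut
]


if __name__ == "__main__":
    for shortcut, original in find_masqueraded_shortcuts(SAMPLE_USB_LISTING):
        print(f"suspicious: {shortcut!r} shadows hidden file {original!r}")
```

On a real drive, `find_masqueraded_shortcuts(list_directory("E:\\"))` runs the same check against the actual listing; the name-matching rule is a heuristic, so any hit should be confirmed by inspecting the shortcut's target before the drive is treated as clean.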

Like H-Worm, Copperfield uses an automation tool in Windows — Windows Script Host — to gain full control of an infected system. It then can perform tasks like collecting and transmitting system information, exfiltrating data to an external server, downloading and executing keyloggers and other malware, and updating itself.

"We believe that H-worm was an inspiration for Operation Copperfield," says Nir Gaist, Nyotron's chief technology officer. "However the Copperfield worm is significantly more sophisticated and professionally developed ... Among the core enhancements is the infection mechanism that has been introduced in the wild for the first time."

Based on the malware tool's capabilities, the main goals of Operation Copperfield appear to be data theft for the purposes of conducting reconnaissance on critical infrastructure targets, Gaist says.

'La La Land'

Nyotron spotted Copperfield activity earlier this month when its software identified and stopped the malware from causing damage on a shared workstation at one of the security vendor's Middle Eastern clients. The malware was introduced on the system via a USB drive that a night-shift worker had plugged in to watch the movie La La Land, which he had recently downloaded on it.

Gaist says Nyotron is still collecting information on the scope of the campaign and its main purpose. But the company has found infections in countries as dispersed as China, Colombia, South Korea, and Iran.

Nyotron's investigation of the incident at its client showed the attackers using a command and control server apparently based in Mecca, Saudi Arabia, to run the campaign. "The worm was designed to execute any shell command sent from the C&C, and specific commands were developed for uploading and downloading data," Gaist says.

"The spread mechanism of Operation Copperfield and previously unseen masquerading techniques lead us to believe that the attacker, who's currently still active, is relatively sophisticated," he notes.

Evidence suggests that the attackers are Saudi Arabia-based. But some of the language used in the malware code and previous attributions to H-Worm suggest an Iranian or an Algerian connection as well.

The Nyotron advisory comes just days after FireEye warned about an incident in which threat actors gained access to a critical safety system at an industrial facility in the Middle East and inadvertently triggered a shutdown of a process there. The attacks suggest heightened cyber threat activity in the region and the growing sophistication of the groups behind it.

In September, Palo Alto Networks reported finding a large adversary infrastructure in the Middle East comprising numerous credential harvesting systems, C&C servers, compromised websites, and post-exploitation tools available to threat actors in the region. Another study by Trend Micro uncovered a booming underground market for malware in North Africa and the Middle East, where many sophisticated tools are being distributed for free or next to nothing to threat actors in the region.

Threat actors in mid-tier countries have acquired the capability to take on critical infrastructure and other targets in advanced nations, Nyotron said in its report.

"Tier-2 and tier-3 nation states (and their for-hire agents) will mostly drive bolder actions that aim to disrupt economies of their adversaries, impact unfavorable legislation or simply create fear and uncertainty in the market and among the targeted population," the vendor noted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
