Damaging attacks from second and third-tier nation-state threat actors – especially in the Middle East - could become more of a pressing issue for enterprises next year if a couple of recent incidents are any indication.
Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a critical infrastructure facility in the Middle East, there's another report of an ominous new cyberattack campaign targeting similar organizations in the region.
This time, the warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
The tool, which Nyotron has dubbed Copperfield, is based on H-Worm aka Houdini, a four-year-old remote access trojan (RAT) believed to be the work of an Algerian hacker. The malware is primarily being spread via infected USB drives; once installed on a system, it uses other methods to propagate.
The operators of the Copperfield campaign have used a $25 generic crypter tool called BronCoder to change the structure and hash of the Visual Basic Script-based H-Worm so it cannot be spotted by typical signature-based anti-malware tools.
The attackers have also use a unique masquerading technique to conceal files on infected systems and replace them with identically named malicious LNK files with the same icons as the hidden files. When a user clicks on a malicious file, it executes exactly as expected, but while running malicious commands silently in background.
Like H-Worm, Copperfield uses an automation tool in Windows — Windows Script Host — to gain full control of an infected system. It then can perform tasks like collecting and transmitting system information, exfiltrating data to an external server, downloading and executing keyloggers and other malware, and updating itself.
"We believe that H-worm was an inspiration for Operation Copperfield," says Nir Gaist, Nyotron's chief technology officer. "However the Copperfield worm is significantly more sophisticated and professionally developed ... Among the core enhancements is the infection mechanism that has been introduced in the wild for the first time."
Based on the malware tool's capabilities, the main goals of Operation Copperfield appear to be data theft for the purposes of conducting reconnaissance on critical infrastructure targets, Gaist says.
'La La Land'
Nytoron spotted Copperfield activity earlier this month when its software identified and stopped the malware from causing damage on a shared workstation at one of the security vendor's Middle Eastern clients. The malware was introduced on the system via a USB drive that a night-shift worker had plugged in to watch the movie La La Land, which he had recently downloaded on it.
Gaist says Nyotron is still collecting information on the scope of the campaign and its main purpose. But the company has found infections in countries as dispersed as China, Columbia, South Korea, and Iran.
Nyotron's investigation of the incident at its client showed the attackers using a command and control server apparently based in Mecca, Saudi Arabia, to run the campaign. "The worm was designed to execute any shell command sent from the C&C, and specific commands were developed for uploading and downloading data," Gaist says.
"The spread mechanism of Operation Copperfield and previously unseen masquerading techniques, leads us to believe that the attacker, who's currently still active, is relatively sophisticated," he notes.
Evidence suggests that the attackers are Saudi Arabia-based. But some of the language used in the malware code and previous attributions to H-Worm suggest an Iranian or an Algerian connection as well.
The Nyotron advisory comes just days after FireEye's warned about an incident where threat actors gained access to a critical safety system at an industrial facility in the Middle East and inadvertently triggered a shut down of a process there. The attacks suggest heightened cyber threat activity in the region and the growing sophistication of the groups behind it.
In September, Palo Alto Networks reported finding a large adversary infrastructure in the Middle East comprised of numerous credential harvesting systems, C&C servers, compromised websites, and post-exploitation tools available to threat actors in the region. Another study by Trend Micro uncovered a booming underground market for malware in North Africa and the Middle East, where many sophisticated tools are being distributed for free or next to nothing to threat actors in the region.
Threat actors in mid-tier countries have acquired the capability to take on critical infrastructure and other targets in advanced nations Nytoron said in its report.
"Tier-2 and tier-3 nation states (and their for-hire agents) will mostly drive bolder actions that aim to disrupt economies of their adversaries, impact unfavorable legislation or simply create fear and uncertainty in the market and among the targeted population," the vendor noted.
- TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage
- Malware Investigation Leads to Sophisticated Mideast Threat Network
- Cybercrime Meets Culture In Middle East, North African Underground
- 7 Indicted Iranian Nationals Now Hit with Sanctions by US Treasury