Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/19/2017
05:38 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

Operation Copperfield appears focused on data theft and reconnaissance, Nyotron says.

Damaging attacks from second and third-tier nation-state threat actors – especially in the Middle East - could become more of a pressing issue for enterprises next year if a couple of recent incidents are any indication.

Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a critical infrastructure facility in the Middle East, there's another report of an ominous new cyberattack campaign targeting similar organizations in the region.

This time, the warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.

The tool, which Nyotron has dubbed Copperfield, is based on H-Worm aka Houdini, a four-year-old remote access trojan (RAT) believed to be the work of an Algerian hacker. The malware is primarily being spread via infected USB drives; once installed on a system, it uses other methods to propagate.

The operators of the Copperfield campaign have used a $25 generic crypter tool called BronCoder to change the structure and hash of the Visual Basic Script-based H-Worm so it cannot be spotted by typical signature-based anti-malware tools.

The attackers have also use a unique masquerading technique to conceal files on infected systems and replace them with identically named malicious LNK files with the same icons as the hidden files. When a user clicks on a malicious file, it executes exactly as expected, but while running malicious commands silently in background.

Like H-Worm, Copperfield uses an automation tool in Windows — Windows Script Host — to gain full control of an infected system. It then can perform tasks like collecting and transmitting system information, exfiltrating data to an external server, downloading and executing keyloggers and other malware, and updating itself.

"We believe that H-worm was an inspiration for Operation Copperfield," says Nir Gaist, Nyotron's chief technology officer. "However the Copperfield worm is significantly more sophisticated and professionally developed ... Among the core enhancements is the infection mechanism that has been introduced in the wild for the first time."

Based on the malware tool's capabilities, the main goals of Operation Copperfield appear to be data theft for the purposes of conducting reconnaissance on critical infrastructure targets, Gaist says.

'La La Land'

Nytoron spotted Copperfield activity earlier this month when its software identified and stopped the malware from causing damage on a shared workstation at one of the security vendor's Middle Eastern clients. The malware was introduced on the system via a USB drive that a night-shift worker had plugged in to watch the movie La La Land, which he had recently downloaded on it.

Gaist says Nyotron is still collecting information on the scope of the campaign and its main purpose. But the company has found infections in countries as dispersed as China, Columbia, South Korea, and Iran.

Nyotron's investigation of the incident at its client showed the attackers using a command and control server apparently based in Mecca, Saudi Arabia, to run the campaign. "The worm was designed to execute any shell command sent from the C&C, and specific commands were developed for uploading and downloading data," Gaist says.

"The spread mechanism of Operation Copperfield and previously unseen masquerading techniques, leads us to believe that the attacker, who's currently still active, is relatively sophisticated," he notes. 

Evidence suggests that the attackers are Saudi Arabia-based. But some of the language used in the malware code and previous attributions to H-Worm suggest an Iranian or an Algerian connection as well.

The Nyotron advisory comes just days after FireEye's warned about an incident where threat actors gained access to a critical safety system at an industrial facility in the Middle East and inadvertently triggered a shut down of a process there. The attacks suggest heightened cyber threat activity in the region and the growing sophistication of the groups behind it.  

In September, Palo Alto Networks reported finding a large adversary infrastructure in the Middle East comprised of numerous credential harvesting systems, C&C servers, compromised websites, and post-exploitation tools available to threat actors in the region. Another study by Trend Micro uncovered a booming underground market for malware in North Africa and the Middle East, where many sophisticated tools are being distributed for free or next to nothing to threat actors in the region.

Threat actors in mid-tier countries have acquired the capability to take on critical infrastructure and other targets in advanced nations Nytoron said in its report.

"Tier-2 and tier-3 nation states (and their for-hire agents) will mostly drive bolder actions that aim to disrupt economies of their adversaries, impact unfavorable legislation or simply create fear and uncertainty in the market and among the targeted population," the vendor noted.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9308
PUBLISHED: 2020-02-20
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVE-2019-20479
PUBLISHED: 2020-02-20
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
CVE-2011-2498
PUBLISHED: 2020-02-20
The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVE-2012-2629
PUBLISHED: 2020-02-20
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) c...
CVE-2014-3484
PUBLISHED: 2020-02-20
Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid ...