Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/19/2017
05:38 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

Operation Copperfield appears focused on data theft and reconnaissance, Nyotron says.

Damaging attacks from second and third-tier nation-state threat actors – especially in the Middle East - could become more of a pressing issue for enterprises next year if a couple of recent incidents are any indication.

Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a critical infrastructure facility in the Middle East, there's another report of an ominous new cyberattack campaign targeting similar organizations in the region.

This time, the warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.

The tool, which Nyotron has dubbed Copperfield, is based on H-Worm aka Houdini, a four-year-old remote access trojan (RAT) believed to be the work of an Algerian hacker. The malware is primarily being spread via infected USB drives; once installed on a system, it uses other methods to propagate.

The operators of the Copperfield campaign have used a $25 generic crypter tool called BronCoder to change the structure and hash of the Visual Basic Script-based H-Worm so it cannot be spotted by typical signature-based anti-malware tools.

The attackers have also use a unique masquerading technique to conceal files on infected systems and replace them with identically named malicious LNK files with the same icons as the hidden files. When a user clicks on a malicious file, it executes exactly as expected, but while running malicious commands silently in background.

Like H-Worm, Copperfield uses an automation tool in Windows — Windows Script Host — to gain full control of an infected system. It then can perform tasks like collecting and transmitting system information, exfiltrating data to an external server, downloading and executing keyloggers and other malware, and updating itself.

"We believe that H-worm was an inspiration for Operation Copperfield," says Nir Gaist, Nyotron's chief technology officer. "However the Copperfield worm is significantly more sophisticated and professionally developed ... Among the core enhancements is the infection mechanism that has been introduced in the wild for the first time."

Based on the malware tool's capabilities, the main goals of Operation Copperfield appear to be data theft for the purposes of conducting reconnaissance on critical infrastructure targets, Gaist says.

'La La Land'

Nytoron spotted Copperfield activity earlier this month when its software identified and stopped the malware from causing damage on a shared workstation at one of the security vendor's Middle Eastern clients. The malware was introduced on the system via a USB drive that a night-shift worker had plugged in to watch the movie La La Land, which he had recently downloaded on it.

Gaist says Nyotron is still collecting information on the scope of the campaign and its main purpose. But the company has found infections in countries as dispersed as China, Columbia, South Korea, and Iran.

Nyotron's investigation of the incident at its client showed the attackers using a command and control server apparently based in Mecca, Saudi Arabia, to run the campaign. "The worm was designed to execute any shell command sent from the C&C, and specific commands were developed for uploading and downloading data," Gaist says.

"The spread mechanism of Operation Copperfield and previously unseen masquerading techniques, leads us to believe that the attacker, who's currently still active, is relatively sophisticated," he notes. 

Evidence suggests that the attackers are Saudi Arabia-based. But some of the language used in the malware code and previous attributions to H-Worm suggest an Iranian or an Algerian connection as well.

The Nyotron advisory comes just days after FireEye's warned about an incident where threat actors gained access to a critical safety system at an industrial facility in the Middle East and inadvertently triggered a shut down of a process there. The attacks suggest heightened cyber threat activity in the region and the growing sophistication of the groups behind it.  

In September, Palo Alto Networks reported finding a large adversary infrastructure in the Middle East comprised of numerous credential harvesting systems, C&C servers, compromised websites, and post-exploitation tools available to threat actors in the region. Another study by Trend Micro uncovered a booming underground market for malware in North Africa and the Middle East, where many sophisticated tools are being distributed for free or next to nothing to threat actors in the region.

Threat actors in mid-tier countries have acquired the capability to take on critical infrastructure and other targets in advanced nations Nytoron said in its report.

"Tier-2 and tier-3 nation states (and their for-hire agents) will mostly drive bolder actions that aim to disrupt economies of their adversaries, impact unfavorable legislation or simply create fear and uncertainty in the market and among the targeted population," the vendor noted.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.