Incident Report: Recent Incident Reportedly Targeting Saudi Arabia With Links To Greenbug and OilRig Actors

Overview

Open source reporting recently indicated new activity from the Iranian actor publicly known as Greenbug targeting Saudi Arabia. The incident used a Microsoft Excel file containing malicious macros which wrote a malicious executable and associated files to the victim machine. The executable in this instance appears to be a variant of a Trojan known as ISMAgent and uses the domain www.ntpupdateserver[.]com for command and control (C2). This domain has been previously reported as an ISMAgent C2.

In July 2017, Palo Alto’s Unit 42 reported observing overlaps between Greenbug and another Iranian actor they call OilRig. The overlap centered around a cyber espionage operation at a Middle Eastern technology organization using tactics associated with OilRig, but leveraging a variant of Greenbug’s ISMDoor malware which Palo Alto named ISMAgent. Additional public reporting on this overlap is not available, but this could indicate that OilRig and Greenbug are one and the same, or two different threat groups sharing some of the same tools.

Details

Exploit Document:

  • b518cd2349b490514d1ff1a2a6ec09ec (Macros)

Dropped Files (Directory: /Users/Public/Libraries):

  • B642.txt (9e5ce9b94471f1ba58099857020105a8)
  • OfficeServicesStatus.vbs (46f4bb9e734c64d71cd8fdc0fc9e6f73)
  • RecordedTV.library-ms (b6f9aa44c5f0565b5deb761b1926e9b6)
  • servicereset.exe (ad5120454218bb483e0b8467feb3a20f)

C2:

  • www.ntpupdateserver[.]com

Related Infrastructure:

  • www.adobeproduct[.]com
  • www.cdnmsnupdate[.]com
  • n.n.c.303FF7B225C14F1498A2.cdnmsnupdate[.]com
  • www.microsoft-publisher[.]com
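As an added example (not part of the original report), the C2 and related infrastructure listed above can be turned into a DNS-log check that treats any subdomain of the listed base domains as a hit, so that hosts like the n.n.c.<hex>.cdnmsnupdate[.]com entry are caught alongside the exact names. The log line format and the sample lines are constructed for this example and are not from the report.

```python
import re
from typing import List, Optional, Tuple

# Indicators copied from the report above, kept in the published defanged form.
REPORTED_HOSTS = [
    "www.ntpupdateserver[.]com",  # C2
    "www.adobeproduct[.]com",  # related infrastructure
    "www.cdnmsnupdate[.]com",
    "n.n.c.303FF7B225C14F1498A2.cdnmsnupdate[.]com",
    "www.microsoft-publisher[.]com",
]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into a real, lower-cased hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def base_domain(host: str) -> str:
    """Last two labels: both www.cdnmsnupdate.com and the n.n.c.<hex> host
    in the report reduce to cdnmsnupdate.com."""
    return ".".join(host.split(".")[-2:])

# Any subdomain of a listed base domain counts as a hit, not only the exact hosts.
WATCHED_BASES = {base_domain(refang(h)) for h in REPORTED_HOSTS}

def matching_base(queried_host: str) -> Optional[str]:
    host = refang(queried_host)
    for base in WATCHED_BASES:
        if host == base or host.endswith("." + base):
            return base
    return None

# Assumed line format (constructed for this example): "<ts> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_host, matched_base) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        base = matching_base(m.group(4)) if m else None
        if base:
            hits.append((m.group(2), refang(m.group(4)), base))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2017-09-10T08:12:44Z 10.0.0.23 query A www.ntpupdateserver.com",
    "2017-09-10T08:12:45Z 10.0.0.23 query A n.n.c.303FF7B225C14F1498A2.cdnmsnupdate.com.",
    "2017-09-10T08:12:46Z 10.0.0.41 query A update.microsoft.com",
    "2017-09-10T08:12:47Z 10.0.0.41 query AAAA www.microsoft-publisher.com",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns the two clients that resolved the reported domains and ignores the unrelated microsoft.com lookup.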

Related Malware:

  • 5a3675ebb6a560a25c6583cae847a41e
  • 66eaef10226fb279dba64bb5948bc85b
  • 89e7e269391b5efc57842c52038485e2

Targeting:

  • Saudi Arabia

OSINT:

  • https://twitter.com/eyalsela/status/906290052141068288

Actor/Campaign:

  • Greenbug; OilRig

Related Public Reporting:

  • https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
  • https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/