Middle East hit with TopHat campaign exploiting popular third party services
Middle East hit with TopHat campaign exploiting popular third party services

A wave of attacks leveraging the popular third-party services Google+, Pastebin, and bit.ly is targeting individuals and organizations within the Palestinian Territories.

Dubbed “TopHat” the campaign uses Arabic language decoy documents related to current political events to lure victims into opening the documents and subsequently infecting themselves with malware from the “Scote” family, Palo Alto Networks Unit 42 researchers said in a Jan. 26 blog post.

“The ultimate payload is a new malware family that we have dubbed “Scote” based on strings we found within the malware samples, researchers said in the post. “Scote provides backdoor access for an attacker and we have observed it collecting command and control (C2) information from Pastebin links as well as Google+ profiles.”

The malware uses bit.ly links obscured the C2 URLs so victims could not evaluate the legitimacy of the final site prior to clicking it. The attacks spotted by researchers began in early September 2017 and in a few instances, original filenames of the identified samples were written in Arabic.

Attacks are deployed using four different techniques, two of which involve malicious RTF files, one involving self-extracting Windows executables, and a final using RAR archives.

One of the a malicious RTF techniques included the use of malicious RTFs that made a HTTP request to a malicious site, while the other exploited CVE-2017-0199 a Microsoft Office/WordPad remote code execution (RCE) vulnerability that was patched by Microsoft in September 2017.

The other attack techniques made use the “Don't Kill My Cat or DKMC” DKMC attacks which enable an attacker to load a legitimate bitmap (BMP) file that contains shellcode within it and the final technique involved Self-extracting Executables files to both load a decoy document and spawn an instance of Scote.

 The malware also employs various tricks and tactics to evade detection but ultimately provides relatively little functionality to the attackers once deployed possibly because the malware is still in active development.  

The TopHat campaign has some overlap with the DustySky campaign when the attacker was identified to be submitting their files for testing purposes, according to a January 2016 Clearsky report.  DustySky has been in use since May 2015 by groups such as the the Molerats (aka Gaza cybergang) in targeted malicious email.

Researchers tracked the apparent author while they were testing the malware enabling the researchers to both note changes made over time as well as observe other malware being submitted by the author.The author was also spotted submitting files which appeared to be new variants of the DustySky Core malware.