About a dozen Saudi Arabian agencies were singled out for spearphishing attacks aimed at placing cyberespionage malware on government computers using an infected Word document.
The attack was spotted by Malwarebytes when the company's cybersecurity software was triggered, the company said in a blog post. Malwarebytes would not name the agencies involved nor speculate on the origin of the attacks because the situation is still evolving, a spokesperson told SC Media. Plus, the company is unable to say what the attackers are after.
“The malware is designed to mine/steal files from the victim machine, and send them encrypted to a couple of servers,” a company spokesperson said.
Late last year, an attack on Saudi Arabia using Shamoon data-wiping malware was attributed to Iran, the same malware that was used in 2012 to destroy 35,000 computers in that country. Those attacks primarily targeted the Saudi energy sector.
As with most spearphishing attacks, this one uses a social engineering scheme to convince the recipient to not only open the attached Word doc, but to enable the macros setting – effectively bypassing the built-in security that would have halted the attack.
Once the document is opened, an executable is dropped and run with the main payload being neuro_client.exe which the malware renames Firefox-x86-ui.exe in an attempt to obfuscate the attack code.