Recently, while monitoring an infected system, we uncovered activity that is a good example of attackers selectively emailing malware to a specific group, in this case organizations in a single country.
After conducting analysis of the threat, network traffic, and hosts involved, we believe that the attackers were directly targeting companies located in the Middle East—Saudi Arabia, to be exact.
In the following examples we can see the sequence of events leading up to the spear phishing as well as the tactics used to seek out targets for the attack (aka the “reconnaissance”).
Figure 1 shows an infected system making a series of notable HTTP requests. One of them fetches a text file, as shown in Figure 2.
Figure 3 shows us the contents of the text file, and it appears to be a list of email account credentials.
The next request fetches another .txt file, "key_link.txt", and this is where it starts to get interesting. The file supplies a value named "key" that the malware uses as a search string; as Figure 4 shows, the value is ".sa", the country-code top-level domain (ccTLD) for Saudi Arabia. The infected system then initiates a series of Bing searches scoped to the site www.skymem.com.
www.skymem.com dubs itself as a "service for extracting emails and other data from text." Looking through some of the "other" data hosted on skymem.com, it becomes evident that the site is being used for more than just innocently extracting emails from text.
How could Skymem.com be used (or abused) by spammers or attackers?
To harvest email addresses from skymem.com, spammers or attackers simply craft a Bing query that searches for a string within the www.skymem.com site. Here the string is ".sa" (the "key=.sa" value from Figure 4), so the results are skymem.com pages containing Saudi Arabian addresses.
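To make the harvesting step concrete, here is an added example that emulates it offline. It is not code from the original post, skymem.com or the attackers: it builds the search URL (the post only says the search is for ".sa" within www.skymem.com, so the use of Bing's site: operator with the key as a quoted term is an assumption), extracts addresses from a constructed page of text, and keeps only those whose domain ends in the key. It also adds something the attackers' bare substring key does not do: a proper suffix match, so that ".sa" keeps .com.sa and .edu.sa addresses but not user@mail.sa.example.com or a .usa address.

```python
import re
from urllib.parse import urlencode

# Constructed sample of page text (not real skymem.com data).
SAMPLE_PAGE = """
Addresses seen on the page:
hr@contractor.com.sa, info@contractor.com.sa
admin@mail.sa.example.com  webmaster@example.usa
jobs@university.edu.sa; sales@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_bing_query(key, site="www.skymem.com"):
    """Search URL for the harvesting step.

    The post does not show the exact query syntax, so the site: operator
    with the key as a quoted term is an assumption.
    """
    query = f'site:{site} "{key}"'
    return "https://www.bing.com/search?" + urlencode({"q": query})


def extract_emails(text):
    """Pull every address-looking token out of a page, de-duplicated and lower-cased."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def filter_by_tld(emails, key):
    """Keep addresses whose domain ends with the key as a whole DNS label.

    A naive substring match for ".sa" would also hit admin@mail.sa.example.com,
    so compare the last label instead: .sa, .com.sa and .edu.sa qualify,
    .usa and .sa.example.com do not.
    """
    label = key.lower().lstrip(".")
    return [e for e in emails if e.rsplit("@", 1)[1].split(".")[-1] == label]


def harvest(text, key):
    """Full pipeline: extract, then filter to the targeted ccTLD."""
    return filter_by_tld(extract_emails(text), key)


def targets_by_domain(emails):
    """Group harvested addresses by organisation (domain) for later mailing."""
    groups = {}
    for e in emails:
        groups.setdefault(e.rsplit("@", 1)[1], []).append(e)
    return groups


if __name__ == "__main__":
    print(build_bing_query(".sa"))
    for domain, addrs in targets_by_domain(harvest(SAMPLE_PAGE, ".sa")).items():
        print(domain, addrs)
```

Swapping the key for another ccTLD (or any string the operators care to search for) retargets the whole pipeline, which is exactly why serving it from a remote text file is convenient for the attacker.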
After harvesting emails from skymem.com, it’s time to start the phishing.
In Figure 8, we can see that <victim>@<somewhere>.com.sa is the recipient. A common social engineering tactic is employed as can be seen in the message body of the email:
You have exceeded your email limit quota.
Failure to recover your quota may result in loss of important Information.
You need to delete any SPAMs manually or simply employ the cleaning tools automatically.
Thank you for using
Copyright 2012 Webmail
As Figure 9 shows, the email carries an attachment named "AutoCleanTool.rar", the promised "cleaning tool"; opening it would, as you probably guessed, result in a malware infection.
Looking closer at the email address and domain in the attack, we see that it belongs to someone in an HR/Recruiting role at a large Saudi Arabia-based contracting services firm.
Ironically enough, this company’s client list includes some well-known Saudi Arabia-based oil and energy companies, one of which was the victim of a recent large-scale breach.
In this attack we saw how the attackers leveraged a public search engine and a 'sketchy' data warehouse to seek out potentially high-value targets for their malicious payload. Because the search key is fetched from a remote text file, the people behind this attack can change the target at will, to another country, industry or domain, without modifying the malware, and the harvesting and emailing that follow are largely automated. The result is a more flexible infrastructure for advanced malware to fulfil its mission.
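Both stages of the attack described above leave observable traces: the reconnaissance traffic (a .txt key fetch followed by site:-scoped Bing searches against skymem.com) and the lure email (quota pretext plus an archive attachment). The following added detection logic is not from the original post; the proxy log layout, the client addresses and the sample email are constructed for the example, and the field names are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed proxy log, "<timestamp> <client> <method> <url>" per line (layout assumed).
PROXY_LOG = """\
2012-11-01T09:00:01 10.0.0.5 GET http://203.0.113.10/key_link.txt
2012-11-01T09:00:07 10.0.0.5 GET http://www.bing.com/search?q=site%3Awww.skymem.com+%22.sa%22&first=1
2012-11-01T09:00:09 10.0.0.5 GET http://www.bing.com/search?q=site%3Awww.skymem.com+%22.sa%22&first=11
2012-11-01T09:01:00 10.0.0.8 GET http://www.bing.com/search?q=skymem+review
2012-11-01T09:02:00 10.0.0.9 GET http://www.bing.com/search?q=site%3Awww.skymem.com+%22.sa%22
"""

# Constructed lure in the style of Figures 8 and 9; sender, recipient and payload are placeholders.
LURE_EMAIL = """\
From: webmail-admin@example.net
To: victim@somewhere.com.sa
Subject: Email quota exceeded
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have exceeded your email limit quota. Failure to recover your quota may
result in loss of important Information. You need to delete any SPAMs
manually or simply employ the cleaning tools automatically.
--b1
Content-Type: application/octet-stream; name="AutoCleanTool.rar"
Content-Disposition: attachment; filename="AutoCleanTool.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""

RISKY_EXT = (".rar", ".zip", ".7z", ".exe", ".scr")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, method, url = line.split(maxsplit=3)
            rows.append({"ts": ts, "src": src, "method": method, "url": url})
    return rows


def is_key_fetch(url):
    """Stage 1: a bare .txt file pulled from a web server (the key_link.txt pattern)."""
    return urlparse(url).path.lower().endswith(".txt")


def is_harvest_search(url):
    """Stage 2: a Bing search that uses site: to scope results to skymem.com."""
    u = urlparse(url)
    if not u.netloc.lower().endswith("bing.com") or u.path != "/search":
        return False
    q = parse_qs(u.query).get("q", [""])[0].lower()
    return "site:" in q and "skymem.com" in q


def find_recon_hosts(rows):
    """Map client -> confidence; rows are assumed to be in time order.

    A client that ran the scoped search is flagged. If it fetched a .txt key
    first the confidence is "high", otherwise "medium" (an analyst poking at
    skymem.com by hand would produce the search without the key fetch).
    """
    state = {}
    for r in rows:
        s = state.setdefault(r["src"], {"key": False, "searches": 0})
        if is_key_fetch(r["url"]):
            s["key"] = True
        elif is_harvest_search(r["url"]):
            s["searches"] += 1
    return {src: ("high" if s["key"] else "medium")
            for src, s in state.items() if s["searches"]}


def score_lure(raw):
    """Return the reasons a message resembles the quota lure seen above."""
    msg = message_from_string(raw)
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = body.lower()
    reasons = []
    if "quota" in text and "exceeded" in text:
        reasons.append("quota-exceeded pretext")
    if "cleaning tool" in text:
        reasons.append("offers a 'cleaning tool'")
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("archive/executable attachment: " + ", ".join(risky))
    return reasons


if __name__ == "__main__":
    print(find_recon_hosts(parse_log(PROXY_LOG)))
    print(score_lure(LURE_EMAIL))
```

The key fetch is deliberately matched on behaviour (a bare .txt file pulled from a web server) rather than on the name "key_link.txt" or the serving host, since both are trivial for the operators to change; the scoped search against skymem.com is the more stable indicator.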