Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.
These are not technically sophisticated attackers. However, they do deploy some novel tactics, detailed below, and the implications of these attacks could be significant. Both the tools and targets of Moonlight are reminiscent of “Gaza Hacker Team,” a group of attackers that are said to be politically aligned to the Hamas. In spite of these commonalities, we have not identified any firm links between the two groups.
We refer to this group of attackers as Moonlight, after the name the attackers chose for one of their command-and-control domains.
Vectra Networks worked with providers to sinkhole Moonlight’s command-and-control infrastructure. The hosts seen via our sinkhole show a clear targeting of Middle Eastern victims:
Figure 1: Moonlight’s victims of attacks
Most of these victims are connecting from home networks, and are therefore unidentifiable, though one notable victim is a Palestinian news organization.
Vectra believes the victims from the United States and China are outliers. These infected machines were primarily from university networks and were likely either security researchers sandboxing malware or overseas students targeted for links to their homeland.
Indirect targeting data from the online virus scanning site VirusTotal, and traffic statistics from the URL-shortening services the attackers use, indicate that many of these attacks are directed at small groups or individual targets:
Figure 2: The statistics show one of the attacker’s malicious files, registering only two clicks
The attackers name their malware as documents of interest to their victims, to entice them to open them. The malicious decoy documents display themes relevant to Middle Eastern politics, and provide some indication as to who the intended targets may be:
- Assassination of Talal of Jordan YouTube.exe
- Audio recording of the meeting of Egyptian Emirati. MP3.exe
- Brigadier Alleno behind moral projection of Zakaria al-Agha.docx.exe
- Fatah foreign conspiracies.exe
- Weapons and ammunition stores found while digging a waterway in Egyptian Rafah.exe
- Hamas and Fatah agree to the following.exe
- Hamas and the Egyptian army.exe
- Hamas and the Salafist jihadist in the Gaza Strip.scr
- Hamas Betrayal.exe
- Important leaking security meeting Arab Emirates.exe
- Leaked audio recording of the meeting of Egyptian security Emirates.mp3.exe
- Leaking important Arab Emirates security meeting.mp3.exe
- Meeting of the Executive Committee of the PLO.exe
- President sources oust Fatah leadership in Gaza and the cost Abu Samhadana to lead the organization.doc.exe
- Sawiris and the project of the Suez Canal.exe
- Sinai Bombings.docx.exe
- The full truth behind Abu Ghussain's disease.exe
- The grandson of President Abbas in the festival of love, and what response was Mr. Samir Mashharawi him.exe
- The names of the perpetrators of the bombings in the Gaza Strip.exe
- The son of Mufti takfiri Hamas fist anti-drug police.docx.exe
Moonlight demonstrates that 0-days, or even exploits, aren’t required to successfully compromise machines. Instead, they show a preference for the classic social engineering approach of sending e-mails with attachments or links to files with the filename [legitimate file-extension].exe, for example:
- Secrets documents Panama.docx.exe
- Audio recording of the meeting of Egyptian Emirati.mp3.exe
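An added example, not from the report, of the check a mail gateway or endpoint rule would apply to attachment names to catch the `[document-extension].exe` pattern above; it tolerates the stray space seen in "Emirati. MP3.exe" and also flags plain .exe/.scr attachments. The sample list reuses lure names quoted on this page plus constructed benign names.

```python
from typing import Optional

# Extensions Windows executes directly; the lures on this page use .exe and .scr.
EXECUTABLE_EXTS = {"exe", "scr"}
# Document and media extensions the lures borrow to look harmless.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
              "txt", "mp3", "mp4", "jpg", "png"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return "masquerade:<ext>" for a '<name>.<docext>.exe'-style lure,
    "executable" for a plain executable, or None for anything else.

    Splits on '.' and strips whitespace around each piece so that names such
    as "Emirati. MP3.exe" (space after the dot) are still caught; the
    comparison is case-insensitive because attackers vary capitalisation."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"masquerade:{parts[-2]}"
    return "executable"


def flag_attachments(names):
    """Map each suspicious attachment name to its classification."""
    flagged = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict:
            flagged[name] = verdict
    return flagged


# Constructed inbox sample: lure names quoted in the report plus two benign names.
SAMPLE_ATTACHMENTS = [
    "Secrets documents Panama.docx.exe",
    "Audio recording of the meeting of Egyptian Emirati. MP3.exe",
    "Hamas and the Salafist jihadist in the Gaza Strip.scr",
    "شبكات الدعارة السورية.mp4.exe",
    "Hamas Betrayal.exe",
    "agenda.docx",
    "photo.jpg",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:16} {name}")
```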
Moonlight typically makes good on the promised theme of the lures, and presents the victim with a relevant “decoy document”:
Figure 3: "Meeting of the Executive Committee of the PLO" - Decoy documents opened on victim machines by the malware
Figure 4: Decoy video about women trafficked to Syria
Impersonated news organizations
The attackers typically deploy malicious files via shortened URLs, presumably to look more innocuous. Many of the links and domains impersonate Middle Eastern media organizations such as Eln News and Wattan TV:
One domain impersonating the media, Alwatenvoice[.]com, also hosts “landing pages” to encourage victims to download the malware, described below.
One Facebook user has shared a number of posts from the malicious Alwatenvoice[.]com:
Figure 5: Two pages containing malware shared by the user on Facebook
The second post is of particular interest. The Facebook information box says the article is from All4Syria[.]info, a popular independent news outlet reporting on Syria, but in fact it leads to Alwatenvoice[.]com:
Figure 6: The link to All4Syria[.]info that actually leads to Alwatenvoice[.]com
The user is then presented with a page that looks very much like the real All4Syria website:
Figure 7: The malicious page on Alwatenvoice[.]com on the left, and the legitimate site All4Syria[.]info on the right
If a user clicks “play,” they are asked to download malware named شبكات الدعارة السورية.mp4.exe (“Syrian Prostitution Rings.mp4.exe”).
The profile posting these malicious links has a very small number of public posts. The first post, from 2015, shows the user setting their wallpaper to the logo of Fatah. Two celebrations of Facebook friendship are displayed publicly, one of whom can be identified from the name and Facebook profile information. Their details match those of a senior Fatah militant who Reuters reported was targeted for assassination during violent struggles between Hamas and Fatah in 2007.
We would stress that even if the account is controlled by the attackers it could be an account that they have compromised, or impersonates an innocent and unconnected person. It is also possible that the account sharing the malicious links belongs to a user who is unknowingly spreading malicious content.
Moonlight typically delivers an obfuscated version of the widely available H-Worm, a malicious Visual Basic Script worm, as their first-stage backdoor. Moonlight deploys an ever-changing range of deployment scripts to evade anti-virus software. Many of these use basic scripts within self-extracting RAR archives to install the malware:
Figure 8: Some of the malicious scripts used by Moonlight to deploy H-Worm
In these excerpts, we see Moonlight make some strange choices in deploying their malware, such as:
- Opening a decoy document from the Windows System folder
- Preventing users from deleting any files (including the installed malware) from the C:\temp\ folder
There is a large amount of variation in the scripts used to install malware, and it is likely that the large number of samples has been produced by hand, rather than through the more productionised process of using build tools that more sophisticated groups prefer.
URLs that users have submitted to VirusTotal record the attackers installing additional malware using the access they gained with the first-stage H-Worm malware. Examples of this are recorded in URLs submitted to VirusTotal for the domain fun2[.]dynu.com:
As with earlier stages, the attackers employ a number of methods to deploy the well-known njRat, and the method varies from sample to sample. In one example the malware stores a program within a base64-encoded, compressed blob. This is then loaded into memory and executed using EntryPoint.Invoke():
Figure 9: An example loader for njRat deployed by Moonlight
The 24 Kb of code this decodes to is another .NET application – njRat. Other droppers also decrypt the blob, before it is executed. Both njRat and code obfuscators such as this are freely available, and there are a plethora of tutorials available online to help budding hackers use them with limited technical knowledge.
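A triage helper written for this post (not Vectra's tooling and not taken from a Moonlight sample) that hunts for the loader pattern just described in a dumped or decompiled dropper: base64 runs that decode, directly or after decompression, to a PE image. It assumes the dropper used .NET's GZipStream or DeflateStream for the compressed blob; the loader text and the embedded image are constructed stand-ins.

```python
import base64, gzip, re, struct, zlib

# A base64 run long enough to be a payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _try_decompress(data):
    # gzip, zlib, then raw deflate (assumption: .NET GZipStream/DeflateStream)
    for wbits in (zlib.MAX_WBITS | 16, zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

def is_pe_image(data):
    """True if data has an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_pe(loader_text):
    """(text offset, decoded size) of each base64 run that yields a PE image."""
    hits = []
    for m in B64_RUN.finditer(loader_text):
        raw = m.group(0)
        try:
            blob = base64.b64decode(raw + "=" * (-len(raw) % 4))
        except ValueError:
            continue
        for candidate in (blob, _try_decompress(blob)):
            if candidate and is_pe_image(candidate):
                hits.append((m.start(), len(candidate)))
                break
    return hits

def _fake_pe(size=512):
    """Constructed stand-in for a dropped assembly: MZ stub + PE signature."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    img[0x84:] = bytes(i % 251 for i in range(size - 0x84))  # non-zero filler
    return bytes(img)

# Constructed loader excerpt (not a real Moonlight sample) in the shape the
# report describes: base64 of a gzip'd assembly, loaded and EntryPoint.Invoke'd.
SAMPLE_LOADER = ('string payload = "' + base64.b64encode(gzip.compress(_fake_pe())).decode()
                 + '";\nAssembly.Load(Decompress(Convert.FromBase64String(payload)))'
                 '.EntryPoint.Invoke(null, null);')
```

Running `find_embedded_pe(SAMPLE_LOADER)` reports the offset of the blob and the 512-byte decoded image, which is the artefact to carve out and hash rather than the obfuscated wrapper.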
A significant operation
Moonlight’s command-and-control infrastructure is very simple. It consists of dynamic domains controlled via home internet connections in the West Bank of Palestine. We were surprised to identify a very large number of varied malware samples (over 200) attached to this simple infrastructure:
Figure 10: Moonlight’s infrastructure
The earliest attacks appear to be non-targeted, opportunistically inviting victims to click links on YouTube videos and social media posts, typical of Middle Eastern “hacktivists.” Later attacks appear to target particular groups or individuals. Moonlight’s usage of the Google URL shortening service allows us to roughly compare attacks over time:
Figure 11: One attack from December 2014 (left), and one from December 2015 (right)
Who are the attackers?
In general, the assigned IP location of command-and-control servers is a poor indication of attacker location. However, in this case the provided locations of home networks in the Gaza Strip are likely to be accurate and fit with other details from the attacks. The attackers also demonstrate low operational security, particularly in their earlier attacks. Domain Whois records and social media posts provide strong indications as to the identities of some of those involved. It would not be prudent to publish the identities of the possible attackers in a conflict zone.
Perhaps a more interesting question is "What are the attackers’ aims?" Or if they are being directed, who is ultimately funding and tasking them?
Attacks such as these are often overlooked due to their low technical sophistication. But the stakes of these attacks are high, even if the attacker skill level is low. If the motivation behind these attacks is indeed political, the consequences could mean loss of life. Violence between rival political factions in Palestine has resulted in the deaths of hundreds of people.
Individuals and organizations outside of the Middle East are unlikely to encounter the attacks by Moonlight. However, the tools and techniques deployed are typical of low-skilled but determined attackers within the Middle East and serve as an example of the kinds of attacks that often slip through. Moonlight’s strategy of obfuscating well-known malware appears to be fairly successful at evading host-based security mechanisms. The network communications of well-known malware families such as H-Worm and njRat should still trigger existing signature-based network detection tools.
Vectra customers are protected through the following generic detections:
- Suspicious HTTP – Provides generic detection of HTTP based malware such as H-Worm
- External Remote Access – Provides generic detection of RATs such as njRat
- Malware Update – Provides generic detection of secondary malware over HTTP(S)
Security professionals can review the Appendix for a full listing of file hashes and domains employed in these attacks.
Vectra Threat Labs operates at the precise intersection of security research and data science. We take unexplained phenomena seen in customer networks and dig deeper to find the underlying reasons for the observed behavior.
Any traffic to the following domains on your network should be investigated. Please note that many of these domains have been sinkholed by Vectra.