{"id":118,"date":"2019-04-02T09:50:37","date_gmt":"2019-04-02T07:50:37","guid":{"rendered":"https:\/\/192.168.10.2\/blog\/?p=118"},"modified":"2021-10-06T16:21:38","modified_gmt":"2021-10-06T14:21:38","slug":"wirte-group-attacking-the-middle-east","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/wirte-group-attacking-the-middle-east\/","title":{"rendered":"WIRTE Group attacking the Middle East"},"content":{"rendered":"\n<p>The Intelligence Development Group of <a href=\"https:\/\/s2grupo.es\/en\/home\/\">S2 Grupo<\/a> has carried out an investigation into an actor for which LAB52 has not been able to find references or similarities in open sources, and which has been identified as <strong>WIRTE<\/strong>.<\/p>\n\n\n\n<p>The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018, and it has been followed up during the months since.<\/p>\n\n\n\n<p>This group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign started in August 2018 that was monitored. It is considered unsophisticated because the scripts are not obfuscated, communications go unencrypted over HTTP, it uses PowerShell (increasingly monitored), and so on. Despite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their victims and carry out their objectives. In addition, as will be seen throughout the report, the detection rate of some of the scripts by the main antivirus vendors in December 2018 is low, an aspect that must be highlighted. We must be aware that it is once these scripts are executed that the behavior analysis of many solutions will detect them, but this has not been studied by LAB52.<\/p>\n\n\n\n<p>In all the artifacts analyzed, this actor shows its victims a decoy document in Arabic with different themes. 
Throughout the report these documents will be analyzed, together with who the likely targets are depending on the topic dealt with in each document.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Technical analysis<\/h3>\n\n\n\n<p>As indicated above, during August 2018 S2 Grupo CERT managed an incident aimed at the diplomatic services of different Middle Eastern countries.<\/p>\n\n\n\n<p>The attackers used malware written in Visual Basic Script (VBS) as a tool to control the victim. Starting from S2 Grupo CERT's study of this VBS, monitoring of this group began, and other artifacts from the same group were found in other sources, with different decoy documents and different strategies for execution, persistence, and so on. S2 Grupo does not have enough information to make any type of attribution or claim of authorship. These artifacts are considered related because they show similarities from a technical and temporal point of view and because of the decoy documents used, which are sometimes identical.<\/p>\n\n\n\n<p>One aspect observed during the investigation is that, after running the VBS, the attackers used the Empire post-exploitation framework (<a href=\"https:\/\/github.com\/EmpireProject\/Empire\">https:\/\/github.com\/EmpireProject\/Empire<\/a>).<\/p>\n\n\n\n<p>A total of five scripts, plus the one involved in the incident, could be collected. Below we detail the main characteristics of each.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Script 1: 617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a<\/h4>\n\n\n\n<p>This first file can be seen in Virus Total and has a low detection rate (4\/58). 
The last analysis took place on 12\/12\/2018.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"300\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img01.png\" alt=\"\" class=\"wp-image-255\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img01.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img01-300x122.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In this case the file was uploaded from Palestine to Virus Total:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"255\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img02-1.png\" alt=\"\" class=\"wp-image-257\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img02-1.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img02-1-300x103.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on <strong>5 Aug. 2018<\/strong>.<\/p>\n\n\n\n<p>Network communication occurs over HTTP to the <strong>micorsoft[.]store<\/strong> domain on port TCP\/2082. Since its creation, this domain has resolved to the following IP addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>104.31.78.17<\/li><li>104.31.79.17<\/li><li>185.86.79.243<\/li><\/ul>\n\n\n\n<p>It currently resolves to a Cloudflare address. Port 2082 is one of the ports allowed by Cloudflare for HTTP traffic. It should be noted that the first IP address it resolved to, 185.86.79.243, is geolocated in Ukraine. 
This IP address has been assigned to different domains, among them the malicious one.<\/p>\n\n\n\n<p>Apparently the attackers changed their IP address and hid behind Cloudflare at some point.<\/p>\n\n\n\n<p>In this script all of this communication information is in the <strong>RunPld() function<\/strong>. This function downloads the PowerShell code from the command and control server and executes it:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"415\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod01.png\" alt=\"\" class=\"wp-image-258\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod01.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod01-300x168.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>Another function common to these scripts is the writeDOC function. This function decodes the decoy document, writes it to disk and shows it to the victim. 
This document is base64-encoded and embedded in a variable in the script itself.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"327\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod02.png\" alt=\"\" class=\"wp-image-259\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod02.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod02-300x133.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The VBS script copies itself to APPDATA through the <strong>copyVBS()<\/strong> function:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"152\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod03.png\" alt=\"\" class=\"wp-image-260\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod03.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod03-300x62.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p><strong>The script itself does not establish persistence<\/strong> on its first execution, so either the attackers establish it later when they execute PowerShell, or they establish it by moving this script. Once copied to APPDATA, the script will have the following name: <strong>Update.vbs<\/strong>.<\/p>\n\n\n\n<p>On the other hand, if the script is running from APPDATA it does not show the document and only executes the RunPld() function, which is the PowerShell backdoor detailed previously. 
If it is not being executed from APPDATA, it shows the \u201cdecoy\u201d DOC file, copies itself and executes the backdoor (PowerShell script).<\/p>\n\n\n\n<p>When the victim executes the VBS file, a Word document is opened with the following content (on the left in Arabic, and next to it the translation made by Google Translate):<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"465\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_en_img01.png\" alt=\"\" class=\"wp-image-261\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_en_img01.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_en_img01-300x189.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The document shown is intended to simulate that it was sent from the Ministry of Foreign Affairs of Saudi Arabia. Presumably the addressee was the Ministry of Awqaf and Islamic Affairs of Kuwait, since (Kuwait \u2013 Jeddah) appears in the signature of the document itself. It was also apparently addressed to the Kuwaiti Consulate of the Cooperation Council of the Arab States of the Gulf, a highly important body within the countries of the Persian Gulf.<\/p>\n\n\n\n<p>The text mentions that the recipient will find attached a document from the Saudi Ministry of Foreign Affairs called \u201cHajj affairs\u201d, which is of interest to all those Arab countries with citizens interested in making the pilgrimage to Mecca. In addition, it encourages recipients to forward the document to other government organizations in countries with interests linked to the \u201cHajj\u201d that have been approved by the same Ministry of Culture of Saudi Arabia. 
\nPresumably, the author intends to spread the infection among the \u201cpartner states\u201d of Saudi Arabia; <strong>the \u201ctarget\u201d of the sender could be the members of the diplomatic corps of countries with an interest in the \u201cHajj\u201d<\/strong>, and especially the diplomats who are part of the Cooperation Council of the Arab States of the Gulf, since the sender promotes forwarding the document to all interested parties.<\/p>\n\n\n\n<p>There are five fundamental pillars within the religion of Islam. One of them is the \u201cHajj\u201d, which implies that all Muslims must visit Mecca at least once in their lifetime. This monument is located in the Jeddah region within Saudi Arabia. <strong>The \u201cHajj\u201d is significantly relevant to Muslims around the world<\/strong>. Consequently, this text is attractive and of interest to both Shi\u2019ite and Sunni Muslims.<\/p>\n\n\n\n<p><strong>The date of issuance of the document is relevant<\/strong>, as it was issued in August, approximately two weeks before the great pilgrimage, just when thousands of people of Muslim faith would begin the pilgrimage to Jeddah in Saudi Arabia. Consequently, the chances of a possible victim opening the document increase significantly.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Script 2: b4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa<\/h4>\n\n\n\n<p>This file in Virus Total has a low detection rate, 2\/56, and the last analysis took place on 1 Dec. 
2018.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"221\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img04.png\" alt=\"\" class=\"wp-image-262\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img04.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img04-300x90.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In this case the file was uploaded from Palestine to Virus Total:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"256\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img05.png\" alt=\"\" class=\"wp-image-263\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img05.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img05-300x104.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on <strong>08\/25\/2018<\/strong>.<\/p>\n\n\n\n<p>The network communication in this case also takes place over HTTP to the domain <strong>micorsoft[.]store<\/strong> on port TCP\/2082.<\/p>\n\n\n\n<p>In this case the script has exactly the same code as the hash \u201c617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a\u201d. 
The only thing that varies is the decoy document, which we can see below:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"255\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img06.png\" alt=\"\" class=\"wp-image-264\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img06.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img06-300x103.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The information presented in the document is directly related to security issues and internal political affairs of Palestine. The main actors mentioned in the text are Hamas, Al Fatah and the Palestinian government. The information is an analytical summary of the current political situation in Palestine and even analyzes some current aspects in geostrategic terms. In addition, the document discusses the potential political strategies that the previously mentioned actors could undertake in the future. This type of information is highly relevant for <strong>diplomats with political interests in the geographical area of Gaza and Palestine<\/strong>. Consequently, the document\u2019s target audience could plausibly be diplomats, politicians and professionals from the defense sector.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Script 3: b906f3c19c19e1b20b2d00bfb82b5453d5386d63b4db901ecade0f33dd38326a<\/h4>\n\n\n\n<p>This file in Virus Total has a low detection rate, 3\/56, and the last analysis took place on 1 Dec. 
2018.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"235\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img07.png\" alt=\"\" class=\"wp-image-265\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img07.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img07-300x95.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In this case the file was uploaded from Sweden to Virus Total:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"283\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img08.png\" alt=\"\" class=\"wp-image-266\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img08.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img08-300x115.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In the image you can confirm that it was uploaded by the community, from SE (Sweden), and also that it was uploaded for the first time on <strong>6 Nov. 2018<\/strong>.<\/p>\n\n\n\n<p>The network communication in this case also takes place over HTTP to the <strong>micorsoft[.]store<\/strong> domain on port TCP\/2082.<\/p>\n\n\n\n<p>In this case the script has exactly the same code as the previous two; the decoy document is identical to \u201c617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a\u201d, differing from the first one only in where it was uploaded from and the dates.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Script 4: 3d4a9466e9428ccb1cde05336f5366b29c7e5ae454ddaa4aa28c75c504c13d96<\/h4>\n\n\n\n<p>This file in Virus Total has a low detection rate, 8\/56, and the last analysis took place on 12\/12\/2018. 
We can see that this document has a higher detection rate than the rest, although it is true that some were not re-analyzed on December 12th.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"270\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img09.png\" alt=\"\" class=\"wp-image-267\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img09.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img09-300x109.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In this case the file was uploaded from Palestine to Virus Total:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"288\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img10.png\" alt=\"\" class=\"wp-image-268\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img10.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img10-300x117.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on <strong>08\/25\/2018<\/strong>. The upload date matches that of the hash \u201cb4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa\u201d.<\/p>\n\n\n\n<p>The network communication in this case takes place over HTTP to the domain <strong>office365-update[.]co<\/strong> on port TCP\/2082. 
This sample changes the domain, and the structure of the script is also different from the others, although it keeps functions and similarities in common with the rest.<\/p>\n\n\n\n<p>The IP addresses to which the domain has resolved are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>104.24.108.64<\/li><li>104.24.109.64<\/li><\/ul>\n\n\n\n<p>In this case the domain has always resolved to Cloudflare, and it has not been observed resolving to another IP address as in the previous case.<\/p>\n\n\n\n<p>The main body of the script is simple and we are going to review its flow:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"141\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod04.png\" alt=\"\" class=\"wp-image-269\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod04.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod04-300x57.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>Let us look at the logic of each of the functions.<\/p>\n\n\n\n<p>The first function that we find is <strong>writeTXT()<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"423\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod05.png\" alt=\"\" class=\"wp-image-270\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod05.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod05-300x171.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>What this function does is save, in a file named sys.txt in a path set by the script, the content of the fileContent variable, which is part of a PowerShell script. 
It should be noted that the write-to-file function used is <strong>wirte<\/strong>File(), which, as can be seen, contains a typographical error that has been observed in several of the scripts that implement this functionality.<\/p>\n\n\n\n<p>The function <strong>writeSCT()<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"274\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod06.png\" alt=\"\" class=\"wp-image-271\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod06.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod06-300x111.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The function creates an SCT (scriptlet) file on disk to execute, via JScript, a PowerShell script whose code is in the TXT file written by the writeTXT() function.<\/p>\n\n\n\n<p>Regsvr32.exe is used to trigger the execution:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"142\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod07.png\" alt=\"\" class=\"wp-image-272\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod07.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_cod07-300x58.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The writeDOC() function performs the same logic as in the hash \u201c617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a\u201d, which has already been explained.<br>\nIn this case the decoy document shown to the victim is the same as that presented in \u201cb4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa\u201d.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Script 5: 
4f5d633604b8a3cceb7d582bab640d47e8a5898458c5c2f0e28adcdf01aabf33<\/h4>\n\n\n\n<p>This file has a higher detection rate than the previous ones: you can see that 20\/58 antivirus engines identify it as harmful.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"403\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img11.png\" alt=\"\" class=\"wp-image-273\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img11.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img11-300x163.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"295\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img12.png\" alt=\"\" class=\"wp-image-274\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img12.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img12-300x120.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>In the image you can see that it was uploaded through the API, from the US, and also that it was uploaded for the first time on <strong>2 Sept. 2018<\/strong>. 
The date of upload is after the artifacts uploaded from Palestine, but close in time.<\/p>\n\n\n\n<p>In this case you can see a reference to this script in a tweet (<a href=\"https:\/\/twitter.com\/ItsReallyNick\/status\/1036687952544448512\">https:\/\/twitter.com\/ItsReallyNick\/status\/1036687952544448512<\/a>) by Nick Carr (@ItsReallyNick), where he details all the technical aspects of the script:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"220\" height=\"300\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img13.png\" alt=\"\" class=\"wp-image-275\"\/><\/figure><\/div>\n\n\n\n<p>By viewing the tweet thread we can see how they indicate that in this case a VBScript #Houdini RAT is run, and that the command and control server is hxxp:\/\/149.28.14[.]103:535\/is-ready.<\/p>\n\n\n\n<p>When looking for which domains have resolved to this IP address, it is observed that the only one categorized as malware is related to spdns.de, and searching for this domain name we come to the analysis <a href=\"https:\/\/gist.github.com\/JohnLaTwC\/ccdcbeb85649ef9feaae045482d694b9\">https:\/\/gist.github.com\/JohnLaTwC\/ccdcbeb85649ef9feaae045482d694b9<\/a> (from @JohnLaTwC), which shows how this domain is configured with port 535 and with HTTP requests from the Houdini RAT. 
The domain was resolving to IP addresses until <strong>August 30, 2018<\/strong>.<\/p>\n\n\n\n<p>The fact that in this case the actor uses Houdini differs from the rest of the VBS found, which based their execution on a PowerShell script that received commands from a remote server and executed them, but even so there are several aspects that lead us to think that it is the same actor:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>There are matching function names: writeTXT, writeDOC, wirteFile (this is a very important indicator, since it is the same typographical error).<\/li><li>writeDOC has the same logic and, besides, the decoy document is also in Arabic.<\/li><\/ul>\n\n\n\n<p>In this case the decoy document is different from the previous ones, so everything suggests that the objective is different:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"575\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img14.png\" alt=\"\" class=\"wp-image-276\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img14.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img14-300x233.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n\n\n\n<p>The document refers to information related to the Security Forces in the territory of northern Gaza involved in defending the border. The information refers to an accreditation and decoration by Palestinian governmental authorities for members of the law enforcement and security forces. 
The target of this malicious document could be <strong>soldiers, police, professionals linked to the Ministry of Defense and members of the diplomatic corps in Gaza<\/strong>. The current government within the Gaza Strip is Hamas, a party that has a military arm considered a terrorist group by several countries.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Indicators of compromise<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"227\" src=\"https:\/\/lab52.es\/blog\/wp-content\/uploads\/2019\/04\/wirte_img15.png\" alt=\"\" class=\"wp-image-277\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img15.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/wirte_img15-300x92.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Intelligence Development Group of S2 Grupo has carried out an investigation into an actor for which LAB52 has not been able to find references or similarities in open sources and which has been identified as WIRTE. 
The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018 [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":404,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-118","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/Captura-mezquita-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/04\/Captura-mezquita-600x443.png","author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/118"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":6,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"predecessor-version":[{"id":1142,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions\/1142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/404"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=118"},
{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}