


In recent analysis of malicious activity likely targeting entities based in the Middle East, IBM X-Force Incident Response and Intelligence Services (IRIS) discovered backdoor malware packed with the legitimate Enigma Protector software. We named this malware “EnigmaSpark” per the Enigma Protector and the string “Spark4.2” from a .pdb file path, and published our findings to the X-Force IRIS Enterprise Intelligence Management platform on TruSTAR in early February 2020.

This discovery likely represents politically motivated attempts to target the network environments of entities or organizations that maintain a significant interest in or support of a new Middle East peace plan. The files IBM X-Force IRIS uncovered suggest that attackers crafted detailed and politically charged documents, taking advantage of geopolitical developments in the Middle East. The recipients of these emails are lured into opening malicious attachments, enabling the actor to compromise victim environments with the potential to exfiltrate data of interest or gain the ability to take other actions in compromised environments. The observed EnigmaSpark campaign appears related to opposition to the recent Middle East peace plan. Adversaries using EnigmaSpark likely relied on recipients’ significant interest in regional events or anticipated fear prompted by the spoofed content, illustrating how adversaries may exploit ongoing geopolitical events to enable malicious cyber activity. Based on the contents of the uncovered files and surrounding political events, it’s highly likely the EnigmaSpark activity targets Arabic speakers interested in Palestine’s potential acceptance of the peace plan.

In late January 2020, X-Force IRIS began looking into a suspicious Microsoft Word downloader file: “a.docx”. Based on its similarities in tactics, techniques and procedures (TTPs), malware capabilities, and overlaps in geostrategic context and targeting, we believe that the activity is likely related to the Molerats group. It further coincides with the January 2020 JhoneRAT espionage campaign that targeted Arabic-speaking entities in the Middle East. The EnigmaSpark activity discovered by IRIS also closely aligns with “The Spark Campaign” reported by the Cybereason Nocturnus team, and the Spark Backdoor reported by Palo Alto Networks’ Unit 42.
