Desert Dexter. Attacks on Middle Eastern countries

This article discusses a malicious campaign by a threat actor named “Desert Dexter,” which targets victims in the Middle East and North Africa through fake news posts on social media to distribute a modified version of AsyncRAT malware. Approximately 900 victims have been identified, with a focus on countries like Egypt, Libya, and Saudi Arabia. The attackers utilize various techniques to bypass ad filtering and exploit geopolitical tensions to lure victims into executing malicious files. Affected: Middle East, North Africa; individuals in the oil, construction, IT and agriculture sectors.

Key points:

  • The campaign is attributed to the group “Desert Dexter,” targeting the Middle East and North Africa.
  • Attackers use social media for malware distribution, taking advantage of geopolitical tensions.
  • Victims are led to malware hosted on file-sharing services or through Telegram channels.
  • Approximately 900 victims have been identified across several countries.
  • The malware includes a modified version of AsyncRAT that targets cryptocurrency credentials.
  • The attackers simulate legitimate media to promote their malicious links.
  • Various scripting methods, including PowerShell and VBS, are employed in the attack.
  • The campaign shows advancement from earlier similar campaigns described in 2019.

MITRE Techniques:

  • T1585.001 – Establish Accounts: Social Media Accounts – Desert Dexter creates channels on Facebook and Telegram resembling news agencies.
  • T1588.001 – Obtain Capabilities: Malware – The group modifies AsyncRAT to communicate with a Telegram bot.
  • T1608.001 – Stage Capabilities: Upload Malware – Malicious archives are uploaded to files.fm or Telegram channels.
  • T1608.006 – Stage Capabilities: SEO Poisoning – Utilizes Facebook’s advertising to attract victims.
  • T1566.002 – Drive-by Compromise – Provides links to RAR archives through ads.
  • T1204.002 – User Execution: Malicious File – Tricks victims into opening BAT or JS scripts within RAR files.
  • T1059.001 – Command and Scripting Interpreter: PowerShell – Used for persistence and data collection.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell – Utilizes BAT scripts during the attack.
  • T1059.005 – Command and Scripting Interpreter: Visual Basic – Employed in the attack’s intermediate stages.
  • T1059.007 – Command and Scripting Interpreter: JavaScript – Used in early attack stages.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys /Startup Folder – Modifies registry keys for persistence.
  • T1140 – Deobfuscate/Decode Files or Information – Obfuscates AsyncRAT code and scripts.
  • T1620 – Reflective Code Loading – Uses a reflective loader written in C# for code injection.
  • T1056.001 – Input Capture: Keylogging – Employs a keylogger within AsyncRAT to capture keystrokes.
  • T1074.001 – Data Staged: Local Data Staging – Logs keystrokes to a local file.
  • T1113 – Screen Capture – Takes screenshots and sends them to the Telegram bot.
  • T1568 – Dynamic Resolution – Utilizes DDNS domains as command and control servers.
  • T1571 – Non-Standard Port – Communicates through port 6161 for AsyncRAT.
  • T1020.001 – Automated Exfiltration – Collects system information for exfiltration via the IdSender module.
  • T1657 – Financial Theft – Targets credentials for cryptocurrency wallets.
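The execution, persistence and C2 traits listed above (script host spawning PowerShell, Run-key persistence, AsyncRAT on port 6161 to a DDNS host) translate into simple host-telemetry checks. The following Python sketch is an added example, not code from the PT Security report; the event field names, the DDNS suffix list and the sample events are assumptions constructed for illustration.

```python
# Detection sketch for the Desert Dexter chain summarised above: a script host
# spawning PowerShell (T1059.x), Run-key persistence (T1547.001) and AsyncRAT
# C2 on port 6161 to a DDNS hostname (T1571 / T1568).
import re
from typing import Dict, List, Tuple

# Assumed DDNS suffixes for illustration; extend with your own provider list.
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ASYNCRAT_PORT = 6161  # port stated in the report summary

def detect(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Return (rule, event) pairs for events matching one of the three checks."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                hits.append(("T1059.001 powershell spawned by script host", ev))
        elif kind == "registry":
            value = ev["value"].lower()
            if RUN_KEY.search(ev["target"]) and any(h in value for h in SCRIPT_HOSTS | {"powershell"}):
                hits.append(("T1547.001 run-key persistence via script host", ev))
        elif kind == "network":
            host = ev["dest_host"].lower()
            if ev["dest_port"] == ASYNCRAT_PORT and host.endswith(DDNS_SUFFIXES):
                hits.append(("T1571/T1568 AsyncRAT port to DDNS host", ev))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1"},
    {"type": "process", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "cmdline": "notepad++.exe"},
    {"type": "registry", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "value": "wscript.exe //B C:\\Users\\u\\AppData\\Roaming\\update.vbs"},
    {"type": "network", "dest_host": "example-host.ddns.net", "dest_port": 6161},
    {"type": "network", "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "->", ev)
```

Each check alone is noisy on a real fleet; correlating two or more of them on the same host within a short window is what makes the chain stand out.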

Indicators of Compromise:

  • [URL] https://files[.]fm/f/yqsvtu99kn
  • [URL] https://files[.]fm/u/y5dys7zp96
  • [URL] https://files[.]fm/f/t5pp6hv9w4
  • [URL] https://files[.]fm/f/9xxadwws3e
  • [URL] https://files[.]fm/f/jp4nmyz3e7

Full Story: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/desert-dexter-attacks-on-middle-eastern-countries