Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures

MITRE Techniques

• [T1566.001] Phishing – The distribution mechanism could be via social media (Facebook and Discord appear to be favored among these campaigns), file sharing (OneDrive), or a phishing email. ‘The distribution mechanism could be via social media (Facebook and Discord appear to be favored among these campaigns), file sharing (OneDrive), or a phishing email.’
• [T1204.002] User Execution – The CAB file is masqueraded as a sensitive audio file and opened by the user to trigger infection. ‘The malicious CAB file contains an obfuscated VBS (Virtual Basic Script) dropper responsible for delivering the next stage of the attack.’
• [T1105] Ingress Tool Transfer – The dropper fetches the malware from a compromised or spoofed host. ‘When downloaded, the obfuscated VBS script runs to fetch the malware from a compromised or spoofed host.’
• [T1059.005] VBScript – The initial CAB dropper uses a VBScript to stage the attack. ‘The CAB file contains an obfuscated VBS script that functions as the agent…’
• [T1059.001] PowerShell – The second stage payload is a PowerShell script responsible for injecting NjRAT. ‘KxFXQGVBtb.ps1: Load Payload_1 and Payload_2 into the memory and inject NjRAT into the aspnet_compiler.exe via payload_1’
• [T1027] Obfuscated/Compressed Files and Information – The VBS and PowerShell payloads are obfuscated. ‘the second stage dropper (SHA256: 78ac9da3…) is an obfuscated PowerShell script’
• [T1055] Process Injection – NjRAT is injected into a legitimate process via a process injector. ‘NjRAT into the aspnet_compiler.exe via the process injector.’
• [T1547.001] Boot or Logon Initialization Scripts (Startup Folder) – Persistence by adding startup-related folders and keys. ‘adding the directory C:ProgramDataWindowsHost to the “User Shell” folders and “Shell” folders to the startup keys accordingly.’