Monitoring Iranian activity in cyberspace, we have uncovered an online propaganda-and-disinformation operation, containing dozens of websites that impersonate western media outlets. At the center of the operation is the BBC Persian website. We call this operation Ayatollah BBC. We estimate that the main objective of the operation is to undermine the credibility of western media […]
Read More
LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America
leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used; most are Remote Access Trojans and keyloggers.
Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
Iranian threat agent Greenbug has been registering domains similar to those of Israeli high-tech and cyber security companies. By pivoting off the registration details and server data of the two domains, we discovered others registered by the threat agent. Eight contain the name of an Israeli high-tech or cyber security company, and one contains the name of a Saudi Arabian company that performs testing and commissioning of major electrical equipment.
Read More
Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
Recently we detected new samples and infrastructure of ISMAgent, a trojan in use by the Iranian threat group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64-encoded digital certificate and decoded via certutil.exe. This post describes the new campaign.
change managment.dot
Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL: http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf
Read More
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and […]
Read More
Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten
On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement: “After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI […]
Read More
Operation Electric Powder – Who is targeting Israel Electric Company?
Attackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign. From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, and self-hosted and cloud-based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These […]
Read More
Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. Later, the attackers set up […]
Read More
Attacks Against Customer Service Centers by Impersonation of Potential Clients
Hundreds of customer service centers have been targeted in a campaign going back at least to August 2016. An email is sent to the “contact us” or “customer support” address of an online shop. The sender pretends to be a customer who has a problem with the online shopping cart or is just asking to […]
Read More