Researchers have found a group of Iranian cybercriminals targeting UAE government websites with a chain of attacks last year.
“Last year, the FortiEDR research lab identified several simultaneous attacks targeting a government entity in the United Arab Emirates. Some were classified as known threats, such as JS_POWMET and AdKoob, while one remained unidentified,” said the FortiEDR research lab report.
According to the researchers, the isolated and highly targeted attack involved a custom PowerShell-based backdoor known as PowerExchange.
This particular backdoor employed an email-based command and control (C2) protocol, utilizing the victim’s Microsoft Exchange server as the central C2 server.
A comprehensive forensic investigation of the affected network revealed the presence of the PowerExchange backdoor on additional endpoints, as well as the discovery of multiple other implants on various servers.
Notably, one of the implants identified on Microsoft Exchange servers was a previously unseen web shell called ExchangeLeech, which gained its name due to its distinctive capability to gather sensitive credentials.
“We see indicators of an Iranian threat actor operating these tools,” said the report.
Iranian cybercriminals targeting UAE government: Attack details
The Iranian cybercriminals targeting UAE government websites used phishing as the initial infection vector. A user unknowingly opened a zip file called Brochure.zip, which contained a malicious .NET executable named Brochure.exe.
This executable, disguised with an Adobe PDF icon, displayed an error message box when run. In reality, it was a dropper that installed and executed the final payload.
The dropper installed the final payload as autosave.exe and maintained persistence for it through a scheduled task named MicrosoftEdgeUpdateService, which ran every five minutes.
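The persistence described above, a scheduled task with a vendor-sounding name that launches a binary from the user's profile every five minutes, is something a defender can hunt for in a scheduled-task export. The script below is an added example, not code from Fortinet or from the report; it parses a constructed sample in the shape of `schtasks /query /v /fo CSV` output (only a subset of columns is used, and the column names are assumed to match that export) and flags tasks whose name mimics an updater but whose action runs from a user-writable path, noting a short repeat interval as a second indicator.

```python
import csv
import io
import re

# Constructed sample: a subset of the columns that `schtasks /query /v /fo CSV`
# exports on a Windows host. Column names are assumed to match that export;
# the rows themselves are made up for this example.
SAMPLE_TASK_EXPORT = r"""
"TaskName","Task To Run","Run As User","Repeat: Every"
"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","%systemroot%\system32\usoclient.exe StartScan","SYSTEM","N/A"
"\MicrosoftEdgeUpdateService","C:\Users\jdoe\AppData\Roaming\autosave.exe","CORP\jdoe","0 Hour(s), 5 Minute(s)"
"\MicrosoftEdgeUpdateTaskMachineCore","C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c","SYSTEM","1 Hour(s), 0 Minute(s)"
"""

# Task names that borrow a vendor's updater branding deserve a closer look.
VENDOR_NAME_RE = re.compile(r"(microsoft|edge|google|adobe|update)", re.IGNORECASE)
# Locations a standard user can write to; genuine updaters are not installed here.
USER_WRITABLE_RE = re.compile(r"(\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\programdata\\)",
                              re.IGNORECASE)
# The 'Repeat: Every' column reads like "0 Hour(s), 5 Minute(s)" or "N/A".
INTERVAL_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def parse_repeat_interval(text):
    """Turn the 'Repeat: Every' column into minutes; None when the task does not repeat."""
    m = INTERVAL_RE.search(text)
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def find_suspicious_tasks(csv_text, max_interval_minutes=15):
    """Flag tasks whose name mimics a vendor updater but whose action runs from a
    user-writable path; a short repeat interval is recorded as a second indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = row["TaskName"]
        action = row["Task To Run"]
        if not (VENDOR_NAME_RE.search(name) and USER_WRITABLE_RE.search(action)):
            continue
        reasons = ["vendor-like task name but action runs from a user-writable path"]
        interval = parse_repeat_interval(row["Repeat: Every"])
        if interval is not None and interval <= max_interval_minutes:
            reasons.append(f"repeats every {interval} minute(s)")
        findings.append({"task": name, "action": action, "run_as": row["Run As User"],
                         "interval_minutes": interval, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_TASK_EXPORT):
        print(hit["task"], "->", hit["action"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Against the sample, only the task that runs autosave.exe from the user's AppData folder is reported; the genuine Edge updater task has a similar name but runs from Program Files, which is why the path check, not the name alone, carries the decision.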
The backdoor also sent its messages to the attackers as email attachments. The emails carried only the text ‘Microsoft Edge Update’ in the body, while the machine details were placed in an attachment named ‘Next Text Document.txt’.
Commands followed by the PowerExchange backdoor (Photo: Fortinet)
The attacker then replied to the same message by email with additional commands. To move laterally across the network, the operators used variants of the Invoke-WMIExec and Invoke-SMBClient PowerShell modules from the Invoke-TheHash project.
The Iranian cybercriminals targeting the UAE moved through the Domain Controllers and the enterprise Exchange servers. There they found users’ login credentials in clear text, which basic authentication exposes.
According to reports, the backdoor used by the Iranian cybercriminals targeting UAE government websites resembles the one used in cyberattacks on Kuwaiti government organizations. Those attacks employed the TriFive backdoor and were linked to APT34.
The similarities between the two backdoors were as follows:
- They were both written in PowerShell.
- Both were scheduled to run at regular intervals.
- The C2 channel leveraged the targets’ Exchange server with EWS API.
- Both used phishing emails to initiate the cyberattacks.
- The targets overlap with those previously attacked by APT34.
It is speculated that PowerExchange is a reworked version of TriFive backdoor.
Detection and prevention of attacks by the Iranian cybercriminals targeting the UAE
The Iranian cybercriminals found targeting UAE government organizations evaded detection because the backdoor’s traffic blended in with genuine Exchange traffic.
“Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization’s infrastructure,” the Fortinet blog read.
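Network sensors outside the mail server see only ordinary client-to-Exchange traffic, but the Exchange server's own IIS logs still record every EWS request, and a backdoor driven by a five-minute scheduled task polls at a cadence no human-operated mail client shows. The script below is an added example, not Fortinet's detection logic: it reads a constructed IIS log sample in the W3C format Exchange uses (field names, addresses, user agents and timestamps are all made up for this example) and reports (user, client IP, user agent) groups whose EWS requests arrive at a near-constant interval.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the W3C extended format that Exchange's IIS logs use.
# The field list, client addresses, user agents and timestamps are made up for
# this example; IIS writes spaces inside the user agent as '+'.
SAMPLE_EWS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2023-03-01 09:00:02 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:00:10 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.14332) 200
2023-03-01 09:01:45 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.14332) 200
2023-03-01 09:02:11 GET /owa/ CORP\\asmith 10.1.5.40 Mozilla/5.0+(Windows+NT+10.0) 200
2023-03-01 09:05:03 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:07:30 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.14332) 200
2023-03-01 09:10:01 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:12:40 POST /EWS/Exchange.asmx CORP\\asmith 10.1.5.40 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:15:04 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:20:02 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 ExchangeServicesClient/15.00.0913.015 200
2023-03-01 09:20:12 POST /EWS/Exchange.asmx CORP\\jdoe 10.1.5.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.14332) 200
"""


def parse_iis_log(log_text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def find_beacon_like_ews_clients(log_text, min_hits=4, min_period_s=60,
                                 max_period_s=900, max_jitter_s=30):
    """Group EWS requests by (user, client IP, user agent) and report groups that
    poll at a steady cadence. A scheduled task firing every few minutes produces
    near-constant gaps between requests; an interactive mail client does not."""
    series = defaultdict(list)
    for rec in parse_iis_log(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/ews/"):
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        series[(rec["cs-username"], rec["c-ip"], rec["cs(User-Agent)"])].append(when)

    findings = []
    for (user, ip, agent), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps)
        if min_period_s <= period <= max_period_s and jitter <= max_jitter_s:
            findings.append({"user": user, "client_ip": ip, "user_agent": agent,
                             "hits": len(stamps), "mean_interval_s": period,
                             "jitter_s": round(jitter, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_beacon_like_ews_clients(SAMPLE_EWS_LOG):
        print(f"{hit['user']} from {hit['client_ip']} via {hit['user_agent']}: "
              f"{hit['hits']} EWS calls, every {hit['mean_interval_s']:.0f}s "
              f"(jitter {hit['jitter_s']}s)")
```

In the sample, the same user on the same workstation produces two EWS series: the Outlook series is irregular and is ignored, while the scripted series returns every 300 seconds with about two seconds of jitter and is reported. The cadence, not the user agent string, is the signal; a legitimate EWS integration with the same agent string but only a couple of requests falls below the hit threshold. Thresholds are starting points and should be tuned against a baseline of the organization's own EWS traffic.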
To counter this kind of evasion, users and organizations are advised to deploy a robust endpoint security solution across all devices.
Employees are also expected to scrutinize the URL, file name, file source, and every other detail of emails from both seemingly known and unknown senders, so as not to hand access to attackers such as the Iranian cybercriminals that targeted UAE government websites.
“Phishing remains an effective tactic for threat actors to compromise their targets, exploiting the weakest link, the human element, and benefiting from the relatively low complexity and cost of work,” the Fortinet blog post added.