March 27, 2017

A new spear phishing campaign is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.

We know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro.
macro doc
Document overview:
A quick analysis with oletools shows us the sections within the macro:


The payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then executed:

Binary overview:
Let’s take a look at the dropped binary itself. It is coded in .NET and not obfuscated. Here’s the encrypted payload:

encrypted payload
Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs:


It sets persistence for auto-relaunch via the Task Scheduler:

The purpose of this piece of malware appears to be stealing information and uploading it to a remote server:

sync storage

According to reports from sources, Malwarebytes Anti-Exploit blocked the targeted attack proactively without the use of signature updates thanks to its Application Behavior protection layer for all consumer and corporate users of Malwarebytes. Malwarebytes Anti-Malware also detects and remediates the threat completely.

We will continue to analyze this threat and update the post at a later time with more information.

MBAE business
Malwarebytes block


Word dropper:
ransom3Binary payload:
ransom4Payload names:
Network communications:


News Courtesy :