Rewterz Threat Alert – Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East

October 1, 2020

Severity

High

Analysis Summary

An increase is seen in targeted attacks against multiple supply chain-related organizations in the oil and gas sector in the Middle East. These targeted attacks use malicious PDF files sent as email attachments used to distribute an information-stealing Trojan, AZORult, in target organizations. The attack chain begins with an email that appears to be from an official working at the ADNOC and is targeted at officials working in the supply chain and government sectors in the Middle East. Each email in this campaign has an attached PDF file. This PDF contains download links on the first page that lead to legitimate file sharing sites, such as wetransfer and mega.nz where a ZIP archive is hosted. The ZIP archive contains a malicious and packed .NET executable that will decrypt, load, and execute the embedded AZORult binary.

The PDF files attached to the email are multipage documents (containing 14 pages) that appear to be Requests for Quotations (RFQ) for supply contracts and legal tenders for various projects based in the Middle East. The decoy documents are carefully crafted to appear legitimate for social engineering purposes. AZORult upon execution will perform information stealing activities on the machine and exfiltrate the information by sending an HTTP POST request to the URL: hxxp[:]//crevisoft.net/images/backgrounds/ob/index.php.

Impact

Information theft
Data exfiltration

Indicators of Compromise

Filename

PI-18031 Dalma Gas Development Project (Package B) -TENDER BULLETIN-01[.]pdf
AJC-QA HAMAD INTERNATIONAL AIRPORT EXPANSION DOHA[.]pdf

From Email

salessigma87@gmail[.]com

MD5

5d9ed128316cfa8ee62b91c75c28acd1
d8e3637efba977b09faf30ca49d75005
653f85816361c108adc54a2a1fadadcf
f2319ddb303c2a5b31b05d8d77e08b4e
741f66311653f41f226cbc4591325ca4
9cf615982d69d25b1d0057617bd72a95
a74c619fd61381a51734235c0539e827
ae5f14478d5e06c1b2dc2685cbe992c1
70a92fdba79eaca554ad6740230e7b9a
84e7b5a60cd771173b75a775e0399bc7
de521f9e4bc6e934bb911f4db4a92d36
bafdeef536c4a4f4acef6bdea0986c0b
b7b41d93709777780712f52a9acf7a26
c2ac9c87780e20e609ba8c99d736bec1
ede5fa9b9af1aeb13a2f54da992e0c37
cf04d33371a72d37e6b0e1606c7cd9a2
02ae44011006e358a3b1ccbd85ba01f2
0988195ab961071b4aa2d7a8c8e6372d
3510cbf8b097e42745cfb6782783af2b
abab000b3162ed6001ed8a11024dd21c
912dbb9e0400987c122f73e0b11876c0
328aa4addb7e475c3721e2ae93391446
e9dfa14e4f6048b6f3d0201b2f3c62fe
6d0241bc7d4a850f3067bc40124b3f52
694a6568b7572125305bdb4b24cebe98
38360115294c49538ab15b5ec3037a77
80149a26ee10786d6f7deaf9fb840314
7860c138e3b8f40bfb6efec08f4a4068
2260d015eacdc14e26be93fbc33c92aa
2710cc01302c480cd7cd28251743faf0
40b5976eb7ddd1d372e34908f74ba0c4
0f4cd9e8111d4eeda89dbe2ce08f6573
6944f771f95a94e8c1839578523f5415
73ddf9f8fc3dc81671ea6c7600e68947
24e67f40ccb69edb88cc990099ef2ffe
3ce6cc6dee4563eb752e55103cdb84d4
e368837a6cc3f6ec5dfae9a71203f2e2
1c5cb47fd95373ade75d61c1ae366f8b
131772a1bb511f2010da66c9c7dca32f
549a06cb43563dad994b86e8f105323a
653e737fd4433a7cfe16df3768f1c07e
40c1156d98c39ac08fd925d86775586d
3bcbe4d2951987363257a0612a107101
36e5726399319691b6d38150eb778ea7
1693f1186a3f1f683893b41b91990773
42aec0b84a21fa36fc26b8210c197483
5321cd5b520d0d7c9100c7d66e8274e1
d51d5e4c193617fa676154d1fe1d4802
8e5c562186c39d7ec4b38976f9752297
c7ced41f38b2d481d1910663a14fbec4
cdfde809746759074bcd8ba54eb19ccd
6f1bd3cb6e104ed6607e148086b1e171
34cae3ae03a2ef9bc4056ca72adb73fc
fcf7a9b93cffddf0a242a8fc83845ee3
9db3d79403f09b3d216ee84e4ee28ed3
b520f4f9d87940a55363161491e69306
7fa5028f2394dcea02d4fdf186b3761f
62a05b00c7e7605f7b856c05c89ee748
67f178fd202aee0a0b70d153b867cb5e
2b719eeca275228fbead4c1d3016b8e4
d03fb3e473bd95c314987a1b166a92ed
ebdcb07d3de1c8d426f1e73ef4eb10f4
f626e64f57d3b8c840a72bbfbe9fb6ca
54fc7650a8b5c1c8dc85e84732a6d2c7
c4380b4cd776bbe06528e70d5554ff63
39598369bfca26da8fc4d71be4165ab4
363030120a612974b1eb53cc438bafcb
8fe5f4c646fd1caa71cb772ed11ce2e5
fe928252d87b18cb0d0820eca3bf047a
3c83b0fe45e15a2fd65ed64a8e1f65e9
5c857bf3cf52609ad072d6d74a4ed443
d258ba34b48bd0013bfce3308576d644
7a016c37fa50989e082b7f1ca2826f04
269cfd5b77ddf5cb8c852c78c47c7c4c
93c8ed2915d8a3ff7285e0aa3106073e
3d019ede3100c29abea7a7d3f05c642b
709895dd53d55eec5a556cf1544fc5b9
8d7785c8142c86eb2668a3e8f36c5520

SHA-256

f25631baec60ffc079f67a97c1d99813cf3d09af53c9c46f61c485b000e12a3e
f6be907ce6e89850a46705a5b8be2e7ca9f4dc2d2cc800ee6fbdca632ea183f9
0b2226eacb382e9194b5cd3efa45622ae4a41f8241cad80cc9025737313f333d
5481ba9e83ec03bd7b04e8fea3c5f68324e242fd9c837ed25b7904d9b883b79c
aa1a29e789d6dcd5e1f64baee2b80dcd7bb7f3fc32e6cd0f5ef6a99e3abb1392
5dac54ff1c22ea4ff85ae1507e67b2ed32fda053cc240cc33b661f9529300c3d
9f52e19e30ffe6f24ec6e30276686f05af774bad7e15142e8bf159c6e27012a8
19ad3ac63055a24ae94224c18808308f96f3167095d126423001686686b436c0
f93c93ad1b377e8effafc4c88b233eaf221e2ada5b7366dbcabe67f35c700fcd
5180a77d4bee4305198fffcbb80f47dc73a3d43f7bf074ee3c3c6723a59103c1
d4c1348047aba82c116ec38bdc6553f6938bb48b85dcae8f21ddf1e6a03da29e
8273bcd578d56ed2a2166765d1453c6b3e20e7e5cb3d38e64c4ef8d37fa52c7d
2eab0059434d3ff746efd418bef6ca10da82df73d530a622300556e030d6c90e
40d6a2ed721d31a19e3638aa11170c652774d90ce822d04efb64dfac1a0d0102
0d87670548b37d4ebdab4c8aba78fb60b2486aaaa986d0f56371ab3164be2fc4
91ad67227ad115e1de2cbd85d18e67abcc43d880ba312ca4144973fc65373e7b
bf1150eacbfd75a3be55c4651a8ec6639010a91aeb9833ca9fd9615c8898ef3b
d20be0245f988e5e04645ec6aee35ceec574128ba7c24c8311ed012b0f6727a7
f2903d6b811d2113c864a7a8ef1121e207af42ea614ab4a1d4d8de9a07303a82
bf5e8f01e328bd96c4ffcef98a9b87fe730f73495fc0a5e614d44adbe205207f

SHA1

4c7e9749b7401e055ee97ac07535525e2f285a75
a25190f95d622191b6af85fce283fb1887f9b1c7
9421c98e65807afe57aa7480af500daa1a33c609
8d8e9cf2d6a988a24c568af5102c79399bfbd29b
e889640b398a011dc6316e3e55f844f28f310a23
d827b82dee48c353ac7ca1bf59161c33fc0308e7
75dc7f8e72ed42151c175dbe1fb8903a20596fcb
d76b4b51ec6dbaa5b8a2e7ce3e12cf38fff02cf5
c155f6a81b947a0ee0b09c32676145675b05de88
f6ecb0c95721ab0a60a7b0b5cc40dffbc06bae60
ceb05d319efe53a473a9a05522e7e1d7a752c7d5
eed2b590a1b8e60d8cd62a3293dd6bec2623a24a
74101734d91ea64878b4e5739c18fc38b2c90b82
93dbfd4d27256c596d2426bb35e63b7188033e6c
42242770cfc7af57f86251f64f2d2a1b37dd319c
3ffa62d092cf133daa8517cc3841e9a6422702ee
5f3d10f391f2a5f0788ff13f9a8077eef15ae2e6
004a3292a937f33d285e34c6805de1b9f1096412
6e393ca248a2ccf742b4c75af26f7720ec348d63
0dfd883ce6f890283b432a8c56fa1401cc12d0e6

URL

https[:]//www[.]dropbox[.]com/s/cym2723azwnb364/ADNOC%202020%20REQUEST%20FOR%20QUOTATIONREQUEST%20FOR%20TENDER%20CODE%2076384_pdf[.]zip?dl=0
https[:]//www[.]dropbox[.]com/s/5b0bti9r6xhf3pq/ADNOC%202020%20REQUIREMENT%20TENDER%20RFQ%2056774387_PDF[.]zip?dl=0
https[:]//www[.]aljaber-llc[.]com/projects/files/ALJABER-RFQ-38982254237312018-848000071984-04-23-Rev-1[.]1[.]zip
https[:]//we[.]tl/t-zC6Wz4CpfZ
https[:]//we[.]tl/t-wQB6ioE8dL
https[:]//we[.]tl/t-uwwupT1WNc
https[:]//we[.]tl/t-utJr50o6uf
https[:]//we[.]tl/t-u3NL7Wnplr
https[:]//we[.]tl/t-spOqYklJIQ
https[:]//we[.]tl/t-oAkwGNORsR
https[:]//we[.]tl/t-nMKuKWbMlE
https[:]//we[.]tl/t-lBcWz3Rcbs
https[:]//we[.]tl/t-ikxwkPtSBi
https[:]//we[.]tl/t-hSqtTJDi1f
https[:]//we[.]tl/t-feLBFQVV1P
https[:]//we[.]tl/t-egfvdBvESW
https[:]//we[.]tl/t-dGN9sRTnch
https[:]//we[.]tl/t-cunxjPBouY
https[:]//we[.]tl/t-cJa4jY9Egz
https[:]//we[.]tl/t-cFvm5QQlyV
https[:]//we[.]tl/t-ad5X6peqHj
https[:]//we[.]tl/t-aBUVx3EMdx
https[:]//we[.]tl/t-ZcyzrvcBkP
https[:]//we[.]tl/t-YlbV0AIU5b
https[:]//we[.]tl/t-XsVO5hewBu
https[:]//we[.]tl/t-XdOjUbrcK8
https[:]//we[.]tl/t-TbbBN9VnEZ
https[:]//we[.]tl/t-QuCLQY3cTh
https[:]//we[.]tl/t-P2Lt34YUcf
https[:]//we[.]tl/t-Out44emJ9t
https[:]//we[.]tl/t-NwSigkLd2E
https[:]//we[.]tl/t-MtgNnMbTij
https[:]//we[.]tl/t-MkUZugwABd
https[:]//we[.]tl/t-MFcMWYK7HL
https[:]//we[.]tl/t-HZygDd5TUJ
https[:]//we[.]tl/t-FkBOHwy1ME
https[:]//we[.]tl/t-E1iDs5Bghr
https[:]//we[.]tl/t-Didobux8kG
https[:]//we[.]tl/t-AgAdhMTWIm
https[:]//we[.]tl/t-9RVc3dflK6
https[:]//we[.]tl/t-7XwI9xNjQj
https[:]//we[.]tl/t-5wQSJsFUlC
https[:]//we[.]tl/t-4BnTk2Hwiv
https[:]//we[.]tl/t-39SvbwCY2E
https[:]//we[.]tl/t-2a9aq4LJSn
https[:]//we[.]tl/t-2L7ajlJSCG
https[:]//we[.]tl/t-1yLti4IfaN
https[:]//we[.]tl/t-1hWeuMe1h7
https[:]//we[.]tl/t-1VyVEAtzAf
https[:]//we[.]tl/t-0NlciPHf5y
https[:]//mega[.]nz/file/zsIB2aLK#pyTNpp8H4pZhpq0i7w0OB8itu3Rj_02n9BksARDrlzc
https[:]//mega[.]nz/file/u7xRlS7T#I8L3NL_zi-JizZagSF-E1Gcj5I8ednV6YdqyWs5RnNo
https[:]//mega[.]nz/file/q55WVIKB#zm3CTH6XEv63mwacATKpo2AMe7yjFmp-KpQXUBkhZJ4
https[:]//mega[.]nz/file/fkImWKab#zvyeMmsYgGiu-hK-FT0o4OBozg0r4gWPRUtAr6iRvwM
https[:]//mega[.]nz/file/f1RTVa4A#2uGmQV64RKkNYZEECYXFKjGPS-nalF2ZshufSgqsA_k
https[:]//mega[.]nz/file/Ptp1CL6R#EvbG9Gh435cDmmXXyU1_l4dM3Bq9fP2B8VdjirGiK_c
https[:]//mega[.]nz/file/GpB3VIyS#3-tKCJ8d-y782IN0570wHMMKQ244ttzBRpUmFXh6LZQ
https[:]//mega[.]nz/file/G5YmjCYJ#jvqrZX2ZLXn3SAI9nzf8w6mWtxTM4_fwx7VzHdqzfqM
https[:]//mega[.]nz/#!zygWnKAS!5kp8IWNec2HK-YPK2gk-hmLa416PZLtr6VpbNZediSk
https[:]//mega[.]nz/#!yrBGmQBA!EhgekpU4VUafMvfJKlNVFej1KsgxYWv1mfzCKXejjEc
https[:]//mega[.]nz/#!y6w1BAqS!DMfA221sRvIyqVqPNhsKMZEAtBNkjY_jLUWEmCpxMfo
https[:]//mega[.]nz/#!uu40wQxJ!HXlLJw7KDJgqnpwCzgrnBt9vu_W1-FZlSIvn0JU5rDw
https[:]//mega[.]nz/#!nrozSBoL!Pc5ApemPW46RC8b0kgiTIyuIa0MnQV9GDUPXGK8__LM
https[:]//mega[.]nz/#!j2JSwQYb!LaAP2L2WBKLU3DlR6BViQxZ4b8fsmt53Hl3RKHMfb4w
https[:]//mega[.]nz/#!Tmw0EK5Q!zSLa_Ell7Ti5sz-ca-plgqc4vZM7S813Hb9Yk5Jk81Y
https[:]//mega[.]nz/#!OvJFjQaY!UBgEDtTE_Gn4B4vYrn-d7rYeO5CBMTxt83NyXQGWh0E
https[:]//mega[.]nz/#!Ov41xapb!M-COPorpfcQ7j1G61afFVruLbDVwzNfujRIwERqlIQw
https[:]//mega[.]nz/#!KuRElKZT!5F_FfxkyPI7tvJ-mnL7LppAU5X5wA1XbpTM-z8DpVB8
https[:]//mega[.]nz/#!K6xgGCYJ!1cJY91IlILLrGGrDVVrkbb7vNRKL9CAFD4tB9_jP8ts
https[:]//mega[.]nz/#!66hWzACL!_6klTwfD-JaSkwjWrKRIBqX1ghXr-SZGk1Utc2-VJPc
http[:]//nsseinc[.]com/lingo/index[.]php
http[:]//crevisoft[.]net/images/backgrounds/ob/index[.]php

Remediation

Block all threat indicators at your respective control.
Always be suspicious about emails sent by unknown senders.
Never click on links/ attachments sent by unknown senders