Security analysts have found a bait document being circulated in the Middle East, designed specifically for Arabic-speaking users. It is a Microsoft Office Word document with malicious macros embedded to drop and execute a backdoor packed with Enigma Virtual Box. It looks like this:
The backdoor has a built-in keyword list containing names of people and of opera films, which it uses when communicating with the C2 server; the C2 in turn distributes control commands to take further control of the victim's machine. Investigations suggest that the attack is being carried out by Molerats.
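The infection chain above starts with a macro-enabled Word document, so the first thing a defender can do at the mail gateway or on an analyst workstation is triage the file's structure before anyone opens it. The script below is an added example, not code from the report or from the actors' tooling: it builds a constructed, minimal OOXML document in memory (the VBA part is a placeholder, not a real macro project) and then checks an arbitrary OOXML file for the two tell-tale signs of embedded macros, a `word/vbaProject.bin` part and a macro-enabled content type. Legacy OLE2 `.doc` files do not start with the zip signature and are reported as non-OOXML rather than analysed.

```python
import io
import zipfile

# Real OOXML content types for plain and macro-enabled Word documents.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally carrying a VBA part.

    This is NOT the bait document from the report; the vbaProject.bin content is a
    placeholder so the example runs offline.
    """
    buf = io.BytesIO()
    ctype = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ctype}"/>'
        + (
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            if with_macros
            else ""
        )
        + "</Types>"
    )
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba")
    return buf.getvalue()


def triage_office_document(data: bytes) -> dict:
    """Return structural indicators a defender checks before an OOXML file is opened.

    The decision does not depend on the file extension: renaming a .docm to .docx
    does not remove the vbaProject.bin part or the macro-enabled content type.
    """
    findings = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "suspicious": False,
    }
    # OOXML packages are zip archives; OLE2 .doc files (D0 CF 11 E0) are not handled here.
    if not data.startswith(b"PK"):
        return findings
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = z.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # Any part named vbaProject.bin, wherever it sits, means a VBA project is present.
    findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if findings["is_ooxml"]:
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_enabled_content_type"] = "macroenabled" in ct.lower()
    findings["suspicious"] = (
        findings["has_vba_project"] or findings["macro_enabled_content_type"]
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("macro sample", build_sample_docx(True)),
                          ("plain sample", build_sample_docx(False))):
        print(label, triage_office_document(sample))
```

Flagging a file as suspicious here only means it carries macros; the follow-up is to extract and inspect the VBA (for example with a tool such as olevba) or detonate the document in a sandbox, and in an enterprise to block or quarantine macro-enabled documents arriving from external senders.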
The IP address (198[.]54[.]117[.]244) that took over the C2 domain name is associated with a large number of malicious domain names and is no longer under the threat actors' control.
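Because the IP above is published in defanged form, it has to be refanged before it can be matched against proxy or firewall logs, and because it is no longer under the actors' control, a hit is a lead for historical triage rather than proof of an active infection. The following is an added example (not part of the report) showing that workflow: it refangs the indicator, then scans constructed sample log lines with a boundary-aware match so that a longer or shorter address containing the same digits is not mistaken for the C2 IP.

```python
import re

# Indicator from the report, kept in its defanged form.
DEFANGED_C2_IP = "198[.]54[.]117[.]244"

# Constructed sample proxy log lines (not real traffic); the third line is a
# near-miss address used to show that only the exact IP is matched.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z proxy src=10.0.0.5 dst=198.54.117.244 dport=443 action=allow
2024-01-01T10:00:02Z proxy src=10.0.0.6 dst=93.184.216.34 dport=443 action=allow
2024-01-01T10:00:03Z proxy src=10.0.0.7 dst=198.54.117.24 dport=80 action=allow
2024-01-01T10:00:04Z proxy src=10.0.0.5 dst=198.54.117.244 dport=80 action=allow
"""


def refang(ioc: str) -> str:
    """Convert common defanging conventions back to the literal indicator."""
    return (
        ioc.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("[:]", ":")
        .replace("hxxp", "http")
    )


def defang(ioc: str) -> str:
    """Defang an indicator for safe sharing in reports and tickets."""
    return ioc.replace(".", "[.]").replace("http", "hxxp")


def find_ioc_hits(log_text: str, defanged_iocs: list) -> list:
    """Return (defanged_ioc, log_line) pairs for every line containing an indicator.

    The lookarounds stop 198.54.117.244 from matching inside e.g. 1198.54.117.244
    or 198.54.117.2440, which a plain substring search would accept.
    """
    patterns = [
        (ioc, re.compile(r"(?<![\d.])" + re.escape(refang(ioc)) + r"(?![\d.])"))
        for ioc in defanged_iocs
    ]
    hits = []
    for line in log_text.splitlines():
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((ioc, line))
    return hits


if __name__ == "__main__":
    for ioc, line in find_ioc_hits(SAMPLE_LOG, [DEFANGED_C2_IP]):
        # Print the defanged form so the output itself stays safe to paste into a ticket.
        print(ioc, "->", line)
```

When a hit is found, the useful next step is to pivot on the source host and the time window (what process made the connection, whether a Word document was opened shortly before), since the destination alone no longer identifies the actors' infrastructure.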
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)