www.trendmicro.com
Submitted URL: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html
Effective URL: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html
Submission Tags: falconsandbox
Submission: On December 09 via api from US — Scanned from DK
APT & Targeted Attacks

EARTH SIMNAVAZ (AKA APT34) LEVIES ADVANCED CYBERATTACKS AGAINST MIDDLE EAST

Trend Micro's investigation into the recent activity of Earth Simnavaz provides new insights into the APT group’s evolving tactics and the immediate threat it poses to sectors in the Middle East.

By: Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, Nick Dai
October 11, 2024
Read time: 9 min (2475 words)

SUMMARY

* Trend Micro researchers have been monitoring a cyber espionage group known as Earth Simnavaz, also referred to as APT34 and OilRig, which has been actively targeting leading entities in the Middle East.
* The group uses sophisticated tactics that include deploying backdoors that leverage Microsoft Exchange servers for credential theft, and exploiting vulnerabilities such as CVE-2024-30088 for privilege escalation.
* Earth Simnavaz uses a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to let its malicious activity blend in with normal network traffic and evade traditional detection methods.
* Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure in geopolitically sensitive regions. The group also seeks to establish a persistent foothold in compromised entities so that these can be weaponized to launch attacks on additional targets.

Recently, Trend Micro has been tracking Earth Simnavaz (also known as APT34 and OilRig), a cyber espionage group. This group primarily targets organizations in the energy sector, particularly those involved in oil and gas, as well as other infrastructure. It is known for using sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to networks and exfiltrate sensitive information.

In recent months, there has been a notable rise in cyberattacks attributed to this APT group specifically targeting infrastructure in the Middle East region. This escalation in activity underscores the group's ongoing commitment to exploiting vulnerabilities within infrastructure frameworks in these geopolitically sensitive areas.

Our latest research has identified Earth Simnavaz’s deployment of a sophisticated new backdoor, which bears striking similarities to malware related to this APT group, as documented in our previous research. This new backdoor facilitates the exfiltration of sensitive credentials, including accounts and passwords, through on-premises Microsoft Exchange servers. Such tactics not only reflect the group's evolving methodologies but also highlight the persistent threat posed to organizations reliant on these platforms.

Moreover, Earth Simnavaz has been observed using the same technique of abusing the dropped password filter policy as detailed in our earlier findings. This technique enables attackers to extract cleartext passwords, further compromising the integrity of targeted systems.

In addition to these methods, the group has leveraged a remote monitoring and management (RMM) tool known as ngrok in their operations.
This tool allows for the seamless tunneling of traffic, providing attackers with an effective means to maintain persistence and control over compromised environments.

The threat actors have also recently added CVE-2024-30088 to their toolset, exploiting this vulnerability for privilege escalation in targeted systems. Integrating this into their toolkit highlights Earth Simnavaz’s continuous adaptation: the group exploits newer vulnerabilities to make its attacks stealthier and more effective.

Earth Simnavaz’s activities highlight the ongoing threat posed by state-sponsored cyber actors, particularly in sectors vital to national security and economic stability. As the threat landscape continues to evolve, understanding the tactics these groups use is crucial for developing effective defense strategies against such sophisticated adversaries.

ATTACK CHAIN

The initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server (Figure 1). This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server, thereby expanding their foothold within the targeted networks. Once inside the network, the APT group leveraged this access to download the ngrok remote management tool, facilitating lateral movement and enabling them to reach the Domain Controller.

During their operations, the group exploited CVE-2024-30088, the Windows Kernel Elevation of Privilege vulnerability, as a means of privilege escalation, utilizing an exploit binary that was loaded into memory via the open-source tool RunPE-In-Memory. This allowed them to register a password filter DLL, which subsequently dropped a backdoor responsible for exfiltrating sensitive data through the Exchange server.
The exfiltrated data was relayed to a mail address controlled by the threat actor, effectively completing the infection chain and ensuring the attackers maintained control over the compromised environment.

Figure 1. Attack chain

Earth Simnavaz has been known to leverage compromised organizations to conduct supply chain attacks on other entities. We expect that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets. There is also a documented overlap between Earth Simnavaz and another APT group, FOX Kitten. In August, an alert from the Cybersecurity and Infrastructure Security Agency (CISA) highlighted FOX Kitten's role in enabling ransomware attacks targeting organizations in the US and the Middle East. These threats should be taken seriously, as the potential impact on compromised entities could be significant.

OBSERVED TOOLSET AND TECHNIQUES

An initial infection was detected when a web shell was uploaded to a vulnerable web server. This web shell extracts values from the HTTP request headers "func" and "command", as shown in Figure 2. By passing both arguments to other functions, the web shell allows the threat actor to perform various actions (Table 1):

Command                                        | Function
-----------------------------------------------|--------------------------------------------------------------------
Execute PowerShell command on infected server  | func=Exc & Command= PowerShell (PW) command to be executed
Download specific file from infected server    | func=Exc & Command= FilePath
Upload file onto infected server               | func=Exc & Command= content of file to be written on infected server

Table 1. Capabilities provided by the web shell

Figure 2. Values extracted from HTTP request headers

The web shell also decrypts arguments received from the threat actor. It takes a Base64-encoded, AES-encrypted string, decrypts it using a specified key and initialization vector (IV), and returns the decrypted plaintext (Figure 3).

Figure 3. Decrypted string

The response sent back to the threat actor is encrypted using a different function.
This response is encrypted with AES using the given key and IV. The resulting encrypted string is Base64-encoded (Figure 4).

Figure 4. Response sent back to the threat actor

EXPLOITING CVE-2024-30088 FOR PERSISTENCE

After the web shells were implanted on the victim machines, another file called “r.exe” was dropped and executed. This is a simple loader that takes its first argument as the input file, decodes it with a one-byte XOR operation, and executes it. The code in this loader was reused from an open-source tool (Figure 5). The payload file was encoded to bypass traditional detection methods.

Figure 5. Decoding routine in r.exe

A payload file called “p.enc” comes with the loader in the same folder. The decoded payload turns out to be a privilege escalation tool. As its PDB string indicates, this tool exploits CVE-2024-30088:

C:\Users\reymond\Desktop\CVE-2024-30088-main\x64\Release\poc.pdb

This vulnerability, which was patched in June, allows threat actors to run arbitrary code in the context of SYSTEM, and it works on multiple versions of Windows 10 and 11. Our analysis showed that the code was reused from an open-source project (Figure 6). By using RunPE-In-Memory combined with CVE-2024-30088, the threat actor was able to carry out their malicious actions stealthily.

Figure 6. Reused code

This privilege escalation tool is coded to execute another dropped executable named “t.exe”, a .NET-compiled installer that creates persistence by using the predefined task definition “e.xml”. The installed scheduled task executes the script “u.ps1”. The final “u.ps1” we collected appears to have been replaced with a useless script, leading us to suspect that the threat actors intentionally altered the script to disrupt the incident investigation.

Figure 7.
Creating persistence using “e.xml”

ABUSING THE DROPPED PASSWORD FILTER POLICY

As mentioned earlier, the threat actor has been observed utilizing a tool similar to one identified in our previous research on the same entity. This tool abuses on-premises Exchange servers to exfiltrate credentials to email accounts under the attackers' control. Additionally, abusing the dropped password filter policy has been detected as a method for acquiring credentials, which are then exfiltrated via email.

Threat actors can manipulate password filters to intercept or retrieve credentials from domain users via domain controllers, or from local accounts on local machines. This works because the password validation process requires the plaintext password from the Local Security Authority (LSA). Consequently, deploying and registering a malicious password filter can facilitate credential harvesting each time a user updates their password. This technique requires elevated privileges (local administrator access) and can be executed through the following steps:

1. The password filter psgfilter.dll is dropped into C:\Windows\System32.
2. A registry value is modified to register the password filter DLL:
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
   Notification Packages = scecli, psgfilter

By using this technique, the threat actor can capture and harvest every password from compromised machines, even after they have been changed. The malicious DLL includes three exported functions (Figure 9) that provide the primary functionality of registering the DLL with the LSA (Figure 8):

* InitializeChangeNotify: Indicates that a password filter DLL is initialized.
* PasswordChangeNotify: Indicates that a password has been changed.
* PasswordFilter: Validates a new password based on password policy.

Figure 8. Registering the DLL with the LSA

Figure 9.
Functions exported by DLL

The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions. Similar to the incident in our previous research, the threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were encrypted before being exfiltrated over the network.

EXFILTRATING DATA THROUGH LEGITIMATE MAIL TRAFFIC

The primary function of the exfiltration tool (identified by Trend Micro as STEALHOOK) involves retrieving valid domain credentials from a specific location, which it then uses to access the Exchange Server for data exfiltration. The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through Exchange Servers.

The backdoor exhibits significant similarities to one previously attributed to the same group in our earlier research. The main functionalities of the backdoor can be categorized as follows:

* Retrieving User Credentials (Figure 10) – Calls the GetUserPassFromData function to retrieve the username and password needed for authentication from this file:
  C:\ProgramData\WindowsUpdateService\UpdateDir\edf

Figure 10. The backdoor retrieving user credentials

* Retrieving Email Sending Data (Figure 11) – Calls the GetSendData function to retrieve the configuration data necessary for sending an email from this file:
  C:\ProgramData\WindowsUpdateService\UpdateDir\edf
  * Server: The specific Exchange mail server of the targeted victim through which the data is leaked.
  * Target: The email addresses through which the malicious actors receive the exfiltrated data.
  * Domain: The internal Active Directory (AD) domain name related to the targeted entity.

Figure 11.
The backdoor retrieving email sending data

* Sending Email (Figure 12) – If the configuration data retrieval is successful, the program constructs a message containing the user credentials and the configuration data. The email is sent with a specified subject and body, and all files in the following directory are attached:
  C:\ProgramData\WindowsUpdateService\UpdateDir
  * Email Subject: "Update Service"
  * Body: "Update Service Is Running..."

Figure 12. The backdoor sending emails

USING RMM TOOLS

The threat actor recently upgraded their toolkit by incorporating RMM tools such as ngrok in their latest attacks. Ngrok is a legitimate tool used to create secure tunnels from a local machine to the internet, allowing access to internal services through public URLs. However, cyber attackers can exploit ngrok to bypass firewalls and network security controls for malicious purposes. They may use it to establish command-and-control (C&C) communication, exfiltrate sensitive data, or deploy payloads by creating undetected tunnels between compromised machines and their servers, making it harder for security teams to detect suspicious activity.

The ngrok tool was downloaded onto the server using a PowerShell script (Figure 13), after which a WMI command was utilized to authenticate to a remote server, copy the file, and execute it remotely.

Figure 13. Downloading ngrok

It appears that the threat actor utilized this tool in the later stages of the attack, leveraging a valid account and password for authentication. These credentials were likely obtained during earlier phases of the operation, in which accounts and passwords were stolen and exfiltrated.

ATTRIBUTION

Multiple data points and indicators attribute this attack to Earth Simnavaz, with evidence showing that the group remains active, specifically targeting Middle Eastern countries.
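The "r.exe" loader described above decodes "p.enc" with a one-byte XOR before handing it to RunPE-In-Memory. The following triage helper is an added example (not Trend Micro's code or the attacker's loader): it recovers the single-byte key of such a file by requiring that the decoded bytes form a plausible PE image (MZ header, e_lfanew pointing at "PE\0\0"), so an analyst can decode a recovered payload for static analysis. The sample PE is constructed inline, not a real binary.

```python
import struct
from typing import Optional, Tuple


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a one-byte XOR encoding (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(encoded: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded_bytes) for the single-byte key that yields a PE image.

    The key implied by a real PE's first byte (encoded[0] ^ ord('M')) is tried
    first, then every other value, so a chance 'MZ' match without a valid PE
    header is rejected instead of trusted. Returns None if no key fits.
    """
    if not encoded:
        return None
    guess = encoded[0] ^ ord("M")
    for key in [guess] + [k for k in range(256) if k != guess]:
        decoded = xor_decode(encoded, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a decoded payload (not a real executable):
    a DOS header whose e_lfanew points at a PE signature and an x64 COFF stub."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                    # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18   # Machine = AMD64
    return bytes(hdr) + coff + b"\0" * 32


if __name__ == "__main__":
    # Simulate a p.enc-style file: the sample PE encoded with key 0x5A, then recovered.
    encoded = xor_decode(build_sample_pe(), 0x5A)
    result = recover_xor_key(encoded)
    if result is None:
        print("no single-byte XOR key produced a PE image")
    else:
        print("key=0x%02x, decoded matches original: %s"
              % (result[0], result[1] == build_sample_pe()))
```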
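The password filter registration above is visible in one registry value, which makes it a cheap thing to audit across a fleet. This is an added example, not from the report: it parses the text that `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"` produces (reg.exe prints REG_MULTI_SZ entries separated by a literal `\0`), compares each entry against a known-good baseline, and returns the DLL paths that deserve hashing and signature checks. The baseline (scecli everywhere, rassfm on domain controllers) is an assumption for illustration; the sample output is constructed from the value in the report.

```python
import re
from typing import Dict, List, Set

# Assumed known-good LSA notification packages; align with your golden image.
BASELINE_PACKAGES: Set[str] = {"scecli", "rassfm"}

# Constructed sample of `reg query ... /v "Notification Packages"` output,
# reproducing the modification described in the report.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0psgfilter
"""

_VALUE_RE = re.compile(r"^\s*Notification Packages\s+REG_MULTI_SZ\s+(.*?)\s*$", re.M)


def parse_notification_packages(reg_output: str) -> List[str]:
    """Extract the REG_MULTI_SZ entries; reg.exe joins them with the two characters '\\0'."""
    m = _VALUE_RE.search(reg_output)
    if not m:
        raise ValueError("Notification Packages value not present in reg query output")
    return [p.strip() for p in m.group(1).split(r"\0") if p.strip()]


def unexpected_packages(packages: List[str], baseline: Set[str] = BASELINE_PACKAGES) -> List[str]:
    """Packages not in the baseline, in registry (load) order."""
    return [p for p in packages if p.lower() not in baseline]


def dll_paths(packages: List[str], system_root: str = r"C:\Windows") -> Dict[str, str]:
    """LSA loads each package as %SystemRoot%\\System32\\<name>.dll; return those
    paths so the unexpected ones can be hashed and signature-checked next."""
    return {p: "{}\\System32\\{}.dll".format(system_root, p) for p in packages}


def audit(reg_output: str, baseline: Set[str] = BASELINE_PACKAGES) -> Dict[str, object]:
    """Full check: registered packages, the unknown ones, and the files to inspect."""
    pkgs = parse_notification_packages(reg_output)
    bad = unexpected_packages(pkgs, baseline)
    return {"registered": pkgs, "unexpected": bad, "inspect": dll_paths(bad)}


if __name__ == "__main__":
    report = audit(SAMPLE_REG_QUERY)
    for name, path in report["inspect"].items():
        print("unexpected LSA notification package %s -> %s" % (name, path))
```

On a live host, feed the function the output of the `reg query` command above (and the same value under ControlSet001, as in the report) rather than the constructed sample.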
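Because STEALHOOK sends the stolen credentials through the victim's own Exchange server with the fixed subject "Update Service", the message tracking logs are a natural place to hunt for it. The following hunt is an added example, not Trend Micro's detection logic: it reads message tracking log lines using the column names from the `#Fields:` header, then flags messages with the suspect subject sent from an internal account to any recipient outside the organisation. The log lines, the domain corp.example and the collector address are constructed for illustration.

```python
import csv
from typing import Dict, List, Set

SUSPECT_SUBJECTS: Set[str] = {"update service"}   # subject used by the backdoor (per the report)
INTERNAL_DOMAINS: Set[str] = {"corp.example"}     # assumed victim mail domain (placeholder)

# Constructed sample in Exchange message tracking log layout. Columns are taken
# from the #Fields: header, so real logs with a different column set still parse.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: Message Tracking Log
#Date: 2024-10-01T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2024-10-01T09:12:01.000Z,10.0.0.5,WS01,10.0.0.10,EXCH01,,,STOREDRIVER,SEND,1,<a@EXCH01>,guid1,collector@mail-drop.example;alice@corp.example,,52311,2,,,Update Service,svc_backup@corp.example,svc_backup@corp.example,,Outgoing,,,,
2024-10-01T09:15:44.000Z,10.0.0.7,WS02,10.0.0.10,EXCH01,,,STOREDRIVER,SEND,2,<b@EXCH01>,guid2,alice@corp.example,,1200,1,,,Update Service,bob@corp.example,bob@corp.example,,Originating,,,,
2024-10-01T09:20:00.000Z,10.0.0.8,WS03,10.0.0.10,EXCH01,,,STOREDRIVER,SEND,3,<c@EXCH01>,guid3,partner@vendor.example,,8000,1,,,Q3 invoice,carol@corp.example,carol@corp.example,,Outgoing,,,,
"""


def parse_tracking_log(text: str) -> List[Dict[str, str]]:
    """Turn a message tracking log into dicts keyed by the #Fields: column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def domain_of(address: str) -> str:
    """Lower-cased domain part of an SMTP address ('' if it has none)."""
    return address.rsplit("@", 1)[-1].strip().lower() if "@" in address else ""


def find_exfil_candidates(rows: List[Dict[str, str]],
                          internal_domains: Set[str] = INTERNAL_DOMAINS,
                          subjects: Set[str] = SUSPECT_SUBJECTS) -> List[Dict[str, object]]:
    """Flag messages with a suspect subject, sent by an internal account, that reach
    at least one recipient outside the organisation (recipients are ';'-separated)."""
    hits = []
    for r in rows:
        if r.get("message-subject", "").strip().lower() not in subjects:
            continue
        sender = r.get("sender-address", "")
        if domain_of(sender) not in internal_domains:
            continue
        recipients = [a.strip() for a in r.get("recipient-address", "").split(";") if a.strip()]
        external = [a for a in recipients if domain_of(a) not in internal_domains]
        if external:
            hits.append({"time": r.get("date-time", ""), "sender": sender,
                         "external_recipients": external,
                         "bytes": int(r.get("total-bytes") or 0)})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_tracking_log(SAMPLE_LOG)):
        print("%(time)s %(sender)s -> %(external_recipients)s (%(bytes)d bytes)" % hit)
```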
This campaign, like that in our previously reported research, involved the targeting of Exchange servers and relaying communications through them. A significant similarity has been observed at both the code and functionality levels between the Exchange backdoor used in this attack and the one seen in the earlier campaign. Additionally, both tools share characteristics with the Karkoff backdoor, which is also linked to the same threat actors and exploits the Exchange Web Services (EWS) API for malicious activities. Earth Simnavaz’s tactics also overlap with those of FOX Kitten, another threat group that has likewise been observed using the RMM tool ngrok.

TREND MICRO VISION ONE THREAT INTELLIGENCE

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
* Advanced Cyberattacks Against Gulf Regions
* Earth Simnavaz Levies Advanced Cyberattacks Against Gulf Regions

Trend Micro Vision One Threat Insights App
* Threat Actor/s: Earth Simnavaz
* Emerging Threat: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East

CONCLUSION

APT groups like Earth Simnavaz have become increasingly active, particularly in targeting infrastructure in the Middle East. Based on the group’s toolset and activities, it’s evident that they aim to establish a persistent presence within compromised entities, using the affected infrastructure to launch further attacks on additional targets.
Their primary goals appear to be espionage and the theft of sensitive information. Earth Simnavaz continues to rely on IIS-based malware such as web shells, customized .NET tools, and PowerShell scripts as core components of their attack arsenal. Recent campaigns have confirmed that this technique remains actively in use. Geopolitical tensions likely play a significant role in this surge, so the Middle East should take these threats seriously.

Earth Simnavaz’s approach involves blending into normal network activity and customizing its malware to avoid detection. Intelligence-driven incident response will be essential in effectively managing and mitigating these types of attacks. While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like the one posed by Earth Simnavaz.

INDICATORS OF COMPROMISE (IOCS)
54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498 Trojan.Win64.DULLOAD.I r.exe a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7 Trojan.Win64.STEALHOOK.A passwin.dll 1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2 HackTool.PS1.DullScan.I p.ps1 af979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8 Trojan.PS1.DULLDROP.I j.ps1 1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff Backdoor.ASP.DULLWSHELL.I624 Defaults.aspx abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d Backdoor.ASP.DULLWSHELL.I624 s.inc 98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301 Renamed Ngrok n.exe ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5 Backdoor.ASP.DULLWSHELL.I624 Globals.aspx Tags APT & Targeted Attacks | Articles, News, Reports | Research AUTHORS * Mohamed Fahmy Threat Researcher * Bahaa Yamany Sr. Incident Response Analyst * Ahmed Kamal Sr. Incident Response Analyst * Nick Dai Sr. Threat Researcher Contact Us Subscribe RELATED ARTICLES * AI Configuration Best Practices to address AI Security Risks * The Road to Agentic AI: Exposed Foundations * MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks See all articles Experience our unified platform for free * Claim your 30-day trial * * * * * RESOURCES * Blog * Newsroom * Threat Reports * Find a Partner * * SUPPORT * Business Support Portal * Contact Us * Downloads * Free Trials * * ABOUT TREND * About Us * Careers * Locations * Upcoming Events * Trust Center * Country Headquarters Trend Micro - United States (US) 225 East John Carpenter Freeway Suite 1500 Irving, Texas 75062 Phone: +1 (817) 569-8900 Select a country / region United States expand_more close THE AMERICAS * United States * Brasil * Canada * México MIDDLE EAST & AFRICA * South Africa * Middle East and North Africa EUROPE * België (Belgium) * Česká Republika * Danmark * Deutschland, Österreich Schweiz * España * 
Copyright ©2024 Trend Micro Incorporated. All rights reserved
