The Big Bang threat group, which is known for targeting Middle Eastern and Palestinian organisations, is back with a new surveillance campaign. The latest campaign specifically targets the Palestinian Authority and involves the group using a new modular malware.
According to security researchers at Check Point, who discovered the new campaign, Big Bang has been sending phishing emails to its targets. These emails contain two files - a Word document and a malicious executable. The phishing email purports to be coming from the Palestinian Political and National Guidance Commission. The Word document is meant to act as a decoy while the Big Bang group’s malware is installed onto a target’s system in the background.
The modular malware being used by the threat group comes packed with several features, such as logging system details and rebooting the system. The malware is also capable of taking screenshots and sending them to the C2 server, as well as stealing documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more.
“While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server,” Check Point researchers said in a blog. “This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.”
The threat group is still making use of the Micropsia malware, which it also used in its 2017 attacks. However, the malware has been upgraded for the new campaign: it is still written in C++, but is now wrapped as a self-extracting executable.
Although the campaign appears to have begun in April 2018, researchers discovered that it actually began in March. Like the Big Bang group’s previous attacks, this campaign also uses phishing emails to distribute the reconnaissance malware to victims.
However, unlike previous campaigns, this time the malicious attachment is an executable which is actually a self-extracting archive, containing a decoy document and the malware itself.
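The delivery pattern just described (an executable that is really a self-extracting archive carrying a decoy document beside a payload) and the document types listed earlier can be turned into a simple attachment triage check. This is an added example, not code from Check Point or from the report; it assumes a ZIP-based SFX (a PE stub with the archive appended), which Python's zipfile can read because it locates the central directory from the end of the file, and the sample attachment is constructed inline.

```python
"""Flag e-mail attachments that look like a self-extracting archive hiding an
executable next to a decoy document.
Assumption (not from the report): the SFX is a ZIP archive appended to a PE
stub. Other SFX formats (e.g. RAR-based) would need a different parser."""
import io
import zipfile

# Document types the article lists as targeted; used here as decoy indicators.
DOC_EXT = (".doc", ".docx", ".odt", ".xls", ".ppt", ".pdf")
EXE_EXT = (".exe", ".scr", ".com", ".dll")


def inspect_attachment(data: bytes) -> dict:
    """Return a verdict for one attachment given as raw bytes."""
    is_pe = data[:2] == b"MZ"          # DOS/PE header magic
    members = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [name.lower() for name in zf.namelist()]
    has_decoy = any(name.endswith(DOC_EXT) for name in members)
    has_payload = any(name.endswith(EXE_EXT) for name in members)
    return {
        "is_pe": is_pe,
        "is_sfx": is_pe and bool(members),
        "members": members,
        # PE stub + archived executable + decoy document = the pattern above
        "suspicious": is_pe and has_payload and has_decoy,
    }


def build_fake_sfx(members: dict) -> bytes:
    """Construct a test file: a fake PE header followed by a ZIP archive.
    Constructed sample only; it is not a valid program and not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return b"MZ" + b"\x00" * 62 + buf.getvalue()


if __name__ == "__main__":
    sample = build_fake_sfx({"Commission_Letter.docx": b"decoy",
                             "update.exe": b"payload"})
    print(inspect_attachment(sample))
```

The check is deliberately format-level: it does not judge the payload, only that an executable attachment unpacks into a document plus another executable, which is the shape a mail gateway can quarantine for review.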
“While the APT has gone through significant upgrades over the past year, the conductors of these campaigns maintained evident fingerprints, both in the delivery methods and malware development conventions,” Check Point researchers said.
“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is,” the researchers added. “Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims.”