Symantec Uncovers New Details on Cybercriminals in the Middle East and North Africa
Project Desert Host highlights tactics, techniques and procedures of adversaries in region
Symantec analysts have observed a spike in malicious activity, chiefly ransomware variants such as Locky, CryptoLocker, and DMA Locker, communicating with bulletproof hosting service (BPHS) infrastructure in four key Middle East and North Africa (MENA) countries: Egypt, Iran, Lebanon, and Turkey. These are among the details highlighted in the latest report on MENA cybercrime from Symantec’s DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) team.
Titled “Project Desert Host: Three Identified Bulletproof Hosting Providers”, the report is the second in a series connected with Project Desert Host, which represents the MATI team’s ongoing research on cybercriminal activity in the MENA region. It provides additional findings surrounding the criminal marketplace and actors behind the BPHS advertisements and offerings.
DeepSight’s MATI report highlights the following findings:
- The MATI team has observed a significant amount of cybercrime coming from Egypt, Iran, Lebanon and Turkey.
- Locky and other ransomware variants as well as Trojan downloaders are currently the most common malware threat found communicating with MENA BPHS infrastructure.
- Attractive pricing and improved technical infrastructure are driving increased use by a wide variety of actors.
MATI analysts tracked multiple actors engaged in advertising MENA-based hosting services. All are Russian-speaking. In-depth profiles of several of these BPHS providers, including their TTPs, their pricing, and their infrastructure, are covered in this new installment.
Some highlights:
- These BPHS providers have been observed facilitating multiple cybercrime operations, including hosting phishing sites and command-and-control servers, as well as supporting infrastructure used to deliver high volumes of ransomware variants such as Locky, CryptoLocker and DMA Locker to compromised hosts. Other identified criminal activity includes distributing Trojan downloaders such as Pony and Upatre, which have been observed in past campaigns delivering banking Trojans such as Dridex, Vawtrak (a.k.a. Snifula), URLZone and other malware.
- Sophisticated pricing structures are a key element of the cybercriminals’ marketing strategy. Their promotions boast incentives such as price reductions for referrals, 3-for-2 pricing packages, credits for switching BPHS providers, and discounts for buying services in specified countries.
- The identified actors are also active in other regions, and they have identifiable names, aliases and email addresses. Some of the providers’ activities are documented as far back as 2008.
- In the past, these providers have been linked with infrastructure used in widespread criminal operations involving financial malware such as Dyre, Tiny Banker (a.k.a. Tinba), and Dridex.
More on the ongoing research effort
MATI research on cybercrime connected to BPHS in the MENA region is a multi-stage project. The MATI team anticipates Project Desert Host will provide more data on threat operations in MENA, including threat groups, actors and their motivations and targets.
Symantec’s MATI team of intelligence analysts is dedicated to understanding the adversary ecosystem. The team provides insightful reports on adversaries, including their TTPs and attack campaigns. With well-developed research skills, rich foreign-language capability and access to the venues where cybercriminals operate, the MATI team produces high-fidelity information for organizations that want to strengthen their defenses against malicious actors. That is why Symantec’s research on the growth of cybercriminal activity in the MENA region is an important effort.
How CISOs and their security operations teams can use this information
The data and additional context that this research provides can help companies to better focus their threat prevention efforts and to improve their risk posture. Among the ways CISOs can leverage this data:
- Keep up with the research in all the MATI reports on the MENA region to better understand trends in the marketplace.
- Use the technical indicators of compromise (IOCs) supplied in the report to check your organization’s exposure, for example by searching proxy, DNS and firewall logs for the listed infrastructure, and then tune security protections such as firewalls and IDS/IPS with those indicators. This step is critical to building a strong line of defense against these malicious actors.
- Once gaps are identified, adjust strategic, operational and tactical controls to strengthen your security posture.
- Use the MATI-provided intelligence along with your internal information sources to augment your ongoing threat intelligence operation.
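As an added illustration of the exposure-check step above (this is not Symantec or MATI code, and the report’s actual indicators are not reproduced here), the following Python sweeps constructed proxy, firewall and endpoint log lines for a constructed indicator set: RFC 5737 address ranges, reserved example domains and a dummy hash stand in for the C2 ranges, hosting domains and payload hashes a report would supply. The log formats, host names and indicator values are all assumptions. The domain matcher works on DNS label boundaries so that a lookalike such as `bphs-example.test.attacker.example` is not flagged by a naive substring test, and IP matching goes through `ipaddress` so that CIDR ranges from the report can be used directly.

```python
import ipaddress
import re

# Constructed placeholder indicators in the shape a report would supply
# (RFC 5737 ranges, reserved example domains, a dummy hash); not real IOCs.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.17/32")]
IOC_DOMAINS = {"bphs-example.test", "locky-payload.example"}
IOC_SHA256 = {"a1b2c3d4" * 8}

# Constructed log lines: two squid-style proxy entries, a netfilter-style
# firewall drop, a lookalike domain that must NOT match, and an EDR-style
# file-write event carrying the dummy hash. None of these are real records.
SAMPLE_LOGS = [
    "1469000000.123 200 10.0.0.5 TCP_MISS/200 1234 GET http://cdn.bphs-example.test/a.exe - DIRECT/192.0.2.44 application/octet-stream",
    "1469000001.456 300 10.0.0.8 TCP_MISS/200 5678 GET http://www.example.org/ - DIRECT/203.0.113.9 text/html",
    "Jul 20 10:15:02 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.17 DST=10.0.0.3 PROTO=TCP SPT=443 DPT=49152",
    "1469000002.789 120 10.0.0.5 TCP_MISS/200 99 GET http://bphs-example.test.attacker.example/ - DIRECT/203.0.113.10 text/html",
    "2016-07-20T10:16:00Z edr host=ws-12 event=file_write path=C:\\Users\\a\\AppData\\Local\\Temp\\inv.exe sha256=" + "a1b2c3d4" * 8,
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def matching_network(ip_text, networks=IOC_NETWORKS):
    """Return the first IOC network containing ip_text, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # "999.1.1.1" passes the regex but is not an address
        return None
    for net in networks:
        if addr in net:
            return net
    return None


def matching_domain(host, domains=IOC_DOMAINS):
    """Match on DNS label boundaries: the host itself or a subdomain of an IOC.

    A plain substring test would also flag lookalikes such as
    bphs-example.test.attacker.example, so the suffix must begin at a dot.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(lines):
    """Return (line_no, kind, indicator, observed) for every IOC hit; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in URL_HOST_RE.findall(line):
            d = matching_domain(host)
            if d:
                hits.append((n, "domain", d, host))
        for ip_text in IPV4_RE.findall(line):
            net = matching_network(ip_text)
            if net:
                hits.append((n, "ip", str(net), ip_text))
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append((n, "sha256", h.lower(), h))
    return hits


if __name__ == "__main__":
    for line_no, kind, indicator, observed in sweep(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} IOC {indicator} observed as {observed}")
```

Run against the constructed sample, the sweep reports the proxy fetch from the IOC subdomain and its server address, the dropped inbound connection from the listed /32, and the file write carrying the listed hash, while the lookalike domain on line 4 produces nothing. In practice the same matchers feed the blocklists loaded into the proxy, firewall and IDS/IPS, and each hit becomes a starting point for scoping the affected host.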
Dig Deeper
This is part of an ongoing series. The MATI team will continue to publish updates in the months to come, so bookmark and check back on the Cyber Security Services blog.
Visit Us at Black Hat USA
Hear more about this research from a MATI analyst at Symantec’s booth (#523) on August 3rd and 4th at the Black Hat Conference.
Learn Even More
The DeepSight MATI team produces intelligence to help organizations improve their security posture. To find out how you can access all of the DeepSight Intelligence research reports, call us at (866) 422-5181 or request a call.