The TopHat campaign involves attackers using third-party services such as Google+ and Pinterest, together with lures built around regional political events, to get unsuspecting users in the Middle East to download malware.
Attackers often use political events and third-party services to trick users into clicking links that download malware onto their systems. In the TopHat campaign, the attackers host command-and-control information in Google+ and Pinterest profiles, from which the malware retrieves it. Because a lookup of a public profile on a well-known service looks like ordinary browsing, it is far harder to block or flag than a connection to an attacker-owned domain. The links themselves are shortened with bit.ly, so a user cannot tell the true destination until the redirect has already taken place.
The discovery was made by researchers at Palo Alto Networks Unit 42. The TopHat campaign, believed to have been active since September 2017, owes much of its success to lure documents written in Arabic about current political events. The downloaded malware, dubbed Scote by the researchers, is delivered through several distinct techniques.
The first technique uses a malicious RTF file that makes an HTTP request to a remote attacker-controlled site. The second exploits CVE-2017-0199, a remote-code-execution vulnerability in the OLE object handling of Microsoft Office and WordPad; here the RTF file also displays a decoy pop-up message in Arabic about Palestinian President Mahmoud Abbas's announcement that a presidential palace would be turned into a national library. The third embeds a bitmap file containing shellcode in the RTF document, which is loaded on the target system. The fourth uses self-extracting executables that drop a decoy document on the user's system while the malware is launched.
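A defender triaging documents like these would want to pull apart the RTF rather than open it. The following Python script is an added example, not Unit 42's code or anything from the report: it performs static triage of an RTF file for the first three delivery patterns, flagging an OLE object marked `\objupdate` (refreshed, and therefore fetched, as soon as the document opens), an OLE2Link object or the URL-moniker CLSID inside `\objdata` (the CVE-2017-0199 pattern), any UTF-16LE URL stored in that object, and embedded `\pict` bitmaps with their decoded size, so an analyst can judge whether an image is plausible or a shellcode carrier. It assumes the RTF stores object and picture data as hex (the common case; groups with nested sub-groups are skipped) and runs against a constructed sample document with a placeholder URL.

```python
r"""Static triage of an RTF lure for OLE2Link/CVE-2017-0199 and embedded-bitmap patterns.

Added example, not Unit 42 code. The sample document built by build_sample() is
constructed for this demonstration and is not a real TopHat file.
"""
import re

# Little-endian GUID bytes of CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B},
# which precedes the remote URL in a serialized OLE2Link object.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Control words at the start of a group, e.g. "{\*\objdata " or "{\pict\wbitmap0\picw8\pich8 ".
LEADING_CONTROL_WORDS = re.compile(rb"^\{(?:\\\*|\\[a-zA-Z]+-?\d* ?)*")
# A run of at least four printable UTF-16LE characters.
PRINTABLE_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def rtf_groups(data, control_word):
    """Yield every {...} group that starts with the given control word, matching braces."""
    needle = b"\\" + control_word
    pos = 0
    while True:
        hit = data.find(needle, pos)
        if hit < 0:
            return
        start = data.rfind(b"{", 0, hit)
        depth = 0
        end = start
        while end < len(data):
            if data[end:end + 1] == b"{":
                depth += 1
            elif data[end:end + 1] == b"}":
                depth -= 1
                if depth == 0:
                    break
            end += 1
        yield data[start:end + 1]
        pos = end + 1


def hex_payload(group):
    """Decode the hex body of a group; returns b"" if the body is not pure hex (e.g. nested groups)."""
    m = LEADING_CONTROL_WORDS.match(group)
    body = re.sub(rb"\s+", b"", group[m.end():-1])
    if not body or len(body) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", body):
        return b""
    return bytes.fromhex(body.decode("ascii"))


def utf16_urls(blob):
    """Extract http(s) URLs stored as UTF-16LE, the encoding OLE2Link uses for its target."""
    strings = (m.group().decode("utf-16-le") for m in PRINTABLE_UTF16.finditer(blob))
    return [s for s in strings if s.lower().startswith(("http://", "https://"))]


def triage_rtf(data):
    """Return a report dict with the indicators found in one RTF document."""
    report = {
        "objupdate": b"\\objupdate" in data,  # object refreshes (and fetches) when the file is opened
        "ole2link": False,
        "urls": [],
        "pictures": [],
    }
    for group in rtf_groups(data, b"objdata"):
        blob = hex_payload(group)
        if b"OLE2Link" in blob or URL_MONIKER_CLSID in blob:
            report["ole2link"] = True
        report["urls"].extend(utf16_urls(blob))
    for group in rtf_groups(data, b"pict"):
        blob = hex_payload(group)
        kind = "bmp" if blob[:2] == b"BM" else "other"
        report["pictures"].append((kind, len(blob)))
    report["suspicious"] = report["ole2link"] or bool(report["urls"])
    return report


def build_sample():
    """Constructed RTF (not a real TopHat sample): one auto-updating OLE2Link object
    pointing at a placeholder URL, plus one small embedded BMP."""
    url = "http://example.invalid/lure.doc"
    ole = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00"
           + URL_MONIKER_CLSID + url.encode("utf-16-le") + b"\x00\x00")
    bmp = b"BM" + b"\x00" * 12 + b"\x90" * 64
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + ole.hex().encode() + b"}}"
            b"{\\pict\\wbitmap0\\picw8\\pich8 " + bmp.hex().encode() + b"}}")


if __name__ == "__main__":
    for key, value in triage_rtf(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a suspect file with `triage_rtf(open(path, "rb").read())`. The `\objupdate` flag plus an OLE2Link object with a remote URL is the combination that made CVE-2017-0199 documents fire without user interaction on unpatched systems, and it is cheap to alert on at a mail gateway; the picture sizes are only a prompt for a human, since a small "image" of tens of kilobytes of non-pixel data deserves a second look but is not proof of shellcode.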
The documents used and the information shown to victims allowed researchers to place the operation in time. Microsoft patched CVE-2017-0199 in April 2017, so the exploit only works on systems that are months behind on updates, while President Abbas's announcement about turning the palace into a national library came in August 2017. Once the infection chain runs, a decoy file named 'abbas.rtf' is written to the victim's system. The document used to deliver the malware discusses the dissolution of the Palestinian government, another event from August 2017.
Because every lure relates to Palestinian politics, the intended victims are most likely in that region. Although the malware is evasive and difficult to detect, researchers say Scote currently gives its operators only limited functionality. That is little comfort: the researchers also note that the limited feature set probably reflects a malware family still under development, and once it matures there is no telling what the attackers could do with the infected systems.
This is not the first time attackers have used political events as lures, nor the first time Palestinian users have been targeted this way. The Google+ and Pinterest profiles used in the TopHat campaign were named after Donald Trump and President Abbas. Although the Scote family is not yet very capable, the combination of four distinct delivery methods, command-and-control hidden in legitimate services and an operation that is difficult to detect is cause for concern. Palo Alto Networks Unit 42 says it will continue to investigate.