A new wave of cyber attacks targets the Middle East’s banks

Excel files spreading the malicious stuff

According to the report, the attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees working in the banking sector in various parts of the Middle East.

The messages in the emails were related to IT infrastructure, containing information on logs of Server Status Report or lists of Cisco Iron Port Appliance details, FireEye said.

In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached.

This latest development comes hot on the heels of last month’s news that Qatar National Bank (QNB) – the largest bank in the Middle East – had been breached, with 1.4 GB of customer data reportedly being dumped on a file-sharing website before being quickly taken offline. The data included account numbers, customer names and passwords.

However, FireEye’s report does not appear to describe the QNB attack, which has been linked to a Turkish group of cyber criminals known as the Turkish Bozkurt Hackers.

Soon after news of the QNB breach broke, the group claimed responsibility in a video posted online, while also claiming to be behind a breach of United Arab Emirates (UAE)-based Investbank UAE, in December 2015.

In both cases, the banks were sent threats that the data would be posted online if the cyber criminals’ demands were not met. While these threats have not been made public, the assumption among industry insiders is that the motivation behind the attacks was purely financial.

Reconnaissance rather than exploitation

In contrast, the attacks described by FireEye appeared to be more about reconnaissance than exploitation, with the attackers going to great lengths to disguise their actions.  

As an example, FireEye researchers observed a fairly common technique of a user being prompted to run the risky macro codes through a pop-up box, explaining it was required to view “protected content”.

When the user had executed the macro successfully additional content was actually displayed, whereas in most cases nothing happens after the execution of a malicious macro.

According to FireEye, this added to the legitimacy of the malicious files, and could have prevented victims from raising a security alert.

Whether or not the two campaigns are linked, it appears that the region’s banks now face increasingly sophisticated threats.

“The rise of the region as a hub for banking and finance has made it a tempting target for cyber attackers,” FireEye said in its report.