Malware Warning (In Emails and Websites) - DustySky

DustySky is a multi-stage malware written in .NET (recently ported to C++). It is composed of a DustySky dropper, DustySky core, and the DustySky keylogging component. It has been developed and used since May 2015 by Molerats (aka "Gaza cybergang"), a terrorist group whose main objective in this campaign is intelligence gathering.


A wave of malicious email messages has been sent on a weekly basis to hundreds of targets. The email message and the lure documents are written in Hebrew, Arabic or English. The attackers would send a malicious email message that either links to an archive file (RAR or ZIP compressed) or has one attached to it.

The archive contains an .exe file, sometimes disguised as a Microsoft Word file, a video, or another file format, using the corresponding icon. We have also found samples that use Microsoft Word files embedded with a malicious macro, which would infect the victim if enabled. In all cases the attackers rely on social engineering - convincing the victim to open the file (and enabling content if it is disabled) - and not on software vulnerabilities.
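The delivery chain above (an archive attachment hiding an executable that pretends to be a Word document or video) is something a mail gateway or analyst can triage before anyone double-clicks. The following is an added example, not code from the original post or from the DustySky report: it inspects a ZIP attachment (constructed in memory here) and flags members by their real content (the `MZ` header every Windows executable starts with), by executable or double extensions, and by macro-capable Office types.

```python
"""Added example: triage a ZIP email attachment for a DustySky-style lure.
Sample archive and its members are constructed below, not real samples."""
import io
import zipfile

# Extensions Windows will execute; a Word or video icon does not change these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Office formats that may carry a VBA macro the victim is asked to enable.
MACRO_CAPABLE_EXTS = {".doc", ".docm", ".xls", ".xlsm"}


def triage_zip_attachment(data: bytes) -> list:
    """Return one finding string per suspicious member; [] means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            head = zf.open(info).read(2)
            if head == b"MZ":
                # DOS/PE magic: executable content regardless of name or icon
                findings.append(f"{name}: PE executable content")
            elif ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            if lower.count(".") > 1 and ext in EXECUTABLE_EXTS:
                # e.g. report.docx.exe, shown as "report.docx" when extensions are hidden
                findings.append(f"{name}: double extension")
            if ext in MACRO_CAPABLE_EXTS:
                findings.append(f"{name}: macro-capable Office document, check before enabling content")
    return findings


def build_sample_lure() -> bytes:
    """Construct a sample archive mimicking the lure: an .exe with a Word-like name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stub: only the MZ magic plus padding, not a runnable program
        zf.writestr("Meeting_Agenda.docx.exe", b"MZ" + b"\x00" * 62)
        # Benign JPEG header as a control member
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_lure()):
        print(finding)
```

RAR archives, which the attackers also used, need a third-party extractor, but the same member-level checks apply once the listing and first bytes are available.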

In addition to DustySky, the attackers use publicly available Remote Administration Tools (RATs) such as Poison Ivy, NanoCore, XtremeRAT, DarkComet and Spy-Net. These tools have been used either following an initial DustySky infection or on their own.

Targeted sectors are mostly governmental and diplomatic institutions, including embassies; companies from the aerospace and defense industries; financial institutions; journalists; and software developers. Most targets are in the Middle East, and some are in the United States and Europe.

The malware scans the computer for files that contain certain keywords. The list of keywords, in base64 format, is retrieved from the command and control server as a text file. The keywords found in these lists indicate what information the attackers are after: information pertaining to homeland security and military issues; personal documents; and credentials, certificates and private keys.

While this campaign is not aimed directly at US private businesses unrelated to government dealings, you could still get caught in the middle and have your data stolen and traded on the dark web at some point.

So, as always, stay safe and alert when opening emails and visiting websites!
