
Undetected Attacks Targeting the Middle East Since 2020


A new cyberattack has been detected in the Middle East, targeting businesses in Saudi Arabia and other nations in the region. The attack utilized an open source tool called Donut, along with a variant of the Wintapix driver, and was first discovered by researchers at cybersecurity company Fortinet. According to the researchers, this driver has been active since at least mid-2020, and has been used in several campaigns over the past few years.

The Donut tool is used to produce x86 or x64 shellcode payloads from .NET assemblies, which can then be injected into an arbitrary Windows process for in-memory execution. In this attack, the Wintapix driver is loaded into the kernel, where it injects an embedded shellcode into a suitable process running with local system privileges; that shellcode then loads and executes an encrypted .NET payload.
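As an added example that is not from the article or from Fortinet's research, the following Python sketches a defender-side correlation for the chain just described: a kernel driver load that does not carry a Microsoft signature, followed within a short window by the .NET runtime appearing inside a process that does not normally host managed code. The event shape is a simplified stand-in for Sysmon Event ID 6 (DriverLoad) and 7 (ImageLoad) records; KNOWN_CLR_HOSTS, WINDOW and the sample events are constructed assumptions.

```python
# Added illustration, not the article's or Fortinet's code. Simplified stand-in for
# Sysmon Event ID 6 (DriverLoad) and 7 (ImageLoad) records; field names follow Sysmon.
from datetime import datetime, timedelta
# Assumption: processes that legitimately host the CLR; build a real list from a baseline.
KNOWN_CLR_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}
CLR_IMAGES = ("\\clr.dll", "\\mscoree.dll", "\\coreclr.dll")
WINDOW = timedelta(minutes=10)  # assumed correlation window

def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])

def suspicious_driver_loads(events):
    """EventID 6 records whose driver does not carry a Microsoft signature."""
    return [e for e in events if e["EventID"] == 6
            and not (e.get("Signed") and e.get("Signature", "").startswith("Microsoft"))]

def clr_loads_in_unexpected_hosts(events):
    """EventID 7 records where the .NET runtime enters a process not expected to host it."""
    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        proc = e["Image"].rsplit("\\", 1)[-1].lower()
        if e["ImageLoaded"].lower().endswith(CLR_IMAGES) and proc not in KNOWN_CLR_HOSTS:
            hits.append(e)
    return hits

def correlate(events):
    """Pair each suspicious driver load with CLR loads that follow it within WINDOW.
    Returns (driver_path, host_image, pid) tuples for an analyst to triage."""
    alerts = []
    for drv in suspicious_driver_loads(events):
        for clr in clr_loads_in_unexpected_hosts(events):
            if timedelta(0) <= _ts(clr) - _ts(drv) <= WINDOW:
                alerts.append((drv["ImageLoaded"], clr["Image"], clr["ProcessId"]))
    return alerts

# Constructed sample events, not real telemetry; the driver name is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2023-03-01T10:00:00", "Signed": True, "Signature": "Microsoft Windows",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
    {"EventID": 6, "UtcTime": "2023-03-01T10:02:00", "Signed": True, "Signature": "PLACEHOLDER-VENDOR",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\placeholder_unknown.sys"},
    {"EventID": 7, "UtcTime": "2023-03-01T10:03:30", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ProcessId": 1234, "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"},
]

if __name__ == "__main__":
    for driver, host, pid in correlate(SAMPLE_EVENTS):
        print(f"ALERT driver={driver} host={host} pid={pid}")
```

The Microsoft-signed ndis.sys load is ignored, while the placeholder driver paired with clr.dll entering svchost.exe produces one alert.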

Fortinet’s telemetry shows a notable increase in the number of lookups for this driver in August and September 2022, and again in February and March 2023. This suggests that the threat actor behind the driver was operating major campaigns on these dates. 65% of the lookups for the driver were from Saudi Arabia, indicating it was a primary target, according to the research.

While Fortinet researchers are still unsure about who is behind the operation, they note that Iranian threat actors have been known to target Saudi Arabia and other nations in the region. The report said, “observed telemetry shows that while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are the classic targets of Iranian threat actors.”

It is also possible that this driver has been employed alongside Exchange attacks by Iranian threat actors. “To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities,” the researchers wrote.

The researchers’ report highlights the importance of vigilance and advanced threat detection measures. As Ciarán Walsh, an associate research engineer at Tenable, notes, “depending on the nature of the attack and sophistication of the threat actor, it is entirely possible for a campaign to go undetected for an extended period of time like this one did.”

Walsh adds, “In espionage, the aim would be to go undetected for however long it takes to achieve those objectives, but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority.”

Open source tools are more likely to be detected, as the security community knows of them and countermeasures and remediation techniques have been developed to counteract them. “Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms,” Walsh says. “Attackers do sometimes adopt an approach of using tools already on target systems or within target networks.”

The living-off-the-land approach, used by China-backed APT Volt Typhoon, is an example of attackers using built-in tools and processes to gain access to target networks. Walsh notes that this approach allows for stealth, as there is no execution of suspicious programs or scripts that would trigger an alert. Rather, the attackers use tools built into operating systems, which are less likely to trigger an alert or be deemed suspicious.

As the threat landscape continues to evolve, it is vital that organizations prioritize the implementation of advanced threat detection measures and stay vigilant against potential attacks. The targeted cyberattacks in the Middle East serve as a stark reminder of the need for increased cybersecurity measures and constant vigilance in the face of evolving threats.
