In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).
Also known as
LazyMeerkat, G0079, Obscure Serpens.
References
- researchcenter.paloaltonetworks.com
- mobile.twitter.com
- ti.360.net
- unit42.paloaltonetworks.com
- unit42.paloaltonetworks.com
- attack.mitre.org
- unit42.paloaltonetworks.com
Actor metadata imported from Malpedia (Fraunhofer FKIE).