EnigmaSpark: Politically Themed Cyber Activity Highlights Regional Opposition to Middle East Peace Plan

In recent analysis of malicious activity likely targeting entities based in the Middle East, IBM X-Force Incident Response and Intelligence Services (IRIS) discovered backdoor malware packed with the legitimate Enigma Protector software. We named this malware “EnigmaSpark” per the Enigma Protector and the string “Spark4.2” from a .pdb file path, and published our findings to the X-Force IRIS Enterprise Intelligence Management platform on TruSTAR in early February 2020.


This discovery likely represents politically motivated attempts to target the network environments of entities or organizations that maintain a significant interest in or support of a new Middle East peace plan. The files IBM X-Force IRIS uncovered suggest that attackers crafted detailed and politically charged documents, taking advantage of geopolitical developments in the Middle East. The recipients of these emails are lured into opening malicious attachments, enabling the actor to compromise victim environments with the potential to exfiltrate data of interest or gain the ability to take other actions in compromised environments.


The observed EnigmaSpark campaign appears related to opposition to the recent Middle East peace plan. Based on the contents of the uncovered files and surrounding political events, it’s highly likely the EnigmaSpark activity targets Arabic speakers interested in Palestine’s potential acceptance of the peace plan.


Adversaries using EnigmaSpark likely relied on recipients’ significant interest in regional events or anticipated fear prompted by the spoofed content, illustrating how adversaries may exploit ongoing geopolitical events to enable malicious cyber activity.


The EnigmaSpark activity discovered by IRIS also closely aligns with “The Sp ..
