A common method attackers use to hide their traces is to cloak malicious exe files with Word or PDF icons, so that users cannot tell the difference without looking at the file's attributes or properties. The Sphinx attackers adopt this technique as well, but they also attempt to conceal the attacks by making the master program “invisible”. In our analysis, Sphinx's master program was found to be disguised with a Word icon in order to lure users into clicking it. Upon clicking, the master program released several DLL files. The files can be categorized into 9 types of plugin modules by functionality. The core DLL file could start itself after registering as a plugin of the resource management panel. Then, based on different configurations, remote injection was triggered to inject the other functional DLLs into the corresponding running processes. This way, by the time the malware was running, the master program had already been split into several imperceptible pieces, which decreases the chance that the targets notice the malware. Multiple encryption algorithms were used simultaneously to hamper detection.
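Because the disguise relies on the icon alone, a triage check should classify a file by its content rather than by how it is displayed. The following is an added example, not code from the original report: it reads the header bytes to tell a PE EXE or DLL apart from a real Word or PDF document. The sample file names and byte strings are constructed for illustration.

```python
import struct

# Magic numbers of the document formats the icon pretends to be.
DOC_MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document",  # legacy .doc
    b"PK\x03\x04": "zip-container",                        # .docx
    b"%PDF-": "pdf",
}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF header


def true_type(data: bytes) -> str:
    """Classify a file by content, ignoring its name and icon."""
    for magic, label in DOC_MAGICS.items():
        if data.startswith(magic):
            return label
    # PE: 'MZ' DOS header; e_lfanew at offset 0x3C points to 'PE\0\0'.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        coff_end = e_lfanew + 4 + 20  # signature + 20-byte COFF header
        if coff_end <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
            return "pe-dll" if flags & IMAGE_FILE_DLL else "pe-exe"
    return "unknown"


def executable_images(files: dict) -> list:
    """Return the names whose content is a PE image (EXE or DLL)."""
    return sorted(n for n, d in files.items() if true_type(d).startswith("pe-"))


def fake_pe(characteristics: int) -> bytes:
    """Constructed minimal header: DOS header + PE signature + COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


# Constructed samples; the file names are hypothetical.
SAMPLES = {
    "invoice.exe": fake_pe(0x0002),   # stands in for an EXE with a Word icon
    "plugin.dll": fake_pe(0x2002),    # stands in for a dropped DLL module
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {true_type(blob)}")
```
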