Desert Dexter. Attacks on Middle Eastern countries

Authors:

Klimentiy Galkin, Junior Threat Intelligence Specialist, Positive Technologies Expert Security Center

Stanislav Pyzhov, Lead Threat Research Specialist, Positive Technologies Expert Security Center

Highlights

  • We have detected a malicious campaign targeting the Middle East and North Africa.
  • The campaign, which leverages social media to distribute malware, is tied to the region's current geopolitical climate.
  • The attackers host malware in legitimate online file-sharing accounts or Telegram channels set up specially for this purpose.
  • The malware itself is a modified version of AsyncRAT.
  • Since fall 2024, approximately 900 victims have been identified in various countries.

Introduction

In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then.

Detailed analysis of the incidents and victims showed that Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey were the most targeted countries. We have named the threat actor "Desert Dexter", after one of the suspected attackers. This story contains the full breakdown of their kill chain.

How the attack begins: ad posts

Our investigation has found that the attackers create temporary accounts and news channels on Facebook*. Later, these channels post ads like those shown below.

Figure 1. Ad post
Figure 2. Map of detected ad posts

This is how the posts appear in the user's feed.

Figure 3. An ad post as seen by the user

The attackers bypass Facebook's* ad filtering rules, which vary by country. Here is an excerpt from the ad placement policy.

Figure 4. Excerpt from Facebook's* ad placement rules

One of the posts in Arabic:

عاجل | تقرير مسرّب من مخا.ـبرات الاسرائـ ـ.ـيلية تكشف عن اجتماع سـ ـ.ـري بين مسؤول إماراتي "طحـ.ـن ون بن زايد" مع مسؤول سوري "ما.هر الأسد" يكشف ان هناك تخطيط لدخول سوريا باستعانة طائرات اسر.ائـ ـيلية  بدعم إماراتي .
لإطلاع على التقرير المسرب : https://files.fm/f/fgcnsf7r8v

Translation into English:

Urgent | A leaked report from Israeli intelligence reveals a secret meeting between an Emirati official "Tahna Bin Zayed" and a Syrian official "Maher Al-Assad" revealing that there is a plan to enter Syria with the help of Israeli aircraft with Emirati support. To view the leaked report: https://files.fm/f/fgcnsf7r8v

The ads also include a link to either Files.fm or a Telegram channel that hosts a malicious file (see Figure 5). A distinct pattern emerges in the channel titles: they imitate real media outlets:

  • Libya Press,
  • Sky News,
  • Almasar TV,
  • The Libya Observer,
  • The Times Of Israel,
  • Alhurra TV,
  • VoiceQatar,
  • Step News Agency,
  • Watan,
  • Al Ain,
  • UAE Voice, and others.

Figure 5. Message containing a malicious archive in a Telegram channel

Modifications of AsyncRAT

The kill chain consists of several stages. The victim receives a RAR archive from a Telegram channel or a link in an ad message. The archive contains either one or two BAT files, or a single JS file. These are designed to run a PowerShell script, which is either downloaded or extracted from a JavaScript file, to trigger the second stage of the attack.

Figure 6. Snippet of the BAT script
Figure 7. Snippet of the JS file

It is worth noting that the comments in the JavaScript file are written in Arabic, possibly indicating the attacker's origin.

In the second stage of the attack, the PowerShell script terminates .NET-related processes that could prevent the malware from starting:

  • CCleanerBrowser.exe,
  • aspnet_regbrowsers.exe,
  • aspnet_compiler.exe,
  • AppLaunch.exe,
  • InstallUtil.exe,
  • jsc.exe,
  • MSBuild.exe,
  • RegAsm.exe,
  • cvtres.exe,
  • RegSvcs.exe.

It then deletes files with the extensions BAT, PS1, and VBS from C:\ProgramData\WindowsHost and C:\Users\Public, and creates a VBS file in C:\ProgramData\WindowsHost as well as BAT and PS1 files in C:\Users\Public, to run sequentially.

Figure 8. Snippet of the PowerShell script

To establish persistence in the system, the script replaces the user startup folder in the registry with C:\ProgramData\WindowsHost by altering the Startup value in the keys Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders. After that, the PowerShell script generates a GUID for malware installation and saves it in the file %APPDATA%\device_id.txt, gathers system information, and sends it to the attackers' Telegram bot, formatted as follows.

Hack By WORMS:
- Device ID: <Malware installation GUID>
- HWID: <CPU or motherboard ID>
- Public IP: <External IP address>
- Country: <Country>
- Username: <Username>
- Computer Name: <Computer name>
- Antivirus: <Name of installed antivirus>
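The check-in format above is what later makes victims countable: each infection reports a Device ID, and the same GUID reappears on every subsequent check-in. The block below is an added example, not code from the report, that parses such bot messages and deduplicates them by Device ID; the sample messages are constructed.

```python
"""Parser for the Telegram check-in format above, used to deduplicate victims
by Device ID as the analysis describes. Added example, not code from the
report; the sample messages are constructed."""
import re
import uuid
from collections import Counter

# One "- Key: value" line of the check-in message.
FIELD_LINE = re.compile(r"^- (?P<key>[^:]+): (?P<value>.*)$")


def parse_checkin(text):
    """Turn one bot message into a dict of fields, or None if it is not a check-in."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Hack By WORMS"):
        return None
    fields = {}
    for line in lines[1:]:
        m = FIELD_LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    try:  # the implant stores a GUID in device_id.txt, so reject anything else
        uuid.UUID(fields.get("Device ID", ""))
    except ValueError:
        return None
    return fields


def summarise_victims(messages):
    """Deduplicate check-ins by Device ID; return (unique count, per-country counts)."""
    seen = {}
    for msg in messages:
        rec = parse_checkin(msg)
        if rec:
            seen.setdefault(rec["Device ID"].lower(), rec)  # keep the first check-in
    return len(seen), Counter(r.get("Country", "unknown") for r in seen.values())


# Constructed samples: one device reporting twice (GUID case differs), a second
# device, a check-in with a malformed Device ID, and an unrelated bot message.
SAMPLE_MESSAGES = [
    "Hack By WORMS:\n- Device ID: 3f2b1c4e-8a9d-4c1e-9b2a-7d6e5f4a3b2c\n"
    "- HWID: BFEBFBFF000906EA\n- Public IP: 203.0.113.25\n- Country: Libya\n"
    "- Username: user1\n- Computer Name: DESKTOP-AB12CD\n- Antivirus: Windows Defender",
    "Hack By WORMS:\n- Device ID: 3F2B1C4E-8A9D-4C1E-9B2A-7D6E5F4A3B2C\n"
    "- HWID: BFEBFBFF000906EA\n- Public IP: 203.0.113.26\n- Country: Libya\n"
    "- Username: user1\n- Computer Name: DESKTOP-AB12CD\n- Antivirus: Windows Defender",
    "Hack By WORMS:\n- Device ID: 9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d\n"
    "- HWID: BFEBFBFF000A0652\n- Public IP: 198.51.100.7\n- Country: Egypt\n"
    "- Username: ahmed\n- Computer Name: LAPTOP-XY98ZW\n- Antivirus: Avast",
    "Hack By WORMS:\n- Device ID: not-a-guid\n- Country: Turkey",
    "/start https://t.me/example_channel",
]

if __name__ == "__main__":
    total, per_country = summarise_victims(SAMPLE_MESSAGES)
    print(f"{total} unique victims: {dict(per_country)}")
```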

The script takes a screenshot, saves it as %TEMP%\screenshot.png, and sends it to the Telegram bot.

After all the preparatory steps, the Visual Basic, Batch, and PowerShell scripts run one by one to execute the payload in memory. Finally, the malware decodes a custom reflective loader written in C# and attempts to inject code, first into C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, and if that cannot be found, into C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe. Figure 9 shows the full kill chain.

Figure 9. Kill chain

This version of AsyncRAT uses a modified IdSender module, which checks browsers for a two-factor authentication extension and the following crypto wallet extensions:

  • Authenticator F2A (Brave, Chrome, Edge);
  • Binance Wallet (Chrome, Edge);
  • Bitget Wallet (Chrome);
  • BitPay (Chrome);
  • Coinbase Wallet (Chrome);
  • MetaMask (Brave, Chrome, Edge, Firefox, Opera, OperaGX);
  • Phantom (Brave, Chrome);
  • Ronin Wallet (Chrome);
  • TronLink (Chrome);
  • Trust Wallet (Chrome).

AsyncRAT also checks for the following crypto wallet applications:

  • Atomic Wallet,
  • Binance,
  • Bitcoin Core,
  • Coinomi,
  • Electrum Wallet,
  • Ergo Wallet,
  • Exodus,
  • Ledger Live.

Additionally, this modification of AsyncRAT includes a basic offline keylogger. It installs a hook with the help of the SetWindowsHookEx function, and logs pressed keys and the active process name to %TEMP%\Log.tmp.

Network infrastructure

The AsyncRAT configuration employs DDNS domains whose IP addresses belong to VPN services. However, given the small number of detected malicious files and domains, these IP addresses are essentially unique and can be used for attribution. Below is a diagram of the cluster we discovered, with the domain names exhibiting semantic similarity and the VPN IP addresses belonging to the same provider's network.

Figure 10. The network infrastructure being analyzed


Suspected Desert Dexter member

While reviewing messages sent to the hackers' Telegram bot, we noticed that some of the screenshots included snippets of a PowerShell script that contained logic for retrieving system information and communicating with the Telegram bot. Additionally, in one of the screenshots, we spotted Luminosity Link RAT, a tool whose creator was arrested in 2018. Some versions of the utility, including the one used by the attacker, can be found on GitHub.

Figure 11. Screenshot of the attacker's desktop
Figure 12. Screenshot of the attacker's desktop with the PowerShell script

Given that the malware takes a screenshot immediately after the victim's system is infected, a pattern can be identified. The screenshots with the PowerShell script were taken on a system named "DEXTER" or "DEXTERMSI". Furthermore, when a chat with the Telegram bot starts, the user sends a link to a channel that also contains the name "dexter" in its title. The substring "ly" in the channel name suggests a possible Libyan origin. This is confirmed by the geolocation data sent by the malware and the Arabic comments in the PowerShell script. The attacker's channel showcases hacked iOS applications.

Figure 13. Messages from the Telegram bot with a screenshot of the attacker's infected system
Figure 14. Messages in the chat with the bot, entered manually by the attacker
Figure 15. The attacker's Telegram channel

Victims

Figure 16. Number of potential victims across different countries

In the course of our analysis, we discovered about 900 potential victims. We identified them by using messages from the Telegram bot, specifically the Device ID field, and desktop screenshots sent to the bot. The majority of victims are ordinary users, including employees in the following sectors:

  • Oil production
  • Construction
  • Information technology
  • Agriculture

Takeaways

The Middle East and North Africa remain one of the world's most volatile regions. The geopolitical climate contributes to a significant number of cyberattacks there, aimed at both state agencies and everyday individuals, with these attacks becoming increasingly sophisticated. Political relations between nations are a common phishing lure.

The tools used by Desert Dexter are not particularly sophisticated. However, the combination of Facebook* ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices. By publishing posts alleging the leakage of confidential data, the group creates a kill chain that is universally applicable for infecting devices of both ordinary users and high-profile officials. We continue to track the activities of Desert Dexter in Arab countries.

Indicators of compromise

Network indicators


File-based indicators


MITRE ATT&CK techniques

ID | Name | Description

Resource Development
T1585.001 | Establish Accounts: Social Media Accounts | Desert Dexter creates Telegram and Facebook* channels, mimicking existing news agencies to disseminate ad posts
T1588.001 | Obtain Capabilities: Malware | The group modifies AsyncRAT by adding a script for communicating with a Telegram bot
T1608.001 | Stage Capabilities: Upload Malware | Desert Dexter uploads malicious archives to the legitimate file-sharing service files.fm or Telegram channels
T1608.006 | Stage Capabilities: SEO Poisoning | The group uses Facebook's* advertising system to attract more victims

Initial Access
T1566.002 | Drive-by Compromise | In its ad posts, the group provides a link to a RAR archive or a Telegram channel containing the archive

Execution
T1204.002 | User Execution: Malicious File | Desert Dexter attempts to trick victims into opening JavaScript or BAT scripts within the RAR archives
T1059.001 | Command and Scripting Interpreter: PowerShell | Desert Dexter uses PowerShell scripts for persistence, system and user data collection, and payload execution
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The group uses BAT scripts in the initial and intermediate stages of the attack
T1059.005 | Command and Scripting Interpreter: Visual Basic | Desert Dexter employs VBS scripts in the intermediate stages of the attack
T1059.007 | Command and Scripting Interpreter: JavaScript | The group utilizes JavaScript files in the initial and intermediate stages of the attack

Persistence
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | To establish persistence, the group replaces the startup folder in the user's registry with C:\ProgramData\WindowsHost by altering the Startup value in the keys Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Defense Evasion
T1140 | Deobfuscate/Decode Files or Information | Desert Dexter obfuscates both the scripts and the AsyncRAT code
T1620 | Reflective Code Loading | The group uses a reflective loader written in C# to inject AsyncRAT into aspnet_compiler.exe

Collection
T1056.001 | Input Capture: Keylogging | Desert Dexter employs a modified version of AsyncRAT with an embedded offline keylogger that installs a keyboard hook using the SetWindowsHookEx function
T1074.001 | Data Staged: Local Data Staging | Desert Dexter's modified AsyncRAT logs keystrokes and active process names to the %TEMP%\Log.tmp file
T1113 | Screen Capture | The group deploys a script that takes a screenshot, saves it as %TEMP%\screenshot.png, and sends it to the Telegram bot

Command and Control
T1568 | Dynamic Resolution | Desert Dexter uses DDNS domains as C2 servers for AsyncRAT
T1571 | Non-Standard Port | The group uses port 6161 for AsyncRAT communication

Exfiltration
T1020.001 | Automated Exfiltration | Desert Dexter's AsyncRAT modification includes the IdSender module, which collects information on the system, user, browser extensions, cryptocurrency wallet management software, and two-factor authentication extensions

Impact
T1657 | Financial Theft | The group can obtain credentials for cryptocurrency wallets

Positive Technologies product verdicts

PT Sandbox

YARA rules

Verdict
tool_win_ZZ_MalPowerShell__RiskTool__FromBase64
tool_mem_ZZ_AsyncRAT__Backdoor
tool_win_ZZ_AsyncRAT__Backdoor__1
tool_win_ZZ_AsyncRAT__Backdoor

Behavioral verdicts

Verdict
Trojan.Win32.ObfBins.a
Trojan.Script.Dropper.kvlmyu
Trojan.Win32.Generic.a
Trojan.Script.Generic.a
Trojan-Dropper.Win32.LOLBin.a
Trojan.PowerShell.Generic.a
Trojan.Win32.Inject.a
Trojan.Win32.Generic.f
Trojan-Downloader.PowerShell.Generic.b
Trojan-Downloader.Win32.Generic.n

Network verdicts

Verdict
REMOTE [PTsecurity] AsyncRAT sid: 10004947
SPYWARE [PTsecurity] Trojan.Spyware Telegram checkin (APT Desert Dexter) sid: 10012983
SUSPICIOUS [PTsecurity] PowerShell Execution sid: 10002387
LOADER [PTsecurity] Trojan.Loader fakeimage loading sid: 10008279
POLICY [PTsecurity] IP Check Domain TLS (ipinfo.io) sid: 10007394
SUSPICIOUS [PTsecurity] QBot/AsyncRAT TLS JA3 fingerprint sid: 10007674
SUSPICIOUS [PTsecurity] Image Content type mismatch sid: 10007645
SUSPICIOUS [PTsecurity] Suspicious User-Agent (WindowsPowerShell) sid: 10008223
SUSPICIOUS [PTsecurity] POST Exfiltration via Telegram sid: 10009223

PT NAD

Verdict
REMOTE [PTsecurity] AsyncRAT sid: 10004947
SPYWARE [PTsecurity] Trojan.Spyware Telegram checkin (APT Desert Dexter) sid: 10012983
SUSPICIOUS [PTsecurity] PowerShell Execution sid: 10002387

MaxPatrol SIEM

Verdict
Execute_Malicious_Command
Suspicious_Connection
Script_Files_Execution
Connect_Suspicious_File_To_API_Telegram
DNS_Request_to_Suspicious_Domain

MaxPatrol EDR

Behavioral verdicts

Verdict
Suspicious_Create_Query_Dns_TelegramAPI
Shadow_Screen_save
Script_Files_Execution
Malware_Trojan_Win32_Generic_a
Windows_Autorun_Modification
Suspicious_Create_Process_TaskKill_TerminateProcess
Obfuscated_Powershell

YARA rules

Verdict
tool_win_ZZ_MalPowerShell__Dropper__PEInBase64
tool_win_ZZ_MalPowerShell__RiskTool__FromBase64

* Meta (Facebook) is currently prohibited in Russia.
