MVISION Insights: Arid Viper APT targets Palestine with Micropsia Malware

Technical Articles ID: KB95472
Last Modified: 4/5/2022

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.

Summary

Description of Campaign
The Arid Viper APT, also known as Desert Falcons, targeted entities and activists in Palestine with the Micropsia remote access trojan. The Delphi-based implant was delivered in compressed files delivered in politically themed phishing emails. The malicious software maintained persistence with a shortcut in the Windows Startup folder and gathered and exfiltrated sensitive information to command and control servers.

Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Cisco Systems and shared publicly.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check MVISION Insights for latest IOCs.

Campaign IOC

Type	Value
SHA256	C7E74330440FCF8F6B112F5493769DE6CDBDEA5944AB78697AB115C927CBD0A1
SHA256	2D03FF4E5D4D72AFFFD9BDE9225FE03D6DC941982D6F3A0BBD14076A6C890247
SHA256	AA507BBE5D2A32F6E1E3F311C1BAF93FD4707DEF8596083F26683E85972F5AC0
SHA256	E288D7E42C8CDBF0156F008FF7D663F8C8E68FAA2E902D51F3287F1BCEAE79B2
SHA256	1D4E54529FEEF53850F97F39029A906D53F3D4B2AEA8373E27C413324A55681C
SHA256	BC03948CE4D88F32017D4A1725A05341D3FF72A616645D9893B8F5D11068217F
SHA256	F2F36A72CFB25CEF74FF0EA8E3AD1C49C6DC3E128FD60A2717F4C5A225E20DF2
SHA256	895ADB54A13D9EBF3F7215F1BAD77C0C548E7DD4C58C3A338D440520EFCB8FC9
SHA256	8A730266C62FA79435497B1D7DB38011E63B6C53B48593D65C24C36044D92DBA
SHA256	7B9087D91A31D03DD2C235D8DEBF8ED10F4B82C430A236D159E06E7FB47464A9
SHA256	27EAEB7F0195230E22D5BEACC05B7D944AAEC4894FBC02824F59B172E360713F
SHA256	0A55551ADE55705D4BE6E946AB58A26D7CF8087558894AF8799931B09D38F3BC
SHA256	C9D7B5D06CD8AB1A01BF0C5BF41EF2A388E41B4C66B1728494F86ED255A95D48
SHA256	D4E56E3A9DEC89CC32DF78AA4BA8B079AA5E697ED99A1E21E9BD31E85D5D1370
DOMAIN	deangelomcnay.news
DOMAIN	juliansturgill.info
DOMAIN	earlahenry.com
DOMAIN	nicholasuhl.website
DOMAIN	cooperron.me
DOMAIN	dorothymambrose.live
DOMAIN	ruthgreenrtg.live
URL	http://deangelomcnay.news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/ZCgbo9EVhYMA8PX
URL	http://deangelomcnay.news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/bu5EmpJE7DUfzZD
URL	https://cooperron.me/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/
URL	https://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/
URL	http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/
URL	https://nicholasuhl.website/X2EYSWlzSZgSUME210Zv/YPPV6kFl2PwwF0TEVHMy/
URL	http://nicholasuhl.website/X2EYSWlzSZgSUME210Zv/YPPV6kFl2PwwF0TEVHMy/
URL	https://earlahenry.com/Ct2azbEP57LtWgmK/lWaPwemAJ3LPFmDH/
URL	http://earlahenry.com/Ct2azbEP57LtWgmK/lWaPwemAJ3LPFmDH/
URL	http://juliansturgill.info/um2NxySaF4L5mSYE/KY1hNeVvrE1XCrKP/

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	10262
V3 DAT (Endpoint Security)	4714

Detection Summary

IOC	Scanner	Detection
C7E74330440FCF8F6B112F5493769DE6CDBDEA5944AB78697AB115C927CBD0A1	AVEngine V2	Trojan-FTFX!4B96FECD0C64
	AVEngine V3	Trojan-FTFX!4B96FECD0C64
	JTI (ATP Rules)	JTI/Suspect.196612!7833c0f413c1
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
2D03FF4E5D4D72AFFFD9BDE9225FE03D6DC941982D6F3A0BBD14076A6C890247	AVEngine V2	Trojan-FTFX!4B96FECD0C64
	AVEngine V3	Trojan-FTFX!4B96FECD0C64
	JTI (ATP Rules)	JTI/Suspect.196612!4b96fecd0c64
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
AA507BBE5D2A32F6E1E3F311C1BAF93FD4707DEF8596083F26683E85972F5AC0	AVEngine V2	Trojan-FTFX!5989F7FBFA84
	AVEngine V3	Trojan-FTFX!5989F7FBFA84
	JTI (ATP Rules)	JTI/Suspect.196612!5989f7fbfa84
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E288D7E42C8CDBF0156F008FF7D663F8C8E68FAA2E902D51F3287F1BCEAE79B2	AVEngine V2	Trojan-FTFX!4B96FECD0C64
	AVEngine V3	Trojan-FTFX!4B96FECD0C64
	JTI (ATP Rules)	JTI/Suspect.196612!7833c0f413c1
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
1D4E54529FEEF53850F97F39029A906D53F3D4B2AEA8373E27C413324A55681C	AVEngine V2	Trojan-FTFX!907D6C843D84
	AVEngine V3	Trojan-FTFX!907D6C843D84
	JTI (ATP Rules)	JTI/Suspect.196612!907d6c843d84
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
BC03948CE4D88F32017D4A1725A05341D3FF72A616645D9893B8F5D11068217F	AVEngine V2	Generic pws.aia
	AVEngine V3	Generic pws.aia
	JTI (ATP Rules)	JTI/Suspect.196612!c8179e05fbca
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F2F36A72CFB25CEF74FF0EA8E3AD1C49C6DC3E128FD60A2717F4C5A225E20DF2	AVEngine V2	Trojan-FTFX!D60EDD62EA6F
	AVEngine V3	Trojan-FTFX!D60EDD62EA6F
	JTI (ATP Rules)	JTI/Suspect.196612!d60edd62ea6f
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
895ADB54A13D9EBF3F7215F1BAD77C0C548E7DD4C58C3A338D440520EFCB8FC9	AVEngine V2	Trojan-FTFX!B774DAE8EBAA
	AVEngine V3	Trojan-FTFX!B774DAE8EBAA
	JTI (ATP Rules)	JTI/Suspect.196612!b774dae8ebaa
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
8A730266C62FA79435497B1D7DB38011E63B6C53B48593D65C24C36044D92DBA	AVEngine V2	Trojan-FTFX!8F05571F93E6
	AVEngine V3	Trojan-FTFX!8F05571F93E6
	JTI (ATP Rules)	JTI/Suspect.196612!8f05571f93e6
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
7B9087D91A31D03DD2C235D8DEBF8ED10F4B82C430A236D159E06E7FB47464A9	AVEngine V2	Trojan-FTFX!5989F7FBFA84
	AVEngine V3	Trojan-FTFX!5989F7FBFA84
	JTI (ATP Rules)	JTI/Suspect.196612!ee83e625c2e5
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
27EAEB7F0195230E22D5BEACC05B7D944AAEC4894FBC02824F59B172E360713F	AVEngine V2	Trojan-FTFX!03D654B20820
	AVEngine V3	Trojan-FTFX!03D654B20820
	JTI (ATP Rules)	JTI/Suspect.196612!03d654b20820
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
0A55551ADE55705D4BE6E946AB58A26D7CF8087558894AF8799931B09D38F3BC	AVEngine V2	PWS-FCYC!D96F941C2962
	AVEngine V3	PWS-FCYC!D96F941C2962
	JTI (ATP Rules)	JTI/Suspect.196612!d96f941c2962
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C9D7B5D06CD8AB1A01BF0C5BF41EF2A388E41B4C66B1728494F86ED255A95D48	AVEngine V2	PWS-FCYC!D96F941C2962
	AVEngine V3	PWS-FCYC!D96F941C2962
	JTI (ATP Rules)	JTI/Suspect.196612!7833c0f413c1
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D4E56E3A9DEC89CC32DF78AA4BA8B079AA5E697ED99A1E21E9BD31E85D5D1370	AVEngine V2	Trojan-FTFX!907D6C843D84
	AVEngine V3	Trojan-FTFX!907D6C843D84
	JTI (ATP Rules)	JTI/Suspect.196612!7833c0f413c1
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection:

Rule ID: 4 Use GTI file reputation to identify trusted or malicious files

Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:

Prevent creation of new executable files in the Windows folder

Host Intrusion Prevention:

Rule ID: 6135 Unmanaged Powershell Detected
Rule ID: 2806 Attempt to create a hardlink to a file
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 1020 Windows Agent Shielding - File Access

Affected Products

MVISION Insights

Knowledge Center

MVISION Insights: Arid Viper APT targets Palestine with Micropsia Malware

Environment

Summary

Affected Products

Title

Title

Knowledge Center

MVISION Insights: Arid Viper APT targets Palestine with Micropsia Malware

Environment

Summary

Affected Products

Choose your region

Title

Title