BlackOasis is the name given to an Advanced Persistent Threat (APT) group that delivers highly targeted attacks against specific victims in the Middle East. The group uses events from the contemporary news cycle to craft spear-phishing emails and decoy documents that mask the malicious activity of its toolkit. Targets of BlackOasis include UN representatives, regional news correspondents, regional entities, international activists, and think tanks. The geographic spread of detected victims covers Russia, Nigeria, Iraq, Libya, Jordan, Saudi Arabia, Iran, Bahrain, the Netherlands, Angola, the UK and Afghanistan.
The group specializes in the exploitation of zero-day vulnerabilities, mainly in Adobe Flash Player. So far, infosec researchers have observed BlackOasis campaigns taking advantage of five different zero-day vulnerabilities, four in Flash Player and one (CVE-2017-8759) in the .NET Framework:
- CVE-2015-5119 – June 2015
- CVE-2016-0984 – June 2015
- CVE-2016-4117 – May 2016
- CVE-2017-8759 – Sept 2017
- CVE-2017-11292 – Oct 2017
The final payload delivered in the attacks by BlackOasis has almost always been from the FinSpy family.
Complex Attack Chain
BlackOasis employs a sophisticated multi-stage attack chain. In the campaign exploiting CVE-2017-11292, a memory corruption vulnerability in the 'com.adobe.tvsdk.mediacore.BufferControlParameters' class of Flash Player, the initial foothold was a malicious Office document carrying an embedded ActiveX object that contained the Flash exploit. Upon successful exploitation, the first-stage shellcode contacts the hardcoded address 'hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf', from which it downloads and executes a second-stage shellcode. This second stage acts as a dropper for the actual malware payload, but that is not its only task: it also downloads the decoy document that is displayed to the user so the infection goes unnoticed.
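A first triage step for a document like the one described above is to check whether an Office file carries a Flash object at all, before any detonation. The following scanner is an added example written for this page, not code from the original write-up or from any vendor tool. It opens an OOXML (zip-based) document, looks for ActiveX parts, searches each part for an SWF header ('FWS', 'CWS' or 'ZWS' followed by a plausible version and length), checks the ActiveX part XML for the Shockwave Flash control CLSID, and greps every part for the C2 host string named in the write-up. The sample document it scans is constructed in memory (it is not a real Word file, only the zip layout of one), and the indicator list is an assumption for illustration.

```python
import io
import re
import zipfile

# SWF headers: uncompressed (FWS), zlib-compressed (CWS), LZMA-compressed (ZWS).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as it appears in word/activeX/*.xml.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# Constructed indicator: the first-stage C2 host from the write-up (assumption: plain ASCII in the part).
C2_HOST = re.compile(rb"89\.45\.67\.107")


def _looks_like_swf(blob: bytes, idx: int) -> bool:
    """SWF header = 3-byte magic, 1-byte version, 4-byte little-endian file length."""
    if idx + 8 > len(blob):
        return False
    version = blob[idx + 3]
    length = int.from_bytes(blob[idx + 4:idx + 8], "little")
    return 1 <= version <= 60 and length >= 8


def scan_office_zip(data: bytes) -> dict:
    """Scan an OOXML document for embedded Flash objects and the known C2 host.

    Returns a findings dict with a 'suspicious' verdict. Raises ValueError if
    the blob is not a zip (legacy .doc/OLE2 files need a different parser).
    """
    findings = {"activex_parts": [], "swf_parts": [], "flash_clsid_parts": [], "c2_hits": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML document") from exc
    with zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if "/activex/" in name.lower():
                findings["activex_parts"].append(name)
            # An SWF may start at offset 0 or sit inside an OLE persistence
            # stream, so search the whole part rather than only the first bytes.
            for magic in SWF_MAGICS:
                idx = blob.find(magic)
                if idx != -1 and _looks_like_swf(blob, idx):
                    findings["swf_parts"].append((name, magic.decode(), idx))
                    break
            if FLASH_CLSID in blob.upper():
                findings["flash_clsid_parts"].append(name)
            if C2_HOST.search(blob):
                findings["c2_hits"].append(name)
    findings["suspicious"] = bool(findings["swf_parts"] or findings["flash_clsid_parts"]
                                  or findings["c2_hits"])
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Fake compressed SWF: 'CWS', version 30, declared length 0x100, padding.
            fake_swf = b"CWS" + bytes([30]) + (0x100).to_bytes(4, "little") + b"\x00" * 32
            zf.writestr("word/activeX/activeX1.bin", b"\x01\x02" + fake_swf)
            zf.writestr("word/activeX/activeX1.xml",
                        b'<ax:ocx ax:classid="{' + FLASH_CLSID + b'}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, scan_office_zip(build_sample_docx(flag)))
```

Any hit on the SWF header or the Flash CLSID is enough to route the file to sandboxing; the C2 string check is narrower and only catches this one campaign, which is why it is kept separate from the structural checks.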
The final FinSpy payload is delivered as a file named 'mo.exe'. When executed, it creates files in five specific locations on disk.
Among the dropped files, 'AdapterTroubleshooter.exe' is a legitimate binary that is nonetheless abused as part of a DLL search order hijacking technique: because the executable loads 'd3d9.dll' by name, the Windows loader resolves it from the executable's own directory before the system directory, so a DLL planted next to it wins. The dropped 'd3d9.dll' is malicious and, once loaded by the legitimate binary, is responsible for injecting the FinSpy payload into the Winlogon process.
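The hijack described above leaves a simple artifact on disk: a DLL that normally lives only in the system directory, sitting next to an executable somewhere else. The hunt below is an added example, not code from the original write-up or from any vendor product. It walks a directory tree, skips the Windows system directories, and flags any directory that holds both an executable and a DLL from a small sideload watchlist. The watchlist (d3d9.dll from this campaign plus a few other commonly abused names) and the directory layout it is run against are constructed assumptions; the layout mirrors the case in the text, with a copy of AdapterTroubleshooter.exe and a planted d3d9.dll under ProgramData.

```python
import os
import tempfile
from pathlib import Path

# DLLs that legitimate binaries import by bare name and which therefore resolve
# from the executable's directory first. Illustrative watchlist (assumption):
# d3d9.dll is the one used in this campaign, the rest are frequent sideload targets.
SIDELOAD_DLLS = {"d3d9.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}
# Paths (relative to the scanned root, lower-case, forward slashes) where these
# DLLs legitimately live. Anything else holding one of them is suspect.
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def find_sideload_candidates(root) -> list:
    """Return directories outside SYSTEM_DIRS that contain an .exe plus a watchlisted DLL."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix().lower()
        if any(rel == s or rel.startswith(s + "/") for s in SYSTEM_DIRS):
            continue
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        dlls = sorted(f for f in filenames if f.lower() in SIDELOAD_DLLS)
        if exes and dlls:
            hits.append({"dir": rel, "exes": exes, "dlls": dlls})
    return hits


def build_fixture(base) -> Path:
    """Construct a fake drive layout for the demo (contents are placeholders, not real PE files)."""
    base = Path(base)
    layout = {
        # Legitimate location of both files: must not be flagged.
        "Windows/System32/AdapterTroubleshooter.exe": b"MZ legit",
        "Windows/System32/d3d9.dll": b"MZ legit",
        # The pattern from the write-up: copied system binary plus planted DLL.
        "ProgramData/ManagerApp/AdapterTroubleshooter.exe": b"MZ copied",
        "ProgramData/ManagerApp/d3d9.dll": b"MZ planted",
        # Ordinary third-party software with its own private DLL: must not be flagged.
        "Program Files/Vendor/tool.exe": b"MZ",
        "Program Files/Vendor/helper.dll": b"MZ",
    }
    for rel, content in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def run_demo() -> list:
    """Build the fixture in a temporary directory and return the hunt's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sideload_candidates(build_fixture(tmp))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real host the same walk would start at the drive root and the hits would be checked further: whether the executable is Authenticode-signed while the DLL beside it is not, and whether the DLL's exports match the genuine system copy, are the two follow-up questions that separate a hijack from a legitimate private copy.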