Fidelis Threat Advisory #1012
Gathering in the Middle East, Operation STTEAM
In the past week, we have observed an increase in attack activity against the Oil & Gas industry in the Middle East by a group of threat actors using the handle “STTEAM”. The group has also been observed attacking and compromising state government websites in the same area.
This group has compromised web pages from various organizations in the Middle East and has added some specific strings to them. We are providing those strings to local authorities to assist in identifying victim organizations.
Some of the compromised servers will display the following screen when accessed:
Once the websites are compromised, the group has been observed uploading two ASP Shell Backdoors. One of these ASP Shell Backdoors contains words in Turkish and appears to have been developed by someone going by the following handle:
This backdoor lets the attacker obtain system information, connect to SQL databases, list tables and execute commands, browse directories, perform file manipulations (upload, download, copy, delete, modify, searches, etc.), and perform folder manipulations (delete, copy, etc.).
The other ASP Shell Backdoor appears to be known as “K-Shell/ ZHC Shell 1.0 / Aspx Shell” and developed by two persons going by the handles of:
XXx_Death_xXX and ZHC
(firstname.lastname@example.org / ZCompany Hacking Crew • hxxp://www.zone-hack[dot]com/)
This backdoor contains most of the same features as the “Zehir4” backdoor, but it adds functionality to add a user to the system, add a user to the Administrators group, disable the Windows Firewall, enable RDP, delete IIS logs, and start the netcat utility as a reverse backdoor shell.
We observed an attacker with the following IP address trying to upload these backdoors to a victim system: “188.8.131.52”.
This document provides information about the two ASP Shell Backdoors used by the threat actors in a recent incident, covering their functionality and network indicators.
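The two feature lists above (command execution, SQL access, adding a user, adding it to Administrators, changing the firewall, enabling RDP, deleting IIS logs, launching netcat) each leave a trace in the Windows Security log on the web server. The following is an added example, not code from the advisory or from Fidelis, that labels such events and correlates them per host around a command spawned by the IIS worker process. The event IDs are the standard Windows Security IDs (4688 process creation, 4720 user created, 4732 member added to a local group, 4950 firewall setting changed, 4657 registry value modified, 4663 object access); the event records, host names and the assumption that object-access auditing is enabled for the RDP registry value and the IIS log folder are all constructed for this example.

```python
"""Correlate Windows Security events that match the post-compromise actions
an ASP shell offers. Added example with constructed sample events; the
event IDs are the standard Windows Security log IDs."""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_CREATED = 4688          # process creation (with parent process name)
USER_CREATED = 4720             # a local user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732  # member added to a security-enabled local group
FIREWALL_SETTING_CHANGED = 4950  # a Windows Firewall setting has changed
REGISTRY_VALUE_MODIFIED = 4657   # registry value modified (needs SACL auditing)
OBJECT_ACCESS = 4663             # file/object access (needs SACL auditing)

IIS_WORKER = "w3wp.exe"  # the IIS worker process; a web shell runs commands as its children
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "nc.exe", "net.exe", "netsh.exe"}


def basename(path):
    """Last path component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event dict to a capability label from the advisory, or None."""
    eid = event["id"]
    if eid == PROCESS_CREATED:
        if (basename(event.get("parent", "")) == IIS_WORKER
                and basename(event.get("process", "")) in SUSPICIOUS_CHILDREN):
            return "command_execution_from_iis"
        return None
    if eid == USER_CREATED:
        return "user_added"
    if eid == LOCAL_GROUP_MEMBER_ADDED and event.get("group", "").lower() == "administrators":
        return "user_added_to_administrators"
    if eid == FIREWALL_SETTING_CHANGED:
        return "firewall_changed"
    if eid == REGISTRY_VALUE_MODIFIED and "fdenytsconnections" in event.get("object", "").lower():
        return "rdp_setting_changed"
    if eid == OBJECT_ACCESS:
        obj = event.get("object", "").lower()
        if "\\inetpub\\logs\\" in obj and "delete" in event.get("access", "").lower():
            return "iis_log_deleted"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Per host, report the distinct capability labels seen within `window`
    after a command was spawned by the IIS worker, when at least two distinct
    labels occur. A lone user creation by an administrator is not reported."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev)
        if label:
            by_host[ev["host"]].append((ev["time"], label))
    findings = {}
    for host, items in by_host.items():
        for t0, label in items:
            if label != "command_execution_from_iis":
                continue
            labels = {lab for t, lab in items if t0 <= t <= t0 + window}
            if len(labels) >= 2:
                findings[host] = sorted(labels)
                break
    return findings


# Constructed sample events (not real telemetry). web01 shows the shell's
# sequence; web02 shows benign administrator activity.
T = datetime(2013, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    {"host": "web01", "time": T, "id": 4688,
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "process": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "time": T + timedelta(minutes=1), "id": 4720, "user": "svc_update"},
    {"host": "web01", "time": T + timedelta(minutes=1), "id": 4732, "group": "Administrators"},
    {"host": "web01", "time": T + timedelta(minutes=2), "id": 4950},
    {"host": "web01", "time": T + timedelta(minutes=3), "id": 4657,
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"host": "web01", "time": T + timedelta(minutes=5), "id": 4663,
     "object": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex130101.log", "access": "DELETE"},
    {"host": "web02", "time": T, "id": 4688,
     "parent": r"C:\Windows\explorer.exe", "process": r"C:\Windows\System32\cmd.exe"},
    {"host": "web02", "time": T + timedelta(minutes=2), "id": 4720, "user": "new_hire"},
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(host, ", ".join(labels))
```

The rule is deliberately anchored on a child of w3wp.exe, because a legitimate administrator creating a user or changing the firewall does not do it from the IIS worker process; the window then gathers the follow-on actions so the alert shows the whole chain rather than five separate events.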
To see the full report and findings, visit the Fidelis Threat Advisory #1012 here.