<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="http://info.threatstop.com/hubfs/magic%20hound.jpg" alt="magic hound.jpg" width="454" height="303"></p> <p>Magic Hound, as dubbed by researchers at <a href="http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/">Palo Alto Networks</a>, is a targeted espionage campaign against the Saudi Arabian government, energy and technology sectors. The campaign used a common phishing tactic: embedding macros in Word and Excel documents. If the victim enabled macros in the document, PowerShell scripts downloaded additional malware onto their computer, such as the open-source Python RAT, <a href="https://github.com/n1nj4sec/pupy">Pupy</a>.</p> <p>Researchers noticed similarities between the likely Iran-based threat actor “Rocket Kitten” and the Magic Hound group, with clues including the use of a shared command-and-control IP to distribute their malware. Researchers also <a href="http://www.securityweek.com/iranian-spies-target-saudi-arabia-magic-hound-attacks">noted</a> an overlap in infrastructure with the domains used in the recent Shamoon 2 campaign, which also targeted Saudi Arabian companies.</p> <p>ThreatSTOP customers are protected from Magic Hound if they have the TSCritical target enabled in their policy.</p></span>