Middle East Under Attack: The Desert Dexter Campaign

Summary

CRIL came across a blog published by Positive Technologies Expert Security Center (PT ESC) detailing a malicious cyber campaign that has targeted the Middle East and North Africa since September 2024. The campaign, attributed to a threat actor tracked as "Desert Dexter", distributes malware through social media, using the region's geopolitical tensions as a lure. The attackers create fake news groups and post ads with links to file-sharing services or Telegram channels, which ultimately deliver a modified build of AsyncRAT. This build is tailored to steal cryptocurrency wallet data and reports back to a Telegram bot.

The campaign has impacted approximately 900 victims across Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey. While a similar operation was observed in 2019, the attackers have evolved their tactics.

Technical Analysis

The investigation revealed that the Desert Dexter group creates temporary Facebook accounts and fake news channels to distribute malware. These channels post deceptive advertisements containing links to file-sharing services (e.g., Files[.]fm) or Telegram channels that host the malicious files. The ads are designed to mimic legitimate media outlets such as Libya Press, Sky News, Alhurra TV, and others.

Malware Delivery & Execution

Once a victim clicks the link, they download a RAR archive containing a BAT or JavaScript file. That file launches a PowerShell script, which carries out the second stage of the attack by:

  • Terminating a hard-coded list of processes, mostly legitimate .NET Framework utilities of the kind later used as injection hosts (CCleanerBrowser.exe, aspnet_regbrowsers.exe, aspnet_compiler.exe, AppLaunch.exe, InstallUtil.exe, jsc.exe, MSBuild.exe, RegAsm.exe, cvtres.exe, RegSvcs.exe).

  • Removing the dropped BAT, PS1, and VBS files to cover its tracks.

  • Establishing persistence through Windows registry startup entries.

  • Generating a unique device ID stored in %APPDATA%\device_id.txt.

  • Gathering system information (device ID, public IP address, installed antivirus).

  • Taking a screenshot and sending it to the attacker’s Telegram bot.

The final payload runs in memory: it is injected into a legitimate .NET Framework process such as aspnet_compiler.exe, so its activity appears to come from a signed Microsoft binary rather than from a dropped executable.
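Each step of the loader chain above leaves a distinct process-creation trace, and those traces can be turned into detections. The following Python block is an added example, not code from the original post or from the PT ESC report: it runs five rules over constructed Sysmon-style process-creation events and returns which events fired which rule. The event layout (image, parent_image, command_line), the sample events, the Run key as the startup location, and the injection hosts other than aspnet_compiler.exe are assumptions; the kill list, aspnet_compiler.exe, device_id.txt and Log.tmp come from the report.

```python
"""Detections for the Desert Dexter loader chain over process-creation events.

Added example, not from the original post or the PT ESC report. Event layout,
sample events, the Run key and the injection hosts other than aspnet_compiler.exe
are assumptions; the kill list, device_id.txt and Log.tmp come from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    eid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Processes the loader terminates before injecting (from the report).
KILLED_PROCESSES = {
    "ccleanerbrowser.exe", "aspnet_regbrowsers.exe", "aspnet_compiler.exe",
    "applaunch.exe", "installutil.exe", "jsc.exe", "msbuild.exe",
    "regasm.exe", "cvtres.exe", "regsvcs.exe",
}
# Match on the stem so both "taskkill /IM x.exe" and "Stop-Process -Name x" hit.
KILLED_STEMS = [re.compile(r"\b" + re.escape(p[:-4]) + r"\b") for p in KILLED_PROCESSES]

# aspnet_compiler.exe is the host the report names; the rest are assumed because
# they sit in the same kill list and are common AsyncRAT injection targets.
INJECTION_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                   "installutil.exe", "applaunch.exe", "msbuild.exe"}

ARTIFACT_RE = re.compile(r"device_id\.txt|\\log\.tmp", re.IGNORECASE)  # report artifacts
SCRIPT_EXT_RE = re.compile(r"\.(bat|ps1|vbs|js)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def kills_injection_hosts(ev: Event) -> bool:
    """A script host (or its child) killing three or more of the listed processes."""
    if not ({basename(ev.image), basename(ev.parent_image)} & SCRIPT_HOSTS):
        return False
    cl = ev.command_line.lower()
    if "taskkill" not in cl and "stop-process" not in cl:
        return False
    return sum(1 for rx in KILLED_STEMS if rx.search(cl)) >= 3


def dotnet_host_from_script(ev: Event) -> bool:
    """Script host directly launching a .NET utility used as an injection target.
    Assumption: these are normally children of build tooling, not of powershell/cmd."""
    return basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) in INJECTION_HOSTS


def run_key_persistence(ev: Event) -> bool:
    """Startup entry pointing at a script file (the CurrentVersion\\Run key is assumed)."""
    cl = ev.command_line.lower()
    return (basename(ev.image) in SCRIPT_HOSTS | {"reg.exe"}
            and "currentversion\\run" in cl
            and SCRIPT_EXT_RE.search(cl) is not None)


def artifact_reference(ev: Event) -> bool:
    """Command line touching the device ID file or the keylogger log."""
    return ARTIFACT_RE.search(ev.command_line) is not None


def script_cleanup(ev: Event) -> bool:
    """Script host deleting BAT/PS1/VBS/JS files (the loader covering its tracks)."""
    cl = ev.command_line.lower()
    return (basename(ev.image) in SCRIPT_HOSTS
            and ("remove-item" in cl or re.search(r"\bdel\b", cl) is not None)
            and SCRIPT_EXT_RE.search(cl) is not None)


RULES = {f.__name__: f for f in (kills_injection_hosts, dotnet_host_from_script,
                                 run_key_persistence, artifact_reference, script_cleanup)}


def detect(events) -> dict:
    """Return {rule_name: [event ids]} for every rule that fired at least once."""
    hits: dict = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.eid)
    return hits


# Constructed sample telemetry: one infected host (101-106) plus two benign look-alikes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(101, PS, r"C:\Windows\System32\wscript.exe",
          r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\v\AppData\Local\Temp\update.ps1"),
    Event(102, r"C:\Windows\System32\taskkill.exe", PS,
          "taskkill /F /IM aspnet_compiler.exe /IM RegAsm.exe /IM MSBuild.exe /IM InstallUtil.exe"),
    Event(103, r"C:\Windows\System32\reg.exe", PS,
          r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ '
          r'/d "wscript.exe C:\Users\v\AppData\Roaming\update.vbs" /f'),
    Event(104, PS, PS, r'powershell.exe -c "Remove-Item C:\Users\v\Downloads\news.bat, '
                       r'C:\Users\v\AppData\Local\Temp\update.ps1 -Force"'),
    Event(105, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", PS,
          r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    Event(106, PS, PS, r'powershell.exe -c "Set-Content $env:APPDATA\device_id.txt $id"'),
    Event(201, r"C:\Program Files\dotnet\MSBuild.exe",
          r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe app.csproj /t:Build"),
    Event(202, r"C:\Windows\System32\taskkill.exe", r"C:\Windows\System32\cmd.exe",
          "taskkill /F /IM notepad.exe"),
]

if __name__ == "__main__":
    for name, ids in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{name:26s} events {ids}")
```

Any single rule here is noisy on its own (developers run MSBuild, administrators run taskkill); the value is in several of them firing on the same host within minutes, which is why detect() keeps the per-rule event IDs rather than a single boolean so they can be correlated in a SIEM.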

AsyncRAT Modifications & Capabilities

This AsyncRAT build is modified to hunt for cryptocurrency wallets and for two-factor authentication browser extensions, specifically:

  • Browser-based wallets: MetaMask, Binance Wallet, Trust Wallet, and others.

  • Desktop wallet applications: Atomic Wallet, Binance, Electrum, Ledger Live, and more.

  • Two-factor authentication browser extensions (e.g., Authenticator F2A).

Additionally, the malware includes a keylogger that records keystrokes together with the active application, writing the log to %TEMP%\Log.tmp.

Network Infrastructure & Attribution

The attackers rely on dynamic DNS (DDNS) domains that resolve to VPN exit IP addresses, which makes tracking difficult. However, analysis of these IPs points to a small, dedicated infrastructure and links it to previous malicious activity.

A potential Desert Dexter member was identified through screenshots the malware sent back to the Telegram bot, apparently taken on the operator's own machine. These images revealed:

  • A system named “DEXTER” or “DEXTERMSI”, suggesting the attacker's alias.

  • Arabic-language comments in PowerShell scripts, indicating regional origins.

  • A Telegram channel with "dexter" and "ly" in its name, hinting at a Libyan connection.

Victim Profile

Approximately 900 victims have been identified across Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey, spanning multiple industries. Infections were confirmed from the messages the malware posted to the attacker's Telegram bot, in particular the device ID logs and desktop screenshots. While most victims are ordinary users, some are employees in critical sectors such as oil production, construction, information technology, and agriculture.

Recommendations

  • Avoid clicking on social media ads or links claiming to reveal leaked intelligence, especially those hosted on file-sharing services or Telegram channels. Always verify news from trusted sources before engaging.

  • Use reliable antivirus software, enable firewall protection, and regularly update operating systems and applications. Implement application allowlisting (e.g., AppLocker or WDAC) so that BAT, JS, VBS and PowerShell scripts in user-writable locations cannot run.

  • Train employees and individuals to recognize social engineering tactics, such as fake news and politically charged phishing attempts. Encourage the use of multi-factor authentication (MFA) and strong, unique passwords for critical accounts.

Conclusion

The Desert Dexter campaign highlights how geopolitical tensions in the Middle East and North Africa are exploited for cyberattacks, targeting both individuals and critical industries. While the tools used are not highly sophisticated, the strategic use of Facebook ads, fake news, and legitimate services has proven effective in spreading malware. By leveraging political lures and claims of leaked intelligence, the attackers have created a scalable and adaptable kill chain. This incident underscores the growing risk of social media-driven cyber threats in the region.


Written by

FPT Metrodata Indonesia