The Iranian nation-state hacker group OilRig has continued to target Middle Eastern governments in an ongoing cyber espionage campaign that uses a new backdoor to exfiltrate data. Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy explained that the campaign “abuses legitimate but hacked email accounts to deliver stolen data to external mail accounts controlled by the attackers.”
Although the technique itself is not new, this is the first time OilRig has been seen adopting it in its playbook, demonstrating the group's continued refinement of its methods for getting past security controls. Targeted phishing attacks by the advanced persistent threat (APT) group, also tracked as APT34, Cobalt Gypsy, Europium, and Helix Kitten, have been reported in the Middle East since at least 2014.
Backdoor’s Exfiltration Procedure For Credentials
The group, which is associated with Iran’s Ministry of Intelligence and Security (MOIS), is known to deploy a wide range of tools in its operations. Attacks in 2021 and 2022 used backdoors such as Karkoff, Shark, Marlin, and Saitama to steal information.
The latest activity begins with a .NET-based dropper that delivers four separate files, including the main implant (“DevicesSrv.exe”), which is responsible for smuggling out particular files of interest.
The second stage also uses a dynamic-link library (DLL) file that collects credentials from local and domain accounts.
The most notable feature of the .NET backdoor is its exfiltration procedure: it uses the stolen credentials to send the collected data by email to actor-controlled Gmail and Proton Mail addresses. According to the researchers, “the threat actors send these emails over government Exchange Servers using fictitious accounts with stolen passwords.”
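Because the stolen data leaves over the victim's own Exchange server, the mail flow itself is the detection surface. The following Python is an added example, not code from Trend Micro or from the campaign: it walks a constructed, simplified export of an Exchange message tracking log (the real log carries many more columns than the six used here; an administrator would typically produce such an export with `Get-MessageTrackingLog`) and flags two things the report describes: internal accounts sending large messages to freemail providers, and a single freemail drop box fed by several distinct internal accounts. The internal domain `gov.example`, the size threshold, and all log rows are assumptions for illustration.

```python
"""Hunt for the mail-based exfiltration pattern described above in Exchange
message tracking logs.

Added example (not Trend Micro's or the campaign's code). The log text below
is constructed; the columns are a subset of the real message tracking schema
(date-time, event-id, sender-address, recipient-address, total-bytes,
message-subject). Domains, threshold and rows are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a trimmed message tracking log export.
SAMPLE_LOG = """\
date-time,event-id,sender-address,recipient-address,total-bytes,message-subject
2022-12-01T08:01:12Z,SEND,a.hassan@gov.example,colleague@gov.example,4120,Meeting notes
2022-12-01T08:04:55Z,SEND,a.hassan@gov.example,backup.mail4471@gmail.com,1843211,Documents
2022-12-01T08:06:03Z,SEND,m.saleh@gov.example,backup.mail4471@gmail.com,2211940,Documents
2022-12-01T08:07:41Z,SEND,m.saleh@gov.example,partner@vendor.example,51200,Invoice Q4
2022-12-01T08:09:10Z,SEND,r.nour@gov.example,archive.node@proton.me,990122,Report
2022-12-01T08:11:20Z,SEND,r.nour@gov.example,friend@gmail.com,2100,lunch?
"""

INTERNAL_DOMAINS = {"gov.example"}  # assumption: the organisation's own mail domain(s)
# Gmail and Proton Mail are the providers named in the report; extend as needed.
FREEMAIL_DOMAINS = {"gmail.com", "proton.me", "protonmail.com", "pm.me"}
MIN_BYTES = 500_000  # assumption: tune to the environment's normal outbound sizes


def domain(addr):
    """Mail domain of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_tracking_log(text):
    """Parse the CSV export and keep only SEND events (mail handed to the next hop)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return [r for r in rows if r["event-id"] == "SEND"]


def flag_freemail_exfil(rows, min_bytes=MIN_BYTES):
    """Internal sender -> freemail recipient messages at or above the size threshold."""
    hits = []
    for r in rows:
        if domain(r["sender-address"]) not in INTERNAL_DOMAINS:
            continue
        if domain(r["recipient-address"]) not in FREEMAIL_DOMAINS:
            continue
        size = int(r["total-bytes"])
        if size >= min_bytes:
            hits.append((r["sender-address"], r["recipient-address"], size))
    return hits


def shared_external_recipients(rows, min_senders=2):
    """Freemail recipients written to by several distinct internal accounts:
    the 'many stolen accounts, one drop box' pattern."""
    senders_by_rcpt = defaultdict(set)
    for r in rows:
        if (domain(r["sender-address"]) in INTERNAL_DOMAINS
                and domain(r["recipient-address"]) in FREEMAIL_DOMAINS):
            senders_by_rcpt[r["recipient-address"]].add(r["sender-address"])
    return {rcpt: sorted(s) for rcpt, s in senders_by_rcpt.items()
            if len(s) >= min_senders}


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    for hit in flag_freemail_exfil(rows):
        print("large internal->freemail send:", hit)
    for rcpt, senders in shared_external_recipients(rows).items():
        print("drop box shared by", len(senders), "accounts:", rcpt, senders)
```

The size filter alone would miss a patient actor that sends small pieces, which is why the second check keys on the recipient rather than the message: a freemail address that receives mail from multiple internal accounts in a short window is unusual in a government mail flow regardless of volume. Both checks only work on mail that traverses the organisation's Exchange transport, which is exactly where this campaign puts it.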
The campaign's first-stage dropper shares characteristics with Saitama, and the victimology patterns and the use of internet-facing Exchange servers as a communication channel are comparable to earlier APT34 activity, as was the case with Karkoff.
If anything, the growing number of malicious tools attributed to OilRig shows the threat actor’s “flexibility” in creating new malware tailored to the environments it targets and the privileges it holds at a given point in an attack.
Despite the simplicity of the routine, the researchers noted that the uniqueness of the second and final stages suggests it may be only a small part of a larger campaign against governments.
Previous Attacks With Iranian OilRig Hackers
OilRig has been active since at least 2014. It is also known as APT34, Helix Kitten, and Cobalt Gypsy, and it is believed to operate on behalf of the Iranian government. To date, the group has been observed targeting organisations in the chemical, energy, financial, government, and telecommunications sectors.
At the end of April 2022, security researchers from Fortinet and Malwarebytes found a malicious Excel document the group sent to a Jordanian diplomat. The document was designed to drop a new backdoor called Saitama.
OilRig mostly targets financial and government organisations in the U.S. and the Middle East. In recent attacks, the group has been seen using multiple tools, quickly adopting new exploits, and switching to new Trojans.
Nyotron reports that OilRig’s latest campaign used about 20 tools, some publicly available and some never seen before. In addition to stealing data, the group has put considerable effort into evading network-level security products to gain a foothold in its target environments.
Nyotron’s report (PDF) shows that since November 2017, the threat group has been targeting different organisations in the Middle East using new tactics, techniques, and procedures (TTPs), including the use of Google Drive and SmartFile for command and control (C&C).