Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations

The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.


“The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said.

While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections.

The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

Linked to Iran’s Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with recent attacks in 2021 and 2022 employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.

The starting point of the latest activity is a .NET-based dropper that’s tasked with delivering four different files, including the main implant (“DevicesSrv.exe”) responsible for exfiltrating specific files of interest.

Also put to use in the second stage is a dynamic-link library (DLL) file that’s capable of harvesting credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which uses the stolen credentials to send the collected data by email to actor-controlled Gmail and Proton Mail addresses.

“The threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords,” the researchers said.
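The exfiltration path described above (a valid internal account relaying stolen data through the organisation’s own Exchange server to a consumer webmail address) leaves a trace in Exchange message-tracking data. The following is an added illustration, not code from the Trend Micro report or from the OilRig tooling: hypothetical detection logic run over a constructed, simplified log sample. The pipe-delimited format only approximates the fields that Exchange’s Get-MessageTrackingLog returns (Timestamp, EventId, Sender, Recipients, MessageSubject, TotalBytes); the `gov.example` domain, the webmail domain list, the size threshold, and every log line are assumptions made for the example.

```python
"""
Flag internal mailbox accounts that relay mail to consumer webmail addresses
(Gmail / Proton Mail) through an on-prem Exchange server.

Hypothetical detection logic written for this article, not Trend Micro's or
OilRig's code. The log format is a constructed, simplified approximation of
Exchange message-tracking fields; the sample lines are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAINS = {"gov.example"}   # assumption: the victim organisation's mail domain
WEBMAIL_DOMAINS = {"gmail.com", "protonmail.com", "proton.me", "pm.me"}
SIZE_THRESHOLD = 200_000             # bytes; assumption: larger messages likely carry files

# Constructed sample, pipe-delimited:
# Timestamp|EventId|Sender|Recipients(;-separated)|MessageSubject|TotalBytes
SAMPLE_LOG = """\
2023-03-01T08:12:01Z|RECEIVE|alice@gov.example|bob@gov.example|Meeting notes|14532
2023-03-01T08:13:44Z|SEND|alice@gov.example|bob@gov.example|Meeting notes|14532
2023-03-01T22:41:09Z|SEND|svc-print@gov.example|dropbox9981@gmail.com|Re: documents|1874411
2023-03-01T22:43:15Z|SEND|svc-print@gov.example|dropbox9981@gmail.com|Re: documents|2213077
2023-03-01T22:44:02Z|SEND|svc-print@gov.example|archive.ops@proton.me|Re: documents|990120
2023-03-02T09:05:30Z|SEND|carol@gov.example|partner@vendor.example|Invoice|88211
2023-03-02T09:06:10Z|SEND|dave@gov.example|dave.personal@gmail.com|Lunch?|2048
"""


@dataclass(frozen=True)
class Record:
    timestamp: str
    event_id: str
    sender: str
    recipients: tuple   # lower-cased recipient addresses
    subject: str
    total_bytes: int


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse the constructed pipe-delimited tracking log into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, sender, recipients, subject, size = line.split("|")
        records.append(Record(
            ts, event_id, sender.lower(),
            tuple(r.strip().lower() for r in recipients.split(";")),
            subject, int(size),
        ))
    return records


def webmail_recipients(record: Record) -> list:
    """Recipients of this message that live on a consumer webmail domain."""
    return [r for r in record.recipients if domain_of(r) in WEBMAIL_DOMAINS]


def suspicious_relays(records) -> list:
    """Outbound (SEND) messages from an internal account to a webmail address.

    Only the SEND event is considered so each relayed message is counted once,
    and only senders on an internal domain so that normal inbound mail from
    Gmail users is not flagged.
    """
    return [
        rec for rec in records
        if rec.event_id == "SEND"
        and domain_of(rec.sender) in INTERNAL_DOMAINS
        and webmail_recipients(rec)
    ]


def severity(record: Record) -> str:
    """Large messages to webmail are the likely file-exfiltration cases."""
    return "high" if record.total_bytes >= SIZE_THRESHOLD else "low"


def summarize_by_sender(hits) -> dict:
    """Aggregate hits per internal account: volume, bytes, distinct drop addresses."""
    summary = defaultdict(lambda: {
        "messages": 0, "high": 0, "total_bytes": 0, "external_recipients": set(),
    })
    for rec in hits:
        s = summary[rec.sender]
        s["messages"] += 1
        s["total_bytes"] += rec.total_bytes
        s["external_recipients"].update(webmail_recipients(rec))
        if severity(rec) == "high":
            s["high"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = suspicious_relays(parse_log(SAMPLE_LOG))
    for sender, s in summarize_by_sender(hits).items():
        print(f"{sender}: {s['messages']} msgs ({s['high']} large), "
              f"{s['total_bytes']} bytes -> {sorted(s['external_recipients'])}")
```

In the constructed sample the service account `svc-print@gov.example` sends three multi-megabyte messages to two webmail drop addresses late at night, which is the pattern worth paging on, while `dave@gov.example` mailing a 2 KB note to his own Gmail is the benign look-alike the size threshold separates out. On a real Exchange server the same filter can be applied to the output of Get-MessageTrackingLog (EventId SEND, Sender, Recipients, TotalBytes), and a per-sender burst of large messages to a domain the account has never written to before is a stronger signal than any single message.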

The campaign’s connections to APT34 stem from similarities between the first-stage dropper and Saitama, the victimology patterns, and the use of internet-facing Exchange servers as a communication method, as previously observed in the case of Karkoff.

If anything, the growing number of malicious tools associated with OilRig indicates the threat actor’s “flexibility” to come up with new malware based on the targeted environments and the privileges possessed at a given stage of the attack.

“Despite the routine’s simplicity, the novelty of the second and last stages also indicates that this entire routine can just be a small part of a bigger campaign targeting governments,” the researchers said.
