Feb 03, 2023
Ravie Lakshmanan
The Iranian nation-state hacking group known as
OilRig has continued to target government
organizations in the Middle East as part of a cyber espionage
campaign that leverages a new backdoor to exfiltrate data.
“The campaign abuses legitimate but compromised email accounts
to send stolen data to external mail accounts controlled by the
attackers,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy,
and Mahmoud Zohdy said[1].
While the technique in itself is not unheard of, the development
marks the first time OilRig has adopted it in its playbook,
indicating the continued evolution of its methods to bypass
security protections.
The advanced persistent threat (APT) group, also referred to as
APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented[2]
for its targeted phishing attacks in the Middle East since at least
2014.
Linked to Iran’s Ministry of Intelligence and Security (MOIS),
the group is known to use a diverse toolset in its operations, with
recent attacks in 2021 and 2022 employing backdoors such as
Karkoff[3], Shark, Marlin[4], and Saitama[5]
for information theft.
The starting point of the latest activity is a .NET-based
dropper that’s tasked with delivering four different files,
including the main implant (“DevicesSrv.exe”) responsible for
exfiltrating specific files of interest.
Also put to use in the second stage is a dynamic-link library
(DLL[6]) file that’s capable of
harvesting credentials from domain users and local accounts.
The most notable aspect of the .NET backdoor is its exfiltration
routine: it uses the stolen credentials to send emails carrying the
collected files to actor-controlled Gmail and Proton Mail addresses.
“The threat actors relay these emails via government Exchange
Servers using valid accounts with stolen passwords,” the
researchers said.
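Because the traffic leaves through the organisation's own Exchange server under a valid account, the place to look for this pattern is the server's message tracking log rather than a network sensor. The following hunt script is an added example, not code from Trend Micro or from this article: it parses a constructed CSV subset of Exchange message-tracking-log fields, aggregates outbound mail from internal accounts to consumer webmail domains per sender, and flags senders whose volume or message count crosses a threshold. The internal domain `gov.example`, the webmail domain list, the sample log lines, the business-hours window and the thresholds are all assumptions chosen for illustration.

```python
"""Hunt Exchange message tracking logs for internal accounts relaying mail
to attacker-controlled webmail mailboxes (the exfiltration pattern above).

Added example, not from the report. The log lines, domains and thresholds
are constructed for illustration; adjust them to the environment.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "gov.example"  # assumption: the victim organisation's mail domain
WEBMAIL_DOMAINS = {"gmail.com", "proton.me", "protonmail.com", "pm.me"}  # assumption
EXFIL_EVENTS = {"SEND", "SENDEXTERNAL"}  # outbound delivery events in tracking logs

# Constructed sample: a subset of the real tracking-log columns, in the same
# date-time / event-id / sender-address / recipient-address naming.
SAMPLE_LOG = """\
date-time,client-ip,event-id,source,sender-address,recipient-address,total-bytes,message-subject
2023-01-10T02:14:05.120Z,10.0.5.21,RECEIVE,SMTP,alice@gov.example,bob@gov.example,8231,Meeting notes
2023-01-10T02:14:06.001Z,10.0.5.21,SEND,SMTP,alice@gov.example,drop.box.7781@gmail.com,2097152,Report
2023-01-10T02:15:11.330Z,10.0.5.21,SEND,SMTP,alice@gov.example,drop.box.7781@gmail.com,1835008,Report
2023-01-10T02:16:40.772Z,10.0.5.21,SEND,SMTP,alice@gov.example,relay.x9@proton.me,3145728,Report
2023-01-10T09:02:13.004Z,10.0.5.40,SEND,SMTP,press@gov.example,editor@newspaper.example,15020,Press release
2023-01-10T09:30:00.000Z,10.0.5.40,SEND,SMTP,carol@gov.example,carol.home@gmail.com,4096,Lunch
2023-01-10T02:17:02.118Z,10.0.5.21,SEND,SMTP,alice@gov.example,drop.box.7781@gmail.com,2621440,Report
"""


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def summarise_webmail_sends(log_text: str) -> dict:
    """Aggregate outbound mail from internal accounts to webmail providers.

    Returns {sender: {"messages", "bytes", "recipients", "off_hours"}} where
    off_hours counts sends outside the assumed 06:00-20:00 UTC business window.
    """
    per_sender = defaultdict(
        lambda: {"messages": 0, "bytes": 0, "recipients": set(), "off_hours": 0}
    )
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] not in EXFIL_EVENTS:
            continue  # only outbound delivery events matter here
        sender = row["sender-address"].lower()
        recipient = row["recipient-address"].lower()
        if _domain(sender) != INTERNAL_DOMAIN or _domain(recipient) not in WEBMAIL_DOMAINS:
            continue  # external-but-business mail (press, partners) is not the pattern
        ts = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        entry = per_sender[sender]
        entry["messages"] += 1
        entry["bytes"] += int(row["total-bytes"])
        entry["recipients"].add(recipient)
        if not 6 <= ts.hour < 20:  # assumption: business hours 06:00-20:00 UTC
            entry["off_hours"] += 1
    return dict(per_sender)


def flag_suspects(log_text: str, min_messages: int = 3, min_bytes: int = 1_000_000) -> dict:
    """Return senders whose webmail traffic exceeds either threshold (assumed values)."""
    return {
        sender: entry
        for sender, entry in summarise_webmail_sends(log_text).items()
        if entry["messages"] >= min_messages or entry["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for sender, entry in flag_suspects(SAMPLE_LOG).items():
        print(
            f"{sender}: {entry['messages']} msgs, {entry['bytes']} bytes, "
            f"{entry['off_hours']} off-hours, to {sorted(entry['recipients'])}"
        )
```

On the constructed sample only `alice@gov.example` is flagged: four multi-megabyte sends to two webmail mailboxes, all in the early hours. The single small message from `carol@gov.example` to a personal Gmail address stays below both thresholds, and the press-office mail to a newspaper is external but not webmail, so it is ignored. A real deployment would feed in the server's actual tracking log export, tune the thresholds to the organisation's baseline, and correlate the flagged sender with authentication events, since the account itself is legitimate.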
The campaign’s attribution to APT34 rests on code similarities
between the first-stage dropper and Saitama, the victimology
patterns, and the use of internet-facing Exchange servers as a
communication channel, as previously observed with Karkoff[7].
If anything, the growing number of malicious tools associated
with OilRig indicates the threat actor’s “flexibility” to come up
with new malware based on the targeted environments and the
privileges possessed at a given stage of the attack.
“Despite the routine’s simplicity, the novelty of the second and
last stages also indicates that this entire routine can just be a
small part of a bigger campaign targeting governments,” the
researchers said.
References
Read more https://thehackernews.com/2023/02/iranian-oilrig-hackers-using-new.html