
The Iranian nation-state hacking group known as OilRig continues to target government agencies in the Middle East as part of a cyber espionage campaign that uses new backdoors to steal data.
Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said: “This campaign exploits legitimate but compromised email accounts to send stolen data to external email accounts controlled by the attackers.”
While the technique itself is not unprecedented, it is the first time OilRig has employed it in its strategy, demonstrating the continual evolution of its techniques to circumvent security protections.
The Advanced Persistent Threat (APT) group, also known as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented conducting targeted phishing attacks in the Middle East since at least 2014.
The group, affiliated with Iran’s Ministry of Intelligence and Security (MOIS), is known to use a diverse set of tools in its activities, including stealing information with backdoors such as Karkoff, Shark, Marlin, and Saitama in attacks in 2021 and 2022.
The starting point for the latest activity is a .NET-based dropper tasked with delivering four different files, including the main implant (“DevicesSrv.exe”), which steals specific files of interest.
The second stage also uses a dynamic-link library (DLL) file that can retrieve credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which uses stolen credentials to send the collected documents to attacker-controlled Gmail and Proton Mail addresses.
“Threat actors relay these emails through government Exchange servers using valid accounts with stolen passwords,” the researchers said.
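Because the exfiltration path described above rides on a legitimate Exchange server and valid accounts, the detection opportunity is in the mail server's own records rather than in network anomalies. The following script is an added illustration, not code from Trend Micro or from the article: it runs a simple rule over constructed message-tracking records (the column names mirror a subset of real Exchange message-tracking fields, but every row, address, domain and threshold is made up) and flags internal senders that repeatedly push large messages to consumer webmail domains.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified message-tracking records. The header names follow
# a subset of Exchange message-tracking fields; the rows are invented.
SAMPLE_LOG = """\
date-time,event-id,sender-address,recipient-address,message-subject,recipient-count,total-bytes,client-ip
2022-12-01T08:02:11Z,SEND,alice@gov.example,bob@gov.example,Meeting notes,1,14220,10.20.1.15
2022-12-01T08:05:40Z,SEND,alice@gov.example,partner@vendor.example,Invoice Q4,1,302113,10.20.1.15
2022-12-01T09:11:03Z,SEND,svc-backup@gov.example,dropbox.acct1@gmail.com,Report,1,4194304,10.20.1.77
2022-12-01T09:11:09Z,SEND,svc-backup@gov.example,dropbox.acct1@gmail.com,Report,1,4100200,10.20.1.77
2022-12-01T09:11:15Z,SEND,svc-backup@gov.example,dropbox.acct2@proton.me,Report,1,3980011,10.20.1.77
2022-12-01T10:30:00Z,RECEIVE,news@mailer.example,carol@gov.example,Newsletter,1,51200,203.0.113.9
2022-12-01T11:00:00Z,SEND,carol@gov.example,friend@gmail.com,Lunch?,1,2310,10.20.1.40
"""

# Assumed tenant domain and the webmail providers named in the article,
# plus a couple of aliases they commonly use (assumption, tune per estate).
INTERNAL_DOMAINS = {"gov.example"}
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "protonmail.com", "proton.me", "pm.me"}
MIN_BYTES = 1_000_000   # only messages large enough to plausibly carry documents
BURST_THRESHOLD = 2     # flag a sender once it sends this many such messages


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def parse_records(text: str) -> list[dict]:
    """Parse CSV message-tracking text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_suspicious(rec: dict) -> bool:
    """Outbound, internal sender, consumer-webmail recipient, large body."""
    return (
        rec["event-id"] == "SEND"
        and domain_of(rec["sender-address"]) in INTERNAL_DOMAINS
        and domain_of(rec["recipient-address"]) in WEBMAIL_DOMAINS
        and int(rec["total-bytes"]) >= MIN_BYTES
    )


def find_exfil_candidates(text: str) -> dict[str, list[dict]]:
    """Group suspicious sends by sender and keep senders over the burst threshold."""
    per_sender: dict[str, list[dict]] = defaultdict(list)
    for rec in parse_records(text):
        if is_suspicious(rec):
            per_sender[rec["sender-address"]].append(rec)
    return {s: rs for s, rs in per_sender.items() if len(rs) >= BURST_THRESHOLD}


if __name__ == "__main__":
    for sender, hits in find_exfil_candidates(SAMPLE_LOG).items():
        targets = sorted({h["recipient-address"] for h in hits})
        print(f"{sender}: {len(hits)} large messages to webmail -> {targets}")
```

On a real deployment the size and burst thresholds should come from a baseline of normal outbound volume per account, and the recipient check should be extended to any domain that is not a known partner; the point of the rule is that a service or staff account suddenly sending several megabytes to a personal mailbox is worth a look regardless of how legitimate the sending account is.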
The campaign’s connection to APT34 stems from similarities between the first-stage dropper and Saitama, overlaps in victim patterns, and the use of internet-facing Exchange servers as a communication channel, as previously observed with Karkoff.
If anything, the growing number of malicious tools associated with OilRig shows the “flexibility” the attackers have to create new malware based on the targeted environment and the privileges they possess at specific stages of an attack.
“Despite the simplicity of the routine, the novelty of the second and final stages shows that this entire routine is just one part of a larger campaign targeting governments,” the researchers said.