February 3, 2023Rabbi LakshmananCyber ​​Espionage / Cyber ​​Threat

Iranian nation-state hacking group known as oil rig continues to target government agencies in the Middle East as part of a cyber espionage campaign that uses new backdoors to steal data.

Trend Micro researchers Mohamed Fahmy, Sherif Magdy and Mahmoud Zohdy said: Said.

While the technique itself is not unprecedented, it is the first time OilRig has employed it in their strategy, demonstrating the continual evolution of techniques to circumvent security protections.

The Advanced Persistent Threat (APT) group, also known as APT34, Cobalt Gypsy, Europium, and Helix Kitten, documented Targeted phishing attacks have been occurring in the Middle East since at least 2014.

The group, affiliated with Iran’s Ministry of Information and Security (MOIS), used backdoors such as Karkoff, Shark, Marlin, and Saitama to steal information in recent attacks in 2021 and 2022, and varied its operations. known to use a powerful toolset.

The starting point of the latest activity is a .NET-based dropper tasked with delivering four different files, including a main implant (“DevicesSrv.exe”) that steals specific files of interest.

Also used in the second stage is a dynamic link library (DLLs) file that can collect credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which involves sending electronic documents to attacker-controlled email Gmail and Proton Mail addresses using stolen credentials.

“Threat actors use valid accounts with stolen passwords to relay these emails through government exchange servers,” said the researchers.

The campaign’s connection to APT34 stems from similarities between the first-stage dropper and Saitama, victim patterns, and the use of internet-connected exchange servers as a communication method observed in the case of Karkoff.

If anything, the growing number of malicious tools associated with OilRig is a testament to attackers creating new malware based on the target environment and privileges possessed during specific stages of an attack. shows flexibility.

“Despite the simplicity of the routine, the novelty of the second and final stages shows that this entire routine is just one part of a larger campaign targeting governments,” the researchers said. says.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog