APT

Iranian Group OilRig is back and delivers digitally signed malware

ClearSky Security discovered a new campaign conducted by the Iranian OilRig APT leveraging digitally signed malware and fake University of Oxford domains.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported attacks launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey. 

The name OilRig was used by Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”

Now we have a new update on the activity of the OilRig APT that in a recent string of attacks targeted several Israeli organizations, including IT vendors, the national postal service, and financial institutions.
Security experts from ClearSky discovered that the Iranian hackers set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it.
The hackers used the email accounts of the IT vendors to send messages containing links to the fake VPN portal to the victims.
“The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could get access to specific computers or email accounts.” reads the analysis from ClearSky.
When the victims land on the rogue Juniper website, they were instructed to install a VPN client, in this case, attackers used a legitimate software from Juniper Networks packaged with the Helminth malware.

Hackers signed the malicious VPN client with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. The researchers also discovered a second sample of the Helminth malware signed with another certificate.

“Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate:

Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A
Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48

This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.” states the analysis.

Researchers also discovered other attacks in which the OilRig group used four domain names apparently belonging to Oxford University (including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).

In one case the hackers set up a fake Oxford conference registration website, when the victims visited it they were instructed to install a tool allegedly needed for pre-registration that hides a malware. Also in this case, the tool is signed with an AI Squared certificate.

In December 2015, researchers at Symantec detailed the activities of two Iran-based hacker groups, dubbed Cadelle and Chafer, that used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.

The IP address 83.142.230.138 mentioned in the Symantec report linked to the C&C infrastructure used by the Chafer group is the same used by the OilRig.

“Backdoor.Remexi, one of the malware in use by Chafer, had the following  command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address  83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.”

This circumstance suggests that the Chafer and Oilrig are the same Iranian entity.

Further technical details and Indicators of Compromise are available in the ClearSky report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – OilRig Campaign, Helminth Backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]

UPDATE

Note a new domain that was set up after the post was published…. now alive
Oxford-Symposium[.]com
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

2 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

6 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

20 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.