Iranian Group OilRig is back and delivers digitally signed malware

ClearSky Security discovered a new campaign conducted by the Iranian OilRig APT leveraging digitally signed malware and fake University of Oxford domains.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported attacks launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey. 

The name OilRig was used by Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”

Hackers signed the malicious VPN client with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. The researchers also discovered a second sample of the Helminth malware signed with another certificate.

“Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate:

Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A
Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48

This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.” states the analysis.

Researchers also discovered other attacks in which the OilRig group used four domain names apparently belonging to Oxford University (including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).

In one case the hackers set up a fake Oxford conference registration website, when the victims visited it they were instructed to install a tool allegedly needed for pre-registration that hides a malware. Also in this case, the tool is signed with an AI Squared certificate.

In December 2015, researchers at Symantec detailed the activities of two Iran-based hacker groups, dubbed Cadelle and Chafer, that used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.

The IP address 83.142.230.138 mentioned in the Symantec report linked to the C&C infrastructure used by the Chafer group is the same used by the OilRig.

“Backdoor.Remexi, one of the malware in use by Chafer, had the following  command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address  83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.”

This circumstance suggests that the Chafer and Oilrig are the same Iranian entity.

Further technical details and Indicators of Compromise are available in the ClearSky report.

Pierluigi Paganini

(Security Affairs – OilRig Campaign, Helminth Backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]

UPDATE