Experts from Palo Alto Networks spotted a new campaign launched by the notorious APT group OilRig against an organization within the government of the United Arab Emirates (UAE).
The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.
Researchers at Palo Alto Networks have been monitoring the group for some time and have reported launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey.
The name Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponize Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”
In July 2017, OilRig started using a new strain of backdoor dubbed ISMAgent, which was developed based on the ISMDoor RAT.
In August 2017, researchers with PaloAlto Networks observed the group using a new malware dubbed ISMInjector.
“As its name suggests, ISMInjector is a Trojan that is responsible for injecting a Trojan into another process. The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company.” reads the analysis published by PaloAlto Networks.
The ISMInjector tool has a modular architecture and implements sophisticated anti-analysis techniques that were not previously exploited by the OilRig group.
In the attack against the UAE government, OilRig hackers delivered their malware using spear-phishing emails with weaponized documents, the emails were having the subject line “Important Issue.”
An interesting aspect of the attack against the UAE government, it that the spear-phishing messages were sent from the targeted organization’s own domain. The hackers used a compromised Outlook Web Access (OWA) account whose credentials attackers obtained in a previous phishing attack.
“This string in the header suggests that the OilRig actor is likely to have used the targeted organization’s Outlook Web Access (OWA) to send the phishing email using Firefox 36.” continues the analysis.
“Using information from our research in the Striking Oil blog, we know the OilRig group has conducted credential harvesting campaigns specifically by emulating OWA login sites. Based on that research and this observation, we postulate that the OilRig group gathered credentials to a legitimate user’s OWA account and logged into the user’s account to send phishing attacks to other individuals within the same, targeted organization.”
The weaponized documents delivered the ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.
The malware implements a “state machines” approach to create a new process and inject the malicious payload into that process. Each state is responsible for carrying on particular action and it specifies the next state that should be executed.
The states are not executed in sequential order making hard the analysis by security researchers, authors also used a crypter as anti-analysis mechanism.
OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.
(Security Affairs – Iran, OilRig)