Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation

Pierluigi Paganini September 14, 2018

Researchers from Unit 42 at Palo Alto Networks observed the Iran-linked OilRig APT group targeting a high-ranking office in a Middle Eastern nation.

The Iran-linked APT group OilRig remains very active and continues to improve the weapons in its arsenal.

The OilRig hacker group has been around since at least 2015; since then it has mainly targeted organizations in the financial and government sectors in the United States and Middle Eastern countries.

The OilRig APT group was recently observed using a new variant of the OopsIE Trojan that implements new evasion capabilities.

Now researchers from Palo Alto Networks' Unit 42 have uncovered a new campaign attributed to the group that targeted members of an undisclosed government in the Middle East with an evolved variant of the BondUpdater Trojan.

In mid-August, the state-sponsored hackers sent a highly targeted spear-phishing email to a high-ranking office in a Middle Eastern nation.

“In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization.” reads the analysis published by Palo Alto Networks.

“The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.”

The hackers used spear-phishing emails to deliver an updated version of the PowerShell-based BondUpdater Trojan. The BONDUPDATER Trojan implements common backdoor features such as uploading and downloading files, as well as executing commands on the infected system.

“The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” continues the analysis published by Palo Alto Networks.

“BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.”

The spear-phishing messages use a weaponized document with a macro responsible for downloading and executing a new variant of BondUpdater.

The macro runs the VBScript “AppPool.vbs”, which creates a scheduled task that is executed every minute to ensure persistence for the BONDUPDATER Trojan.

The malware checks that only one instance of it is running at a time; it also uses a lock file to determine how long the main PowerShell process has been executing.

If the main PowerShell process has been running for more than 10 minutes, the script will stop the process and delete the lock file to allow future execution of the PowerShell script.

“Future executions of the PowerShell script will fully execute as the lock file will no longer exist on the system. This suggests the threat actors may have experienced issues with this Trojan running for extended periods in the past, likely related to the communication loops that we will discuss later.” continues the experts.
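The persistence mechanism described above (a scheduled task that re-launches a script host every minute) leaves a recognisable footprint in Task Scheduler definitions. The following is an added example, not Unit 42's code or anything from the OilRig toolset: it audits task definitions in the XML schema that `schtasks /query /xml` exports and flags tasks that re-run a script host (wscript, cscript, powershell, mshta, cmd) or a script file on an interval of one minute or less. The task names, paths and file names in the sample definitions are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".ps1", ".js", ".hta", ".bat")

# Constructed sample task definitions (names and paths are made up, not from the report).
SAMPLE_TASKS = {
    # Mimics the pattern described in the article: a script host re-run every minute.
    "\\Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2018-08-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>C:\\Users\\user\\AppData\\Roaming\\example.vbs</Arguments></Exec>
  </Actions>
</Task>""",
    # A benign-looking daily maintenance task with no repetition and no script host.
    "\\Microsoft\\Windows\\Maintenance\\Nightly": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-08-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Example\\maint.exe</Command></Exec>
  </Actions>
</Task>""",
}


def iso_duration_seconds(text):
    """Convert the ISO 8601 duration form Task Scheduler uses (e.g. PT1M, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(name, xml_text, max_interval_seconds=60):
    """Return a finding dict for one task definition; 'suspicious' is True when a
    script host or script file is re-run at most every max_interval_seconds."""
    root = ET.fromstring(xml_text)
    intervals = [
        iso_duration_seconds(e.text)
        for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)
        if e.text
    ]
    shortest = min(intervals) if intervals else None
    reasons = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        base = cmd.replace("/", "\\").split("\\")[-1].lower()
        runs_script = base in SCRIPT_HOSTS or any(ext in args.lower() for ext in SCRIPT_EXTENSIONS)
        if runs_script and shortest is not None and shortest <= max_interval_seconds:
            reasons.append(f"'{base}' re-run every {shortest}s with arguments: {args}")
    return {"name": name, "shortest_interval": shortest, "reasons": reasons, "suspicious": bool(reasons)}


def audit_all(tasks):
    """Audit a {task_name: xml} mapping and return the names of suspicious tasks."""
    return [name for name, xml in tasks.items() if audit_task(name, xml)["suspicious"]]


if __name__ == "__main__":
    for task_name in audit_all(SAMPLE_TASKS):
        print("suspicious:", task_name, audit_task(task_name, SAMPLE_TASKS[task_name])["reasons"])
```

On a live host the same function can be fed the output of `schtasks /query /xml /tn <name>` for each task; the one-minute interval alone is not proof of compromise, so the script reports the command line with the finding so an analyst can review what is being launched.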

OilRig APT

The BONDUPDATER Trojan also includes a new TXT-based C2 communication option: the malware implements two variations of its DNS tunneling protocol, one using DNS A records and one using DNS TXT records, to transmit data from the command and control server to the Trojan.
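DNS tunneling of the kind described above, whether over A or TXT records, produces a query pattern that resolver logs can reveal: many queries from one client to one domain, almost every one carrying a different, long, high-entropy subdomain, often with an unusual share of TXT lookups. The following is an added detection example, not Unit 42's code and not tied to BONDUPDATER's actual encoding (which the article does not detail). The log line format (`timestamp client qtype qname`), the sample entries, the domain `sample-c2.test` and the thresholds are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the report). Assumed line format:
# "<timestamp> <client_ip> <qtype> <qname>". Each tunnel-style subdomain below is a
# permutation of the sixteen hex digits, so its Shannon entropy is exactly 4.0 bits/char.
SAMPLE_LOG = """\
2018-08-15T10:00:01 10.0.0.7 A www.example.com
2018-08-15T10:00:02 10.0.0.7 A www.example.com
2018-08-15T10:00:03 10.0.0.7 A 0123456789abcdef.sample-c2.test
2018-08-15T10:00:04 10.0.0.7 TXT fedcba9876543210.sample-c2.test
2018-08-15T10:00:05 10.0.0.7 A 13579bdf02468ace.sample-c2.test
2018-08-15T10:00:06 10.0.0.7 TXT ace02468bdf13579.sample-c2.test
2018-08-15T10:00:07 10.0.0.7 A www.example.com
2018-08-15T10:00:08 10.0.0.7 A 048c159d26ae37bf.sample-c2.test
2018-08-15T10:00:09 10.0.0.7 TXT fb73ea62d951c840.sample-c2.test
2018-08-15T10:00:10 10.0.0.7 A mail.example.com
2018-08-15T10:00:11 10.0.0.7 A 8c4d0e2a6f1b3957.sample-c2.test
2018-08-15T10:00:12 10.0.0.7 TXT 9b3d5f7e1c0a2468.sample-c2.test
2018-08-15T10:00:13 10.0.0.7 A www.example.com
2018-08-15T10:00:14 10.0.0.7 A 7a6b5c4d3e2f1908.sample-c2.test
2018-08-15T10:00:15 10.0.0.7 TXT 2e4c6a8f0b1d3597.sample-c2.test
2018-08-15T10:00:16 10.0.0.7 A www.example.com
2018-08-15T10:00:17 10.0.0.7 A mail.example.com
2018-08-15T10:00:18 10.0.0.7 A www.example.com
"""


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (subdomain, registered domain); the registered domain is
    approximated as the last two labels, which is enough for this example."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(log_text, min_queries=8, min_unique_ratio=0.8,
                    min_entropy=3.0, min_label_len=12):
    """Group queries by (client, domain) and flag groups whose subdomains look like
    encoded data: nearly all unique, long, and high-entropy. Returns {key: metrics}."""
    groups = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        sub, domain = split_qname(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        if qtype.upper() == "TXT":
            g["txt"] += 1
        if sub:
            g["subdomains"].add(sub)

    findings = {}
    for key, g in groups.items():
        if g["queries"] < min_queries or not g["subdomains"]:
            continue
        stripped = [s.replace(".", "") for s in g["subdomains"]]
        unique_ratio = len(stripped) / g["queries"]
        mean_entropy = sum(shannon_entropy(s) for s in stripped) / len(stripped)
        mean_len = sum(len(s) for s in stripped) / len(stripped)
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings[key] = {
                "queries": g["queries"],
                "txt_queries": g["txt"],
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(mean_len, 1),
            }
    return findings


if __name__ == "__main__":
    for (client, domain), metrics in analyze_dns_log(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} -> {domain}: {metrics}")
```

The heuristic is deliberately domain-agnostic: it does not rely on a known C2 name, so it also catches a tunnel over a domain not yet in any IoC list. In production the thresholds need tuning against legitimate high-entropy DNS users (CDNs, anti-spam lookups, some telemetry), which is why the metrics are returned rather than a bare verdict.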

“As expected, OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East. Sometimes developing new tools, OilRig also often uses what has worked in the past, including developing variants of previously used tools and malware. This reduces development time and capitalizes on previous versions of the tool and its success.” concluded Palo Alto Networks.

If you are interested in the Indicators of Compromise (IoCs), take a look at the analysis published by Palo Alto Networks.


Pierluigi Paganini

(Security Affairs – OilRig APT, hacking)
