A nation-state hacking group known as OilRig, which has ties to Iran's Ministry of Intelligence and Security (MOIS), has been observed continuing its cyber espionage campaign against Middle Eastern government organizations. The group, also known as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has a long history of targeted phishing attacks in the region dating back to 2014.
According to Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy, OilRig employs a novel backdoor to exfiltrate data from compromised email accounts. The campaign abuses legitimate but compromised email accounts to deliver stolen data to external mail accounts controlled by the attackers.
The latest activity from OilRig involves a .NET-based dropper that delivers four separate files, including a main implant responsible for exfiltrating specific data of interest. In the second stage, a dynamic-link library (DLL) file is used to harvest credentials from domain users and local accounts.
The exfiltration procedure of the .NET backdoor is the most prominent aspect of this campaign, as it leverages stolen credentials to send electronic messages to actor-controlled Gmail and Proton Mail addresses. The threat actors relay these emails over government Exchange Servers using valid accounts with stolen credentials.
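The relay pattern described above leaves a footprint in the mail server's own records. As an added example (not code from the Trend Micro report or this post), the following hunts constructed, simplified message-tracking records for outbound mail sent by internal accounts to freemail providers above a size threshold; the column set, the `gov.example` domain, the freemail list and the byte threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified message-tracking records. The column set is loosely
# modeled on Exchange message-tracking fields and is an assumption, not a real export.
SAMPLE_LOG = """\
timestamp,event-id,sender-address,recipient-address,total-bytes,message-subject
2023-03-01T08:12:05Z,SEND,alice@gov.example,bob@gov.example,4120,Weekly report
2023-03-01T08:15:41Z,SEND,alice@gov.example,dropbox.relay@gmail.com,182344,RE:
2023-03-01T08:16:02Z,SEND,alice@gov.example,dropbox.relay@gmail.com,176901,RE:
2023-03-01T08:16:30Z,SEND,alice@gov.example,dropbox.relay@proton.me,201552,RE:
2023-03-01T09:02:11Z,SEND,carol@gov.example,vendor@partner.example,9011,Invoice
2023-03-01T09:40:00Z,RECEIVE,press@gmail.com,carol@gov.example,2200,Question
"""

INTERNAL_DOMAIN = "gov.example"                           # assumed tenant domain
FREEMAIL_DOMAINS = {"gmail.com", "proton.me", "protonmail.com"}
MIN_BYTES = 100_000                                       # threshold chosen for the example

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def find_freemail_exfil(log_text, min_bytes=MIN_BYTES):
    """Return {sender: {"messages": n, "bytes": total, "recipients": set}} for
    SEND events from internal accounts to freemail recipients whose size is at
    least min_bytes. Inbound mail and small outbound replies are left alone."""
    hits = defaultdict(lambda: {"messages": 0, "bytes": 0, "recipients": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] != "SEND":
            continue
        if domain_of(row["sender-address"]) != INTERNAL_DOMAIN:
            continue
        if domain_of(row["recipient-address"]) not in FREEMAIL_DOMAINS:
            continue
        size = int(row["total-bytes"])
        if size < min_bytes:
            continue
        h = hits[row["sender-address"]]
        h["messages"] += 1
        h["bytes"] += size
        h["recipients"].add(row["recipient-address"])
    return dict(hits)

if __name__ == "__main__":
    for sender, info in find_freemail_exfil(SAMPLE_LOG).items():
        print(f"{sender}: {info['messages']} msgs, {info['bytes']} bytes -> {sorted(info['recipients'])}")
```

A single internal account repeatedly pushing large messages to several freemail mailboxes is the signal worth triaging, since the sending account itself is valid and will not trip credential-based alerts.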
The ties between OilRig and APT34 can be seen in the similarities between the first-stage dropper and Saitama, in victimology patterns, and in the use of internet-facing Exchange servers as a communication channel. The growing number of malicious tools linked with OilRig highlights the threat actor's "flexibility" in developing new malware tailored to the targeted environments and the privileges obtained during a campaign.
The researchers note that despite the routine's simplicity, the uniqueness of the second and final stages indicates that this entire routine could be just a minor element of a larger effort targeting governments.