    Iranian Nation-State Actor OilRig Targets Israeli Organizations

By justmattg, September 24, 2023

    Sep 22, 2023THNCyber Attack / Malware

    Iranian Nation-State

    Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as OilRig in 2021 and 2022.

    The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously documented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential Manager.

    “Both backdoors were deployed by VBS droppers, presumably spread via spear-phishing emails,” ESET security researcher Zuzana Hromcová said in a Thursday analysis.

    OilRig (aka APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten) is the name assigned to an intrusion set affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Active since 2014, the threat actor has used a wide range of tools at its disposal to carry out information theft.


    Earlier this February, Trend Micro discovered OilRig’s use of a simple backdoor to steal users’ credentials, highlighting its “flexibility to write new malware based on researched customer environments and levels of access.”

    The group has also been observed delivering an updated version of SideTwist as part of a phishing attack likely targeting U.S. businesses.

    That said, the use of Mango malware was previously highlighted by both ESET and Microsoft in May 2023, with the latter attributing it to an emerging activity cluster it tracks under the name Storm-0133.

    Storm-0133, also associated with MOIS, exclusively targets Israeli local government agencies and companies serving the defense, lodging, and healthcare sectors, the Windows maker said.

    The latest findings from the Slovak cybersecurity firm establish the group’s continued focus on Israel, using spear-phishing lures to trick potential targets into installing the malware via booby-trapped attachments.

    In the Outer Space campaign observed in 2021, OilRig compromised an Israeli human resources site and subsequently used it as a command-and-control (C2) server for Solar, a basic C#/.NET backdoor capable of downloading and executing files and gathering information.

    Solar also acts as a vehicle to deploy a downloader named SampleCheck5000 (or SC5k), which uses the Office Exchange Web Services (EWS) API to download additional tools for execution, as well as a utility to exfiltrate data from the Chrome web browser referred to as MKG.

    “Once SC5k logs into the remote Exchange server, it retrieves all the emails in the Drafts directory, sorts them by most recent, keeping only the drafts that have attachments,” Hromcová said.


“It then iterates over every draft message with an attachment, looking for JSON attachments that contain ‘data’ in the body. It extracts the value from the key data in the JSON file, base64 decodes and decrypts the value, and calls cmd.exe to execute the resulting command line string.”

The results of the command execution are staged and sent back to the operators by composing a new email message on the Exchange server and saving it as a draft, so no message is ever actually sent.
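The Drafts-folder tasking pattern described above gives a defender something concrete to hunt for in a mailbox: never-sent drafts that carry a JSON attachment whose "data" key holds a base64 blob. The following Python example is added here and is not ESET's or The Hacker News' code; the `Draft` record shape is an assumed simplification of an EWS item export, and the item ids, subjects and attachment contents are constructed samples, not real captures.

```python
"""Heuristic scan of exported Drafts-folder items for the SC5k-style C2 pattern:
a draft with a JSON attachment whose top-level "data" key holds a base64 blob.
Added example (not ESET's or THN's code). The Draft record shape is an assumption
about what an EWS item export looks like; all sample values are constructed."""
import base64
import binascii
import json
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Base64 alphabet only; whitespace is stripped before matching.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Draft:
    """Assumed export shape: one draft item with zero or more attachments."""
    item_id: str
    subject: str
    # each attachment: {"name": str, "content": bytes}
    attachments: List[Dict[str, Any]] = field(default_factory=list)


def looks_like_base64(value: str, min_len: int = 16) -> bool:
    """True if value decodes cleanly as base64 and is long enough to carry tasking."""
    stripped = "".join(value.split())
    if len(stripped) < min_len or not B64_RE.match(stripped):
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def json_data_key(content: bytes) -> Optional[str]:
    """Return the string under a top-level "data" key if content is a JSON object."""
    try:
        doc = json.loads(content.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    if isinstance(doc, dict) and isinstance(doc.get("data"), str):
        return doc["data"]
    return None


def scan_drafts(drafts: List[Draft]) -> List[Dict[str, str]]:
    """Flag drafts matching the tasking pattern; one finding per suspicious attachment.

    A JSON attachment with a "data" key is reported on its own; when that value
    also parses as base64 the finding is marked as a likely encoded payload."""
    findings: List[Dict[str, str]] = []
    for draft in drafts:
        for att in draft.attachments:
            data = json_data_key(att["content"])
            if data is None:
                continue
            reason = "json_attachment_with_data_key"
            if looks_like_base64(data):
                reason += "+base64_payload"
            findings.append(
                {"item_id": draft.item_id, "attachment": att["name"], "reason": reason}
            )
    return findings


# Constructed sample drafts (not real captures); ids are placeholders.
SAMPLE_DRAFTS = [
    Draft("ITEM-001", "Q3 budget",
          [{"name": "budget.json", "content": json.dumps({"total": 1200}).encode()}]),
    Draft("ITEM-002", "",
          [{"name": "task.json", "content": json.dumps(
              {"data": base64.b64encode(b"constructed placeholder blob 12345").decode()}
          ).encode()}]),
    Draft("ITEM-003", "notes", []),
    Draft("ITEM-004", "",
          [{"name": "cfg.json", "content": json.dumps({"data": "short"}).encode()}]),
]

if __name__ == "__main__":
    for finding in scan_drafts(SAMPLE_DRAFTS):
        print(finding)
```

In a real deployment the `Draft` records would come from an EWS or Graph query over each mailbox's Drafts folder filtered to items with attachments; the heuristic is deliberately narrow (JSON attachment, `data` key, base64 value) so that it stays close to the behaviour the researchers describe and produces few false positives on ordinary drafts.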

    The Juicy Mix campaign of 2022 involved the use of Mango, an improved version of Solar incorporating additional capabilities and obfuscation methods. For C2 purposes, the threat actor compromised a legitimate Israeli job portal website.

    “OilRig continues to innovate and create new implants with backdoor-like capabilities while finding new ways to execute commands on remote systems,” Hromcová said.

    “The group deploys a set of custom post-compromise tools that are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager.”
