    Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations

By justmattg, February 6, 2023


    Feb 03, 2023Ravie LakshmananCyber Espionage / Cyber Threat


    The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.

    “The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said.

    While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections.

    The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

    Linked to Iran’s Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with recent attacks in 2021 and 2022 employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.

    The starting point of the latest activity is a .NET-based dropper that’s tasked with delivering four different files, including the main implant (“DevicesSrv.exe”) responsible for exfiltrating specific files of interest.

    Also put to use in the second stage is a dynamic-link library (DLL) file that’s capable of harvesting credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which uses the stolen credentials to send emails to actor-controlled Gmail and Proton Mail addresses.

“The threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords,” the researchers said.
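As an added example (not from the article or the Trend Micro report), one way a defender could hunt for the relay pattern described above in Exchange message-tracking logs: flag outbound SEND events where an internal mailbox sends an unusually large message to a consumer webmail domain. The log lines, the tenant domain ministry.example, the webmail domain list and the size threshold are all constructed or assumed for this example.

```python
import csv
import io

# Constructed sample in the style of an Exchange message-tracking log (CSV).
# Only a subset of the real columns is kept; every value is made up.
SAMPLE_LOG = """date-time,event-id,sender-address,recipient-address,total-bytes,message-subject
2023-02-01T08:10:05Z,SEND,alice@ministry.example,bob@ministry.example,4210,Weekly report
2023-02-01T08:12:40Z,SEND,alice@ministry.example,vendor@supplier.example,18233,Invoice
2023-02-01T02:31:17Z,SEND,alice@ministry.example,collector4821@gmail.com,912334,
2023-02-01T02:33:02Z,SEND,alice@ministry.example,collector4821@proton.me,884119,
2023-02-01T09:05:11Z,SEND,carol@ministry.example,press@gmail.com,2140,Media request
"""

INTERNAL_DOMAIN = "ministry.example"  # assumed tenant domain
# Consumer webmail providers named in the report as exfiltration destinations.
FREEMAIL_DOMAINS = {"gmail.com", "proton.me", "protonmail.com"}


def domain_of(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def flag_exfil_candidates(log_text, size_threshold=500_000):
    """Return (sender, recipient, bytes) for SEND events that leave the tenant
    from an internal mailbox towards a webmail address and exceed the threshold.
    Small legitimate mails to the same providers are left alone."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] != "SEND":
            continue
        if domain_of(row["sender-address"]) != INTERNAL_DOMAIN:
            continue
        if domain_of(row["recipient-address"]) not in FREEMAIL_DOMAINS:
            continue
        size = int(row["total-bytes"])
        if size >= size_threshold:
            hits.append((row["sender-address"], row["recipient-address"], size))
    return hits


def senders_to_review(log_text):
    """Distinct internal accounts behind the flagged messages; these are the
    credentials to treat as potentially stolen."""
    return sorted({sender for sender, _, _ in flag_exfil_candidates(log_text)})


if __name__ == "__main__":
    for hit in flag_exfil_candidates(SAMPLE_LOG):
        print(hit)
```

In a real deployment the same logic would run over Get-MessageTrackingLog output (or the equivalent Exchange Online report) rather than an inline string, and the threshold would be tuned per sender baseline.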

The campaign’s connections to APT34 stem from similarities between the first-stage dropper and Saitama, the victimology patterns, and the use of internet-facing Exchange servers as a communication channel, as previously observed with Karkoff.

    If anything, the growing number of malicious tools associated with OilRig indicates the threat actor’s “flexibility” to come up with new malware based on the targeted environments and the privileges possessed at a given stage of the attack.

“Despite the routine’s simplicity, the novelty of the second and last stages also indicates that this entire routine can just be a small part of a bigger campaign targeting governments,” the researchers said.
