Iranian state-sponsored hacking group OilRig has been evolving its methods to bypass security protections. The group has recently added a new backdoor to its arsenal to support its long-running espionage campaign against government organizations in the Middle East.
How the malware works
The infection chain starts with a .NET-based dropper, dubbed REDCAP, that delivers four different files, each stored as a Base64 buffer inside the main dropper.
- The malware is capable of new exfiltration techniques: the abuse of compromised mailbox accounts to exfiltrate stolen data from internal mailboxes to external Gmail and Proton Mail accounts controlled by the attackers.
- In some cases, the threat actors sent emails via government Exchange Servers using valid accounts with stolen passwords.
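As an added example (not code from the report or from Trend Micro's research), the following Python script shows one way a defender could hunt for the mailbox-abuse pattern described above in mail-flow logs. The record layout, the organisation domain gov.example and the byte threshold are assumptions, and the log lines are constructed.

```python
"""Hunt for internal mailboxes relaying data to free webmail providers.

Added example, not from the original report. It scans simplified,
constructed records loosely modelled on mail-flow (message tracking)
entries; the six-field layout is an assumption, not a real log format.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data: timestamp, event, sender, recipient, bytes, subject
SAMPLE_LOG = """\
2023-03-01T08:01:10,SEND,alice@gov.example,bob@gov.example,4096,Meeting notes
2023-03-01T08:05:42,SEND,alice@gov.example,drop01@gmail.com,2457600,FW: archive
2023-03-01T08:06:03,SEND,alice@gov.example,drop01@gmail.com,1843200,FW: archive (2)
2023-03-01T09:15:00,SEND,carol@gov.example,vendor@partner.example,10240,Invoice
2023-03-01T10:30:11,SEND,dave@gov.example,relay@protonmail.com,5242880,Export
2023-03-01T11:00:00,SEND,erin@gov.example,friend@gmail.com,2048,lunch?
"""

WEBMAIL_DOMAINS = {"gmail.com", "protonmail.com", "proton.me"}
INTERNAL_DOMAIN = "gov.example"   # assumed organisation domain
BYTES_THRESHOLD = 1_000_000       # assumed; tune to the environment


def find_webmail_exfil(log_text, threshold=BYTES_THRESHOLD):
    """Return {sender: total_bytes} for internal senders whose outbound
    volume to free webmail recipients meets or exceeds the threshold."""
    totals = defaultdict(int)
    for ts, event, sender, recipient, size, subject in csv.reader(StringIO(log_text)):
        if event != "SEND":
            continue
        if not sender.lower().endswith("@" + INTERNAL_DOMAIN):
            continue  # only internal mailboxes are in scope
        rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
        if rcpt_domain in WEBMAIL_DOMAINS:
            totals[sender] += int(size)
    return {s: b for s, b in totals.items() if b >= threshold}


if __name__ == "__main__":
    for sender, total in find_webmail_exfil(SAMPLE_LOG).items():
        print(f"ALERT {sender}: {total} bytes sent to external webmail")
```

Aggregating per sender rather than alerting per message keeps ordinary personal mail (erin above) below the threshold while surfacing repeated bulk transfers.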
Inside the initial backdoor
- The initial dropper called MrPerfectInstaller delivers four files: a password filter DLL (psgfilter[.]dll) and the main implant responsible for exfiltrating specific files of interest (DevicesSrv[.]exe).
- The file Microsoft.Exchange.WebServices[.]dll is the second stage DLL file, capable of harvesting credentials from domain users and local accounts.
- The app configuration file (DevicesSrv[.]exe.config) configures the .NET runtime environment used to execute the implant.
Targeted countries
Trend Micro researchers discovered that the campaign has primarily targeted countries in the Middle East including the UAE, China, Jordan, Saudi Arabia, Qatar, Oman, Kuwait, Bahrain, Lebanon, and Egypt.
OilRig’s overview
- OilRig, aka APT34, has been active since at least 2014 and is known to use a diverse toolset in its operations.
- During 2020, 2021, and 2022, the group employed backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.
Conclusion
OilRig’s diverse tool range highlights its flexibility and its continual development and evolution of its TTPs. With the adoption of new data exfiltration techniques, the group is now capable of bypassing any security policies enforced at the network perimeter. Users and organizations are therefore recommended to reinforce their current security measures and to remain vigilant about the vectors that could be abused for compromise.