OilRig is an Iranian threat group that typically targets businesses across a range of industries in the Middle East, although it has on occasion also attacked organizations outside the region. OilRig also appears to engage in supply chain attacks, in which the threat actor abuses the trust between entities to reach its primary targets.
Attacks attributed to this group usually rely on social engineering, targeting human weaknesses rather than software flaws; on occasion, however, the group has leveraged recently patched vulnerabilities during the delivery phase of an attack.
OilRig has demonstrated maturity in other areas of its operations, so the lack of software vulnerability exploitation does not by itself imply a lack of competence. These areas include:
- Organized evasion testing during the development of its tools.
- Data exfiltration and command and control (C2) using custom DNS tunneling protocols.
- Ad-hoc web shells and backdoors for persistent server access.
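As an added illustration of the DNS-tunneling C2 and exfiltration channel listed above (example code written for this page, not OilRig tooling or any vendor's detection logic): a small Python detector that groups DNS queries per registered domain and flags domains that receive many distinct, long, high-entropy subdomain labels, which is the footprint data-carrying DNS queries leave in resolver logs. The log format, domain names and client IPs are constructed, and the "last two labels" rule for the registered domain is a simplifying assumption.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page): "timestamp client qname qtype".
# The 10.0.0.7 queries mimic hex-encoded data carried in subdomain labels.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03Z 10.0.0.7 4a6f686e2d446f652d3132333435.upd.example-c2.test TXT
2024-01-01T10:00:04Z 10.0.0.7 5061737377307264213a2d2d2d2d.upd.example-c2.test TXT
2024-01-01T10:00:05Z 10.0.0.7 6d7920736563726574206461746121.upd.example-c2.test TXT
2024-01-01T10:00:06Z 10.0.0.7 7468697320697320746865206c6173742e.upd.example-c2.test TXT
2024-01-01T10:00:07Z 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character: encoded payloads score higher than ordinary hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """(registered_domain, subdomain_labels). Assumption: the registered domain is the
    last two labels; a real deployment should use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def analyze_dns_log(log_text, min_unique=3, min_label_len=20, min_entropy=2.5):
    """Group queries per registered domain; flag domains receiving many distinct
    subdomains whose longest label is both long and high-entropy."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the scan
        domain, sublabels = split_name(parts[2])
        if not sublabels:
            continue  # apex query: no label to inspect
        longest = max(sublabels, key=len)
        s = stats[domain]
        s["subs"].add(".".join(sublabels))
        s["lens"].append(len(longest))
        s["ents"].append(shannon_entropy(longest))
    findings = {}
    for domain, s in stats.items():
        avg_len, avg_ent = sum(s["lens"]) / len(s["lens"]), sum(s["ents"]) / len(s["ents"])
        if len(s["subs"]) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[domain] = {"unique_subdomains": len(s["subs"]),
                                "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return findings
```

Calling `analyze_dns_log(SAMPLE_LOG)` on the constructed log flags only example-c2.test (4 unique subdomains, average label length 30.0), while the short www/mail/cdn labels of example.com stay below the thresholds; tune the thresholds against your own baseline traffic before alerting on them.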
For lateral movement, OilRig uses stolen account credentials.
Malicious programs used by APT34 (OilRig)
- Twoface – A web shell used to harvest credentials.
- Powruner – A backdoor known to be used by APT34.
- RGDoor – An Internet Information Services (IIS) backdoor written in C++.
- Helminth – A Trojan developed to target the Windows platform.
- OopsIE – A Trojan deployed by and known to be used by APT34.
- Karkoff – Malware designed to execute code remotely on compromised hosts.
- ISMAgent – A backdoor with a sophisticated architecture that includes anti-analysis techniques.
- Poison Frog – A backdoor used together with the BondUpdater tool.
- PhpSpy – A backdoor used to gain an initial foothold in the targeted network.
- Neptun – A backdoor installed on Microsoft Exchange servers as a service.
- Pickpocket – A browser credential-theft tool.
- ValueVault – A tool used to extract and view the credentials stored in the Windows Vault.
- LongWatch – A Pickpocket variant; also a browser credential-theft tool.
- Marlin – A backdoor used by APT34.
- Saitama – A backdoor used by APT34.
Supply Chain Attack on UAE
According to Kaspersky's lead security researcher Maher Yamout, APT34 (also known as OilRig) set up a phishing website posing as an IT firm in the UAE and submitted a recruitment form to a target IT company, luring victims with a fake IT job application form. When a victim downloaded the infected document, supposedly to apply for the advertised IT job, information-stealing malware was launched.
According to Yamout, the malware gathered private data and login credentials that gave APT34 access to the networks of the IT company's clients. He adds that the attacker then deliberately sought out government clients, using the victim IT organization's email system for command-and-control (C2) communication and data exfiltration. Because of its limited downstream visibility, Kaspersky could not confirm whether the attacks on the government clients succeeded, but Yamout says "we assess to medium-high confidence" that they did, given the group's usual success rate.
According to Kaspersky's investigation, the malware samples used in the UAE campaign were identical to those used in an earlier APT34 supply chain breach in Jordan that employed comparable tactics, techniques, and procedures (TTPs), including the targeting of government institutions. In another case, Yamout believes LinkedIn was used to distribute a job form by an attacker posing as a hiring manager for an IT business.