Iranian Hackers Use New Trojan in Recent Attacks

itman · Feb 23, 2018

Another Win system process abuse.

The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.

A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.

The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image to lower suspicion, although it is a fake error message.

The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.

Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.
Click to expand...

https://www.securityweek.com/iranian-hackers-use-new-trojan-recent-attacks

guest · Sep 4, 2018

A well-known hacking group is getting better at evading detection
September 4, 2018
https://www.cyberscoop.com/oopsie-oilrig-iran-evading-detection/

A well-known hacking group remains highly active with new incursions against Middle Eastern governments, according to a new report from U.S. cybersecurity firm Palo Alto Networks. Additionally, the group is employing evasion techniques meant to cut down on the risk of detection.

The new report focuses on OopsIE, a trojan first tracked earlier this year, being used in spear phishing attacks against a highly targeted a Middle Eastern government agency. The trojan is being used by OilRig, a group that has been linked to Iran.

The checks OopsIE runs include ones on vitals like system temperature and CPU fan status to see if the victim is running in a virtual machine or a real one. [...] but OopsIE’s evasion techniques like the CPU fan check are novel.

The malware will only run on computers configured on a small number of time zones [...] “The fact that the Trojan will not operate on systems that are not configured with these time zones suggests that this is a highly targeted attack focused on a specific subset of target nations,” the researchers wrote.
Click to expand...

guest · Sep 13, 2018

OilRig APT Continues Its Ongoing Malware Evolution
September 13, 2018
https://threatpost.com/oilrig-apt-continues-its-ongoing-malware-evolution/137444/

OilRig, an APT group believed to have ties to Iran, has been spotted in yet another campaign in the Middle East – this time targeting victims within an undisclosed government using an evolved variant of the BondUpdater trojan.

As in the case of the OopsIE-driven attacks, this latest campaign uses an iteration of a previously identified homegrown tool. Palo Alto’s Unit 42 has observed OilRig using spear-phishing emails to deliver an updated version of BondUpdater, a PowerShell-based trojan first used by the group in mid-November 2017.

“The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” Unit 42 researchers said in a breakdown of the campaign posted Thursday. “BondUpdater, like other OilRig tools, uses DNS tunneling to communicate with its C2 server…[but] it now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.”
Click to expand...

EASTER · Sep 13, 2018

Just another example of state actors competing for top honors in who can pop the top better and much more stealthy in some cases.

Excluding Russia since they are sharp as a proverbial whistle in tweaking western tech, looks like DPRK + IRAN (Persia) + China are battling it out in back n forth technique. Thanks Windows- Whatta code structure

wat0114 · Sep 13, 2018

EASTER said: ↑

Thanks Windows- Whatta code structure
Click to expand...

when people are gullible enough to fall for obscure, poorly written emails with subject lines like: "important issue" in them, and gladly open the attachments, then that's hardly the fault of Windows code structure. PEBKAC

EASTER · Sep 13, 2018

wat0114 said: ↑

when people are gullible enough to fall for obscure, poorly written emails with subject lines like: "important issue" in them, and gladly open the attachments, then that's hardly the fault of Windows code structure. PEBKAC
Click to expand...

So very true indeed unfortunately. To that regard a rewritten code structure would never matter.

The nilly willy cavalier attitude of happily opening attachments-macros etc will bite the end recipient's machine every time.

Even a sandboxed containment for those business/end users might be a better alternative and yet looking at the raw numbers of submissions on only a single analysis site like Hybrid, show some are at least passing many thru a malware review grinder. Before or after the fact is whole other unknown though.

wat0114 · Sep 14, 2018

EASTER said: ↑

Even a sandboxed containment for those business/end users might be a better alternative and yet looking at the raw numbers of submissions on only a single analysis site like Hybrid, show some are at least passing many thru a malware review grinder. Before or after the fact is whole other unknown though.
Click to expand...

The organization I work for uses some sort of perimeter defenses for catching the majority of phishing/malicious emails, but a few do get through. Recently a colleague of mine opened one with a subject line of "check out this photo" ...LOL and unfortunately he fell for it, just because the sender was from someone he knew. Within mere minutes of opening the attachment he received a phone call from the head of the IT department telling him to shut down the laptop immediately and bring it in for analysis.
He brought in to one of the company's security experts and after thoroughly analyzing it, he said no damage was done. I don't know what the attachment was or what its intended infection vector was, but the fact that employee's devices are so thoroughly "locked down" with limited user rights was instrumental in the malicious attachment being stopped dead in its mission to infect. Obviously the organization also has a built-in feature that alerts the IT department to any attempted malicious activities on their devices.

EASTER · Sep 14, 2018

wat0114 said: ↑

The organization I work for uses some sort of perimeter defenses for catching the majority of phishing/malicious emails, but a few do get through. Recently a colleague of mine opened one with a subject line of "check out this photo" ...LOL and unfortunately he fell for it, just because the sender was from someone he knew. Within mere minutes of opening the attachment he received a phone call from the head of the IT department telling him to shut down the laptop immediately and bring it in for analysis.
He brought in to one of the company's security experts and after thoroughly analyzing it, he said no damage was done. I don't know what the attachment was or what its intended infection vector was, but the fact that employee's devices are so thoroughly "locked down" with limited user rights was instrumental in the malicious attachment being stopped dead in its mission to infect. Obviously the organization also has a built-in feature that alerts the IT department to any attempted malicious activities on their devices.
Click to expand...

Good job for that business entity (and others) that employs perimeter defense of some sort as you so well aptly point out.

That alert provision is a superb forethought and obviously absolutely practical in this day and age where even the slightest miscue/even accident can open a channel for malicious code to fly through the veins of the end user system in a nanosecond of time.

guest · Jul 19, 2019

Iranian Hackers Use New Malware in Recent Attacks
July 19, 2019
https://www.securityweek.com/iranian-hackers-use-new-malware-recent-attacks

The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.

The newly identified campaign is characterized by the use of both new malware and additional infrastructure, including the abuse of LinkedIn to deliver malicious documents. As part of the attacks, the actor pose as a member of Cambridge University to gain victims’ trust to open malicious documents.
As part of this newly observed activity, which mainly targeted energy and utilities, government, and oil and gas industries, APT34 deployed not only PowerShell-developed malware, but also Golang-based tools. The actor also was used the PICKPOCKET malware once again.

The first of the newly deployed malware is named TONEDEAF, a backdoor that communicates with a command and control (C&C) server using HTTP GET and POST requests. [...]
Click to expand...

LONGWATCH, which was found on the C&C under the name of WinNTProgram.exe, is a keylogger that saves all keystrokes to a log.txt file in the Window’s temp folder.
VALUEVAULT, which was identified as b.exe, is a Golang compiled version of the "Windows Vault Password Dumper" browser credential theft tool from Massimiliano Montoro.
PICKPOCKET, which was found on the server in both 64- and 32-bit variants, is a credential theft tool designed to dump the user's website login credentials from Chrome, Firefox, and Internet Explorer.
Click to expand...

FireEye: Hard Pass: Declining APT34’s Invite to Join Their Professional Network

guest · Dec 18, 2019

Poison Frog Malware Samples Reveal OilRig’s Sloppiness
December 17, 2019
https://www.tripwire.com/state-of-s...og-malware-samples-reveal-oilrigs-sloppiness/

An analysis of a new backdoor called “Poison Frog” revealed that the OilRig threat group was sloppy in its development of the malware.
Kaspersky Lab came across Poison Frog while scanning its archives using its YARA rule to hunt for new and old malware samples employed by OilRig.

OilRig sought to avoid alerting a user to the presence of Poison Frog by disguising their malware as the legitimate Cisco AnyConnect application. This fake app displayed an error message whenever a user clicked on its “Connect” buttonp. The threat group employed this technique to mislead the user into thinking that something was wrong with their web connection or the app itself. Meanwhile, Poison Frog secretly installed itself on the user’s machine.
That being said, OilRig made several mistakes in developing Poison Frog. Kaspersky Lab found one sample that didn’t execute because it used a command for “Poweeershell.exe” instead of “Powershell.exe,” for instance, while others still had the PDB path inside their binary.
Click to expand...

Kaspersky: OilRig’s Poison Frog – old samples, same trick

guest · Jan 31, 2020

mood said: ↑

Iranian Hackers Use New Malware in Recent Attacks
July 19, 2019
Click to expand...

Iran-linked APT34 group is targeting US federal workers
January 31, 2020
https://securityaffairs.co/wordpress/97067/apt/apt34-westat-survey.html

Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations.

“Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.” reads the analysis published by Intezer.
The experts believe that the attacker was launched by the cyber-espionage group APT34 (aka OilRig or Helix Kitten)

The recent campaign appears similar to the one observed by FireEye in July 2019 when hackers were posing as a researcher from Cambridge to infect victims with three new malware.
Both malware used in this campaign (tracked as TONEDEAF 2.0 and VALUEVAULT 2.0) were also employed in the campaign observed in July 2019, but they include major updates that changes were developed for this specific attack.

“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally off,” concludes Intezer.
Click to expand...

Intezer: New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset

Log in or Sign up

Iranian Hackers Use New Trojan in Recent Attacks

itman Registered Member

guest Guest

guest Guest

EASTER Registered Member

wat0114 Registered Member

EASTER Registered Member

wat0114 Registered Member

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Log in or Sign up

Iranian Hackers Use New Trojan in Recent Attacks

itman Registered Member

guest Guest

guest Guest

EASTER Registered Member

wat0114 Registered Member

EASTER Registered Member

wat0114 Registered Member

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Useful Searches