OilRig Keeps On Cyber Drilling

Iranian-based Hacker Group OilRig Keeps Cyber Drilling, Posing a Persistent Threat
OilRig, also known as APT34 or Helix Kitten, is a well-known Iranian Advanced Persistent Threat (APT) group linked to multiple cyber operations targeting technology service providers and government entities. Between May and June 2018, the group launched a three-wave campaign using spear-phishing emails crafted to appear as legitimate communications from a Middle Eastern government agency.
These emails contained a portable executable file (converted from .bat), which, when downloaded, deployed the QUADAGENT PowerShell backdoor. The dropper executed silently, downloaded the backdoor, established persistence through a scheduled task, and triggered the final payload. Communication with the attackers’ Command & Control server occurred via rdppath[.]com, utilizing HTTPS, HTTP, and DNS tunneling.
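The multi-protocol C2 channel described above includes DNS tunneling, which shows up in resolver logs as bursts of long, random-looking subdomain labels under one registered domain. The script below is an added example, not code from the original post or from Cymulate: it runs that heuristic (label length, character entropy and the share of TXT queries) over a constructed DNS log that reuses the rdppath[.]com domain named above; the thresholds are assumptions to be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the original post), one query per line:
# "<timestamp> <client IP> <queried name> <record type>". The rdppath.com
# entries mimic what tunneled traffic to the domain named above could look like.
SAMPLE_DNS_LOG = """\
2018-06-01T10:00:01 10.0.0.5 www.example.com A
2018-06-01T10:00:02 10.0.0.7 4a7f9c2e1b.rdppath.com TXT
2018-06-01T10:00:02 10.0.0.7 9d83kx02pqz7w1m5.rdppath.com TXT
2018-06-01T10:00:03 10.0.0.7 zt4vq8n1c6hb2r9s.rdppath.com TXT
2018-06-01T10:00:04 10.0.0.5 mail.example.com MX
2018-06-01T10:00:05 10.0.0.7 b7n2q9x4ve0m3kwp.rdppath.com TXT
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, real words score low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records

def registered_domain(qname):
    # Simplified: last two labels (no public-suffix list, so co.uk-style names need more care)
    return ".".join(qname.split(".")[-2:])

def find_tunneling_candidates(records, min_queries=3, min_label_len=10,
                              min_entropy=3.0, min_txt_share=0.5):
    """Flag registered domains whose leftmost subdomain labels look like encoded payloads."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    findings = []
    for domain, recs in by_domain.items():
        if len(recs) < min_queries:
            continue
        labels = [r["qname"][:-len(domain) - 1].split(".")[0] for r in recs]
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        txt_share = sum(r["qtype"] == "TXT" for r in recs) / len(recs)
        if mean_len >= min_label_len and mean_ent >= min_entropy and txt_share >= min_txt_share:
            findings.append({"domain": domain, "queries": len(recs),
                             "clients": sorted({r["client"] for r in recs}),
                             "mean_label_len": mean_len, "mean_entropy": round(mean_ent, 2),
                             "txt_share": txt_share})
    return findings

if __name__ == "__main__":
    for f in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f)
```

Ordinary CDN and anti-spam lookups also use long labels, so treat a hit as a lead to correlate with the scheduled-task and PowerShell activity described above rather than as proof on its own.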
OilRig’s campaigns demonstrate the strategic use of social engineering, stealthy malware deployment, and multi-protocol communication methods—highlighting the persistent threat posed by state-sponsored cyber actors.
The QUADAGENT Backdoor: A Tool of Destruction
In their third wave against the government entity, the hackers made a slight change. They used the Microsoft .NET Framework for conversion and installed a fake error box when the duped victim executed the malicious file. Once the malware was dropped and executed, the backdoor would connect to the hackers’ Command & Control Center at cpuproc[.]com. In all attacks, the malware was running silently in the background, avoiding detection by cybersecurity solutions.
It is important to note that all evidence points to OilRig being the author of the QUADAGENT PowerShell backdoor. This means that we will see many more attacks where this tool will be used by threat actors.
Leafminer: A New Player in Iran’s Cyber Arsenal
OilRig is not the only Iran-based hacker group wreaking havoc. Newcomer Leafminer seems to specialize in espionage and has attacked a long list of governments and companies in Saudi Arabia, Egypt, Israel and Pakistan. Saudi Arabia, Iran's archenemy, was hit hardest, with its healthcare facilities among the targets. In second place was Lebanon (including the country’s intelligence agency), followed by Israel and Kuwait.
Leafminer used watering hole attacks and phishing emails with malicious attachments. Those specific payloads were designed to exploit the EternalBlue vulnerability. Furthermore, it seems that Leafminer favors a "living-off-the-land" approach, which consists of using tactics, techniques and procedures (TTPs) that are publicly available or have already been tried and tested by other hackers or hacker groups. Although Leafminer appears to have concentrated its attacks on targets in the Middle East, it can be expected that the US and European countries (such as Germany and the UK) will become targets as well.
Europe in the Crosshairs: Iran's Expanding Cyber Reach
In Europe, Germany has been a prime target for this kind of APT attack. In its latest report, the German intelligence agency (Bundesamt für Verfassungsschutz or BfV) stated that the number of cyberattacks attributed to Iran has been on the rise since 2014, with a sharp increase in 2017. Interior Minister Horst Seehofer concluded that the BfV should not only identify and mitigate cyberattacks but also apply proactive measures.
Cymulate’s Breach & Attack Simulation (BAS) platform could be such a proactive measure, since it allows an agency or company to run real cyberattacks in their own production environment in a safe manner without harming their network in any way. This allows them to test their security posture and mitigate APT attacks before they can hit and penetrate the networks.