Iranian-based Hacker Group OilRig Keeps Cyber Drilling, Posing a Persistent Threat
In a previous post, we mentioned Advanced Persistent Threat attacks (APTs) that are waging ongoing sophisticated hacking attempts targeted e.g., certain countries or institutions. These kinds of attack are especially popular with rogue regimes such as North Korea and Iran. The latter uses those to bring cyberwarfare to a whole new level, with Iranian hacker group OilRig (also known as PT34 or Helix Kitten) launching multiple attacks between May and June 2018 amongst previous ones in past years. The targets were technology services providers and a government entity. There were three waves of APT attacks in total, all using a single spear-phishing email to let the recipients believe that it came from a legitimate Middle Eastern government agency.
The email contained a portable executable file (converted from .bat) that once downloaded inserted the QUADAGENT PowerShell backdoor. The dropper would run silently, would download the backdoor, create a scheduled task for persistency, and then execute the payload. The malware used rdppath[.]com as the hackers’ Command & Control Center connecting it via HTTPS, HTTP, and DNS tunneling.
The QUADAGENT Backdoor: A Tool of Destruction
In their third wave against the government entity, the hackers made a slight change. They used the Microsoft .NET Framework for conversion and installed a fake error box when the duped victim executed the malicious file. Once the malware was dropped and executed, the backdoor would connect to the hackers’ Command & Control Center at cpuproc[.]com. In all attacks, the malware was running silently in the background, avoiding detection by cybersecurity solutions.
It is important to note that all evidence points to OilRig being the author of the QUADAGENT PowerShell backdoor. This means that we will see many more attacks where this tool will be used by threat actors.
Leafminer: A New Player in Iran’s Cyber Arsenal
OilRig is not the only Iran-based hacker group wreaking havoc. Newcomer Leafminer seems to specialize in espionage and has attacked a long list of governments and companies in Saudi Arabia, Egypt, Israel and Pakistan. Archenemy Saudi Arabia was hit most, also targeting its healthcare facilities. In second place was Lebanon (including the country’s intelligence agency) followed by Israel and Kuwait.
Leafminer used watering hole attacks and phishing emails with malicious attachments. Those specific payloads were designed to exploit the EternalBlue vulnerability. Furthermore, it seems that Leafminer favors a “living-off-the land” approach, which consists of using tactics, techniques and procedures (TTP) that are publicly available or have already been tried and tested by other hackers/hacker groups. Although it seems that Leafminer concentrated its attacks on targets in the Middle East, it can be expected that the US and European countries (such as Germany and the UK) will become targets as well.
Europe in the Crosshairs: Iran’s Expanding Cyber Reach
In Europe, Germany has been a prime target for this kind of APT attacks. In its latest report, the German intelligence agency (Bundesamt für Verfassungsschutz or BfV) stated that the number of cyberattacks contributed to Iran has been on the rise since 2014, with a sharp increase in 2017. Interior Minister Horst Seehofer concluded that the BfV should not only identify and mitigate cyberattacks but also apply proactive measures.
Cymulate’s Breach & Attack Simulation (BAS) platform could be such a proactive measure, since it allows an agency or company to run real cyberattacks in their own production environment in a safe manner without harming their network in any way. This allows them to test their security posture and mitigate APT attacks before they can hit and penetrate the networks.