Iranian hackers use new backdoor to spy on Middle Eastern governments
The attackers use previously unknown malware that abuses government mail servers to send collected data out of the network.
Cybersecurity researchers at the information security company Trend Micro report that the Iranian APT group OilRig (also tracked as APT34, Cobalt Gypsy, Europium, and Helix Kitten) continues to attack government organizations in the Middle East as part of a cyber-espionage campaign that uses a new backdoor to steal data.
The campaign uses legitimate but compromised email accounts to send stolen data to external email accounts controlled by attackers.
OilRig attack chain
To send the data, a .NET-based backdoor is used; it is tasked with dropping four different files, including the main implant (“DevicesSrv.exe”), which exfiltrates specific files.
The second stage uses a DLL library that collects the credentials of domain users and local profiles.
The most notable aspect of the backdoor is its exfiltration procedure, which involves using stolen credentials to send emails to attacker-controlled Gmail and Proton Mail email addresses. The hackers send these emails through the government’s Exchange servers using compromised legitimate accounts.
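The exfiltration path described above (an internal account on the organisation's own Exchange server sending mail to attacker-controlled Gmail or Proton Mail addresses) leaves a trace in Exchange message-tracking logs. The following Python script is an added detection example, not code from the Trend Micro report or from the malware: it runs over a constructed message-tracking export and flags internal senders who send large or subject-less messages to the webmail domains named in the article. The column layout, the internal domain `ministry.example.gov`, the size threshold and every row of the sample log are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like a message-tracking export (columns loosely follow
# Get-MessageTrackingLog output; every row below is invented for this example).
SAMPLE_LOG = """\
Timestamp,EventId,Sender,Recipients,MessageSubject,TotalBytes
2023-05-01T08:01:10Z,SEND,alice@ministry.example.gov,bob@ministry.example.gov,Weekly report,24000
2023-05-01T08:02:31Z,SEND,alice@ministry.example.gov,contact@vendor.example.com,Invoice,18000
2023-05-01T08:05:44Z,SEND,alice@ministry.example.gov,collector123@gmail.com,,3145728
2023-05-01T08:06:02Z,SEND,alice@ministry.example.gov,collector123@gmail.com,,2097152
2023-05-01T09:15:20Z,SEND,carol@ministry.example.gov,friend@gmail.com,Lunch?,2100
2023-05-01T09:40:05Z,SEND,dave@ministry.example.gov,drop.box.pm@proton.me,,5242880
"""

INTERNAL_DOMAIN = "ministry.example.gov"  # assumption: the organisation's own mail domain
# Webmail services named in the report as the attacker-controlled destinations.
WEBMAIL_DOMAINS = {"gmail.com", "protonmail.com", "proton.me"}
LARGE_MESSAGE_BYTES = 1_000_000  # assumption: a message this large is carrying an attachment


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def find_webmail_exfil(log_text: str) -> list:
    """Flag SEND events where an internal account mails a webmail address with a
    large payload or an empty subject, the pattern the backdoor's exfiltration leaves."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EventId"] != "SEND" or domain_of(row["Sender"]) != INTERNAL_DOMAIN:
            continue
        recipients = [r for r in row["Recipients"].split(";") if r.strip()]
        external = [r for r in recipients if domain_of(r) in WEBMAIL_DOMAINS]
        if not external:
            continue
        size = int(row["TotalBytes"] or 0)
        if size >= LARGE_MESSAGE_BYTES or not row["MessageSubject"].strip():
            findings.append({
                "time": row["Timestamp"],
                "sender": row["Sender"],
                "recipients": external,
                "bytes": size,
                "reason": "large message" if size >= LARGE_MESSAGE_BYTES else "empty subject",
            })
    return findings


def senders_by_finding_count(findings: list) -> Counter:
    """Aggregate findings per internal sender; a compromised account shows up repeatedly."""
    return Counter(f["sender"] for f in findings)


if __name__ == "__main__":
    hits = find_webmail_exfil(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["time"]} {hit["sender"]} -> {",".join(hit["recipients"])} '
              f'({hit["bytes"]} bytes, {hit["reason"]})')
    print("per-sender counts:", dict(senders_by_finding_count(hits)))
```

The ordinary outbound message to a Gmail contact ("Lunch?", 2 KB) is deliberately left unflagged: an organisation that blocks all webmail traffic would not need this rule, while one that allows it needs the size and subject heuristics plus the per-sender aggregation to separate a compromised account from normal use. In production the same logic would be run against the real tracking log export and tuned with the organisation's own allow-list.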
Experts attributed this campaign to APT34 because of the similarity between the first-stage droppers and the Saitama backdoor, the group’s victimology, and the use of Internet-facing Exchange servers as a communication channel, as previously seen with the Karkoff malware.
Despite the simplicity of the procedure, the novelty of the second and final stage suggests that the whole procedure may be just a small part of a larger campaign aimed at governments, the researchers said.