An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.
In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.
The campaign, dubbed by the security firm “OilRig,” has involved weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor dubbed “Helminth.” The attacks aimed at banks were also documented by FireEye in May.
Palo Alto Networks has been monitoring the group’s activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.
The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.
Four variants of the Helminth malware have been identified by experts, including one that uses FireEye’s name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.
There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed “HerHer” and it is also capable of logging keystrokes.
Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.
Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.
Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.
Related: Iranian Actor “Group5” Targeting Syrian Opposition
Related: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- Cybersecurity M&A Roundup: 28 Deals Announced in September 2023
- Companies Address Impact of Exploited Libwebp Vulnerability
- Number of Internet-Exposed ICS Drops Below 100,000: Report
- Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks
- Recently Patched TeamCity Vulnerability Exploited to Hack Servers
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
Latest News
- Synqly Joins Race to Fix Security, Infrastructure Product Integrations
- ZDI Discusses First Automotive Pwn2Own
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
- Actor Tom Hanks Warns of Ad With AI Imposter
- Network, Meet Cloud; Cloud, Meet Network
- Dozens of Malicious NPM Packages Steal User, System Data
- Motel One Discloses Ransomware Attack Impacting Customer Data
