An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.
In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.
The campaign, dubbed by the security firm “OilRig,” has involved weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor dubbed “Helminth.” The attacks aimed at banks were also documented by FireEye in May.
Palo Alto Networks has been monitoring the group’s activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.
The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.
Four variants of the Helminth malware have been identified by experts, including one that uses FireEye’s name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.
There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed “HerHer” and it is also capable of logging keystrokes.
Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.
Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.
Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.