Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked Attackers Target Government Organizations

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.

The campaign, dubbed by the security firm “OilRig,” has involved weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor dubbed “Helminth.” The attacks aimed at banks were also documented by FireEye in May.

Palo Alto Networks has been monitoring the group’s activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.

The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.

Four variants of the Helminth malware have been identified by experts, including one that uses FireEye’s name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.

There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed “HerHer” and it is also capable of logging keystrokes.

Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.

Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.

Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.

Related: Iranian Actor “Group5” Targeting Syrian Opposition

Related: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


A Pro-Russian cybercrime group named NoName057(16) is actively launching distributed denial-of-service (DDoS) attacks against organizations in Ukraine and NATO countries.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...


Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...