Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Iran-Linked OilRig APT Caught Using New Backdoor

The Iran-linked hacking group OilRig was observed using a new backdoor in an attack against a government official within Jordan’s foreign ministry, according to new research published this week.

The Iran-linked hacking group OilRig was observed using a new backdoor in an attack against a government official within Jordan’s foreign ministry, according to new research published this week.

Active since at least 2014, OilRig is also tracked as APT34, Helix Kitten, and Cobalt Gypsy, and is believed linked to the objectives of the Iranian government. To date, the group was seen targeting entities in the chemical, energy, financial, governmental, and telecommunication industries.

At the end of April 2022, security researchers with Fortinet and Malwarebytes identified a malicious Excel document that the hacking group sent to the Jordanian diplomat, and which was designed to drop a new backdoor called Saitama.

The phishing email allegedly came from an employee withing the IT department, but in fact originated externally. The attack was identified after the recipient forwarded the message to the real IT employee, likely in an attempt to verify its authenticity.

[ READ: NSA’s Rob Joyce Explains ‘Sand and Friction’ Cybersecurity Strategy ]

The document contained a macro designed to drop the Saitama backdoor and set persistence for it. The macro also closes the initial Excel sheet and opens a new one that displays the Jordan government’s coat of the arms.

According to research notes shared by Fortinet, the macro leverages WMI (Windows Management Instrumentation) to ping its command and control (C&C) server, and has the ability to create three files: malicious PE file, a configuration file, and a legitimate DLL file.

Written in .NET, the Saitama backdoor uses DNS protocol to communicate with the C&C and exfiltrate data, a method stealthier than other communication techniques. Other methods of hiding the malicious packets within legitimate traffic are also used.

Malwarebytes also published a separate report on the backdoor, noting that the entire flow of the program is defined explicitly as a finite-state machine. In short, the machine will change its state depending on the command sent to every state.”

Identified states include an initial state where it accepts a start command; an alive state where it fetches the C&C server, waiting for commands; a sleep mode; a receive state where commands are accepted from the C&C servers; a ‘do’ state where commands are executed, and a send state where results from the execution of commands are sent to the attackers.

Given that some of the supported commands include internal IPs and internal domain names, Malwarebytes researchers believe the backdoor is highly targeted, and that the threat actor has some previous knowledge about the internal infrastructure of the victim.

Related: Iranian Hackers Target U.S. Research Organization in Ongoing Campaign

Related: Report: Iranian APT Hexane Targets Israeli Companies

Related: State TV Says Iran Foiled Cyberattacks on Public Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.