Iran-Linked OilRig APT Caught Using New Backdoor

The Iran-linked hacking group OilRig was observed using a new backdoor in an attack against a government official within Jordan’s foreign ministry, according to new research published this week.

Active since at least 2014, OilRig is also tracked as APT34, Helix Kitten, and Cobalt Gypsy, and is believed linked to the objectives of the Iranian government. To date, the group was seen targeting entities in the chemical, energy, financial, governmental, and telecommunication industries.

At the end of April 2022, security researchers with Fortinet and Malwarebytes identified a malicious Excel document that the hacking group sent to the Jordanian diplomat, and which was designed to drop a new backdoor called Saitama.

The phishing email appeared to come from an employee within the IT department, but in fact originated externally. The attack was identified after the recipient forwarded the message to the real IT employee, likely in an attempt to verify its authenticity.

The document contained a macro designed to drop the Saitama backdoor and set up persistence for it. The macro also closes the initial Excel sheet and opens a new one that displays the Jordanian government’s coat of arms.

According to research notes shared by Fortinet, the macro leverages WMI (Windows Management Instrumentation) to ping its command and control (C&C) server, and has the ability to create three files: a malicious PE file, a configuration file, and a legitimate DLL file.

Written in .NET, the Saitama backdoor uses the DNS protocol to communicate with the C&C server and exfiltrate data, a method stealthier than other communication techniques because DNS traffic is rarely blocked and seldom inspected closely. Other methods of hiding the malicious packets within legitimate traffic are also used.
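DNS-based C&C relies on encoding data into query names, so one practical detection is to score resolver logs for clients that repeatedly send long, high-entropy subdomain labels to the same registered domain. The following is an added example written for this article, not code from Fortinet, Malwarebytes or the Saitama sample; the log format, the `c2-placeholder.test` domain and all client addresses are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article).
# Format assumed here: "<timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_DNS_LOG = """\
2022-04-26T09:00:01 10.1.1.20 www.example.com A
2022-04-26T09:00:02 10.1.1.20 mail.example.com A
2022-04-26T09:00:03 10.1.1.21 kzq7x3ymv0a9lp2r.c2-placeholder.test A
2022-04-26T09:00:04 10.1.1.21 h8tq1nv4xe6b2sjw.c2-placeholder.test A
2022-04-26T09:00:05 10.1.1.21 q2ln9bx7v3ma5cyd.c2-placeholder.test A
2022-04-26T09:00:06 10.1.1.21 z5rw0mk8ty1xj4vb.c2-placeholder.test A
2022-04-26T09:00:07 10.1.1.22 cdn.example.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the constructed log format into records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' approximation of the registered domain.
    A production detector should use the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def looks_encoded(qname: str, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """Flag a query whose leftmost label is long and high-entropy (assumed thresholds)."""
    leftmost = qname.split(".")[0]
    return len(leftmost) >= min_len and shannon_entropy(leftmost) >= min_entropy


def detect_dns_tunneling(text: str, min_hits: int = 3) -> dict:
    """Return {(client, registered_domain): count} for pairs that sent at least
    min_hits encoded-looking queries. The count threshold keeps one-off random
    CDN or telemetry hostnames from producing an alert on their own."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if looks_encoded(rec["qname"]):
            hits[(rec["client"], registered_domain(rec["qname"]))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {n} encoded-looking queries")
```

On the constructed sample, only client 10.1.1.21 talking to `c2-placeholder.test` crosses the thresholds; the legitimate `example.com` and `example.net` lookups have short, low-entropy labels and are ignored. Query volume per domain over time, TXT-record usage and unusually long responses are further signals worth adding, since attackers can lower per-label entropy at the cost of more queries.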

Malwarebytes also published a separate report on the backdoor, noting that “the entire flow of the program is defined explicitly as a finite-state machine. In short, the machine will change its state depending on the command sent to every state.”

Identified states include an initial state where it accepts a start command; an alive state where it contacts the C&C server and waits for commands; a sleep mode; a receive state where commands are accepted from the C&C servers; a ‘do’ state where commands are executed; and a send state where the results of command execution are sent to the attackers.

Given that some of the supported commands include internal IPs and internal domain names, Malwarebytes researchers believe the backdoor is highly targeted, and that the threat actor has some previous knowledge about the internal infrastructure of the victim.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.