The Iran-linked cyberespionage group OilRig has been observed intensifying cyber operations against government entities in the Gulf region, cybersecurity firm Trend Micro reports.
Also tracked as APT34, Cobalt Gypsy, Earth Simnavaz, and Helix Kitten, the advanced persistent threat (APT) actor has been active since at least 2014, targeting entities in the energy, and other critical infrastructure sectors, and pursuing objectives aligned with those of the Iranian government.
“In recent months, there has been a notable rise in cyberattacks attributed to this APT group specifically targeting government sectors in the United Arab Emirates (UAE) and the broader Gulf region,” Trend Micro says.
As part of the newly observed operations, the APT has been deploying a sophisticated new backdoor for the exfiltration of credentials through on-premises Microsoft Exchange servers.
Additionally, OilRig was seen abusing the dropped password filter policy to extract clean-text passwords, leveraging the Ngrok remote monitoring and management (RMM) tool to tunnel traffic and maintain persistence, and exploiting CVE-2024-30088, a Windows kernel elevation of privilege bug.
Microsoft patched CVE-2024-30088 in June and this appears to be the first report describing exploitation of the flaw. The tech giant’s advisory does not mention in-the-wild exploitation at the time of writing, but it does indicate that ‘exploitation is more likely’.
“The initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server. This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server,” Trend Micro explains.
After gaining access to the network, the APT deployed Ngrok and leveraged it for lateral movement, eventually compromising the Domain Controller, and exploited CVE-2024-30088 to elevate privileges. It also registered a password filter DLL and deployed the backdoor for credential harvesting.
The threat actor was also seen using compromised domain credentials to access the Exchange Server and exfiltrate data, the cybersecurity firm says.
“The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers,” Trend Micro explains.
The backdoor deployed in these attacks, which shows similarities with other malware employed by the APT, would retrieve usernames and passwords from a specific file, retrieve configuration data from the Exchange mail server, and send emails to a specified target address.
“Earth Simnavaz has been known to leverage compromised organizations to conduct supply chain attacks on other government entities. We expected that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets,” Trend Micro notes.
Related: US Agencies Warn Political Campaigns of Iranian Phishing Attacks
Related: Former British Cyberespionage Agency Employee Gets Life in Prison for Stabbing an American Spy
Related: MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
Related: Iran Says Fuel System Running Again After Cyber Attack