Security Experts:

Iranian Cyberspies Use New Trojan in Middle East Attacks

A cyberespionage group previously linked to Iran has been using a new Trojan in attacks aimed at entities in the Middle East, Palo Alto Networks reported on Monday.

The threat actor, known as OilRig, was recently spotted launching attacks against an organization within the government of the United Arab Emirates (UAE).

When it first discovered the group’s activities back in May 2016, Palo Alto Networks believed the attacks had been carried out by a known group, but researchers later determined that the campaign was actually the work of a new actor, which is now tracked as OilRig.

OilRig has been known to use a remote access trojan (RAT) named ISMDoor, which researchers also identified in attacks launched by another Iran-linked cyberspy group known as Greenbug.OilRig hackers use new Trojan

In attacks seen by Palo Alto Networks in July 2017, OilRig had started using a new piece of malware dubbed “ISMAgent,” which appeared to be a variant of the ISMDoor RAT. In even more recent attacks, observed by experts in August 2017, a new injector Trojan was used by the attackers.

The new malware, tracked as “ISMInjector,” is a tool that has a sophisticated architecture and it includes anti-analysis techniques that were not previously leveraged by this group.

“The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their development efforts in order to evade detection and gain higher efficacy in their attacks,” Palo Alto Networks researchers said in a blog post.

In the attack aimed at the UAE government, hackers delivered their malware using malicious documents attached to emails with the subject line “Important Issue.” What made the emails interesting was the fact that they came from the targeted organization’s own domain. While experts initially believed that the attackers had spoofed the sender, they later determined that they actually used a compromised Outlook Web Access (OWA) account whose credentials they obtained in a previous phishing attack.

The malicious documents sent to the UAE government, tracked by Palo Alto as “ThreeDollars,” delivered the new ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.

In order to make analysis of ISMInjector more difficult, the malware’s developers have relied on what researchers call “state machines” to create a new process and inject the payload into that process. Each state is responsible for conducting a particular action and it specifies the next state that should be executed.

Since the states are not executed in sequential order, researchers analyzing the malware have to jump around in the code to determine how it works, which makes it more challenging to investigate the threat. Analysis of the malware is further complicated by the use of a crypter.

Iran appears to have several cyber espionage groups, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

Related: Attribution Hell - Cyberspies Hacking Other Cyberspies

Related: Iranian Hackers Exploit Recent Office 0-Day in Attacks

Related: Iranian Group Delivers Malware via Fake Oxford University Sites

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.