Connect with us

Hi, what are you looking for?



Iranian Group Delivers Malware via Fake Oxford University Sites

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

OilRig has been around since at least 2015 and its campaigns have been analyzed by several researchers, including from FireEye and Palo Alto Networks. The attackers have targeted organizations in Saudi Arabia, Israel, the United States, Turkey, the United Arab Emirates, Lebanon, Kuwait and Qatar, including government agencies, financial institutions and tech companies.

Recent attacks observed by researchers at ClearSky have been aimed at several Israeli organizations, including IT vendors, financial institutions and the country’s national postal service.

In some of the attacks seen by ClearSky, the threat actor set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. It’s unclear if the malicious actor compromised the affected vendors’ entire networks or just the email accounts they used to send out messages containing links to the fake VPN portal.

Once taken to the fake Juniper website, victims were instructed to install a VPN client, a legitimate piece of software from Juniper Networks bundled with Helminth, a piece of malware known to be used by OilRig.

According to researchers, these files had been signed with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. A different Helminth sample found by ClearSky was signed with a different certificate issued to the same company.

“This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network,” researchers said. “Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.”

In other OilRig attacks, the threat group registered four domain names apparently belonging to Oxford University, including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com.

Advertisement. Scroll to continue reading.

The first domain mimicked an Oxford conference registration website and instructed visitors to install a tool allegedly needed for pre-registration. The tool, also signed with an AI Squared certificate, prompts users to provide various types of personal information and generates what it claims to be a “pre-registration form.”

Users are then instructed to send the form to an email address hosted on the attackers’ second domain, oxford-careers[.]com. At one point, this domain was linked to oxford[.]in, which had stored some documents, but researchers could not determine what these files contained as they were unavailable during their analysis.

The last fake Oxford domain, oxford-employee[.]com, hosted a job application website and provided users an “official” Oxford CV creator. The fake CV creator is also a tool created by the attackers.

Fake Oxford University CV creator tool

In a blog post published in October, Palo Alto Networks revealed that OilRig had used an IP address mentioned in 2015 by Symantec in a report describing the activities of two Iran-based threat groups, named Cadelle and Chafer, that appeared to be linked. ClearSky has confirmed that the same IP address has been linked to both OilRig and a piece of malware used by Chafer.

While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control (C&C) domains used by the group.

Related: “Gaza Cybergang” Attacks Attributed to Hamas

Related: Iran-Linked Espionage Group Continues Attacks on Middle East

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.