Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Iranian Hackers Use New Malware in Recent Attacks

The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.

The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.

Also referred to as APT34, the hacking group has been active since at least 2014, mainly focused on targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.

The newly identified campaign is characterized by the use of both new malware and additional infrastructure, including the abuse of LinkedIn to deliver malicious documents. As part of the attacks, the actor pose as a member of Cambridge University to gain victims’ trust to open malicious documents. 

As part of this newly observed activity, which mainly targeted energy and utilities, government, and oil and gas industries, APT34 deployed not only PowerShell-developed malware, but also Golang-based tools. The actor also was used the PICKPOCKET malware once again. 

The first of the newly deployed malware is named TONEDEAF, a backdoor that communicates with a command and control (C&C) server using HTTP GET and POST requests. The malware was designed to collect system information, upload and download files, and facilitate arbitrary shell command execution. 

The malware was deployed via an .xls file delivered via a LinkedIn message received from someone claiming to work at the University of Cambridge. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute. 

The malware would use offlineearthquake[.]com as a potential C&C, and FireEye managed to identify two other malware families that connect to the same domain, namely VALUEVAULT and LONGWATCH. The same server would also host a variant of PICKPOCKET, a browser credential-theft tool. 

LONGWATCH, which was found on the C&C under the name of WinNTProgram.exe, is a keylogger that saves all keystrokes to a log.txt file in the Window’s temp folder. 

VALUEVAULT, which was identified as b.exe, is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro. Similar to the original, it can extract credentials stored in the Windows Vault and also call PowerShell to extract browser history. 

PICKPOCKET, which was found on the server in both 64- and 32-bit variants, is a credential theft tool designed to dump the user’s website login credentials from Chrome, Firefox, and Internet Explorer. The tool was previously observed used in a Mandiant incident and has been solely utilized by APT34 to date.

“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” FireEye concludes. 

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Related: Source Code of New Iran-Linked Hacking Tool Posted Online

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...