The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.
Also referred to as APT34, the hacking group has been active since at least 2014, mainly focused on targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.
The newly identified campaign is characterized by the use of both new malware and additional infrastructure, including the abuse of LinkedIn to deliver malicious documents. As part of the attacks, the actor pose as a member of Cambridge University to gain victims’ trust to open malicious documents.
As part of this newly observed activity, which mainly targeted energy and utilities, government, and oil and gas industries, APT34 deployed not only PowerShell-developed malware, but also Golang-based tools. The actor also was used the PICKPOCKET malware once again.
The first of the newly deployed malware is named TONEDEAF, a backdoor that communicates with a command and control (C&C) server using HTTP GET and POST requests. The malware was designed to collect system information, upload and download files, and facilitate arbitrary shell command execution.
The malware was deployed via an .xls file delivered via a LinkedIn message received from someone claiming to work at the University of Cambridge. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute.
The malware would use offlineearthquake[.]com as a potential C&C, and FireEye managed to identify two other malware families that connect to the same domain, namely VALUEVAULT and LONGWATCH. The same server would also host a variant of PICKPOCKET, a browser credential-theft tool.
LONGWATCH, which was found on the C&C under the name of WinNTProgram.exe, is a keylogger that saves all keystrokes to a log.txt file in the Window’s temp folder.
VALUEVAULT, which was identified as b.exe, is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro. Similar to the original, it can extract credentials stored in the Windows Vault and also call PowerShell to extract browser history.
PICKPOCKET, which was found on the server in both 64- and 32-bit variants, is a credential theft tool designed to dump the user’s website login credentials from Chrome, Firefox, and Internet Explorer. The tool was previously observed used in a Mandiant incident and has been solely utilized by APT34 to date.
“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” FireEye concludes.
Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers
Related: Source Code of New Iran-Linked Hacking Tool Posted Online

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
