Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Iranian Hackers Use New Trojan in Recent Attacks

The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.

The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.

A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.

The first attack occurred on January 8, 2018, and started with two emails being sent to two different email addresses at the same organization within a six minutes time span. Both messages originated from an email address associated with the Lebanese domain of a major global financial institution, but researchers from Palo Alto Networks believe the email address was spoofed.

On January 16, OilRig targeted an organization that it had also hit a year ago. The OopsIE Trojan was downloaded from the command and control (C&C) server directly, suggesting that the server was being used for staging as well. It also suggests that group might have changed tactics after the targeted organization took measures to counter known OilRig TTPs following last year’s incident.

The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image to lower suspicion, although it is a fake error message.

The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.

Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon,” the researchers explain.

The Trojan extracts and loads an embedded assembly by concatenating the contents of two resources, a technique the OilRig group was already known to employ.

Based on responses received from the server, the Trojan can run a command, upload a file, or download a specified file.

In addition to the use of the ThreeDollars delivery document, the newly observed attacks overlap with previous incidents involving the OilRig group in that they use the C&C domain msoffice365cdn[.]com. The researchers also linked the domain’s registrant to the office365-management[.]com and office365-technical[.]info domains and believe the OilRig group is behind all of them. The IP msoffice365cdn[.]com resolves to was also associated with the group.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.

Related: Iranian Hackers Target IIS Web Servers With New Backdoor

Related: Iranian Cyberspies Exploit Recently Patched Office Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.