Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations

February 3, 2023

The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.

“The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said.

While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections.

The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

Linked to Iran’s Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with recent attacks in 2021 and 2022 employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.

The starting point of the latest activity is a .NET-based dropper that is tasked with delivering four different files, including the main implant (“DevicesSrv.exe”) responsible for exfiltrating specific files of interest.

Also put to use in the second stage is a dynamic-link library (DLL) file that is capable of harvesting credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which involves using the stolen credentials to send emails to actor-controlled Gmail and Proton Mail addresses.

“The threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords,” the researchers said.
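The exfiltration pattern described above (a valid internal account relaying outbound mail through the organization's own Exchange server to consumer webmail addresses) is something a mail administrator can hunt for in message tracking data. The following is an added defensive example, not code from the article or from Trend Micro; the log layout, the column names, the victim domain `gov.example` and the size threshold are all constructed assumptions, and the sample records are made up for the demonstration rather than taken from any real incident.

```python
"""Flag outbound mail from internal accounts to consumer webmail domains.

Added detection example (not the article's or Trend Micro's code). The
records below are constructed and simplified; the column names are only
loosely modelled on Exchange message tracking logs and are an assumption.
"""
import csv
import io
from collections import defaultdict

INTERNAL_DOMAIN = "gov.example"          # assumed victim mail domain
WEBMAIL_DOMAINS = {"gmail.com", "proton.me", "protonmail.com"}
MIN_BYTES = 50_000                       # constructed size threshold

# Constructed sample tracking records: one internal-only mail, one normal
# external mail, three large sends to webmail, and one inbound (RECEIVE) mail.
SAMPLE_LOG = """\
timestamp,event-id,sender-address,recipient-address,total-bytes,message-subject
2023-01-30T09:12:01Z,SEND,alice@gov.example,bob@gov.example,4120,Meeting notes
2023-01-30T09:13:44Z,SEND,alice@gov.example,vendor@supplier.example,61230,Invoice Q4
2023-01-30T22:41:05Z,SEND,alice@gov.example,drop.box.7731@gmail.com,812004,FW: docs
2023-01-30T22:42:19Z,SEND,alice@gov.example,drop.box.7731@gmail.com,790112,FW: docs
2023-01-31T01:03:55Z,SEND,carol@gov.example,c.archive@proton.me,1204552,backup
2023-01-31T08:00:00Z,RECEIVE,newsletter@gmail.com,alice@gov.example,20133,Weekly
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def parse_records(text):
    """Parse CSV tracking records into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_webmail_exfil(records, internal_domain=INTERNAL_DOMAIN, min_bytes=MIN_BYTES):
    """Return SEND events where an internal sender mails a webmail domain
    with a message larger than min_bytes. Inbound mail and small messages
    (ordinary personal correspondence) are ignored to limit noise."""
    hits = []
    for rec in records:
        if rec["event-id"] != "SEND":
            continue
        if domain_of(rec["sender-address"]) != internal_domain:
            continue
        if domain_of(rec["recipient-address"]) not in WEBMAIL_DOMAINS:
            continue
        if int(rec["total-bytes"]) < min_bytes:
            continue
        hits.append(rec)
    return hits


def summarize_by_sender(hits):
    """Aggregate flagged events per internal sender: message count, total
    bytes sent, and the distinct webmail recipients used. A single account
    repeatedly pushing large mails to one external address is the shape of
    the relay behaviour described in the article."""
    agg = defaultdict(lambda: {"messages": 0, "bytes": 0, "recipients": set()})
    for rec in hits:
        entry = agg[rec["sender-address"]]
        entry["messages"] += 1
        entry["bytes"] += int(rec["total-bytes"])
        entry["recipients"].add(rec["recipient-address"])
    return {
        sender: {
            "messages": v["messages"],
            "bytes": v["bytes"],
            "recipients": sorted(v["recipients"]),
        }
        for sender, v in agg.items()
    }


if __name__ == "__main__":
    flagged = flag_webmail_exfil(parse_records(SAMPLE_LOG))
    for sender, stats in summarize_by_sender(flagged).items():
        print(sender, stats)
```

In a real deployment the same logic would be applied to the server's actual tracking logs (whose field names differ from the constructed ones here), and the webmail list and size threshold tuned to the organization's normal traffic; hits that also fall outside business hours, as the constructed records do, are worth prioritising.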

The campaign’s connections to APT34 stem from similarities between the first-stage dropper and Saitama, the victimology patterns, and the use of internet-facing Exchange servers as a communication channel, as observed in the case of Karkoff.

If anything, the growing number of malicious tools associated with OilRig signifies the threat actor’s “flexibility” to come up with new malware depending on the targeted environments and the privileges possessed at a given stage of the attack.

“Despite the routine’s simplicity, the novelty of the second and last stages also indicates that this entire routine can be just a small part of a larger campaign targeting governments,” the researchers said.

Some parts of this article are sourced from:
thehackernews.com