New Backdoor Tactics in Cyber Espionage Campaign

The Iranian nation-state hacking group OilRig, also known as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been targeting government organizations in the Middle East as part of a cyber espionage campaign.
The group, linked to Iran’s Ministry of Intelligence and Security, has been documented for its targeted phishing attacks in the region since at least 2014. The latest attack against a government official within Jordan’s foreign ministry involved the use of a new backdoor called Saitama, which was delivered via a malicious Excel document.
The document contained a macro that dropped the Saitama backdoor, which uses the DNS protocol to communicate with its command and control server and exfiltrate data. The macro also has the ability to create files and set persistence for the backdoor. The Saitama backdoor operates as a finite-state machine and its entire flow is defined explicitly, changing its state depending on commands sent from the attackers.
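Because Saitama talks to its command-and-control server over DNS, the defender's vantage point is the resolver log. The following Python script is an added example, not code from the original article or from any published Saitama analysis: it does not model Saitama's actual encoding, which the article does not describe, but applies the general heuristics used to spot DNS tunnelling in resolver logs (long, high-entropy leftmost labels, few repeated query names, unusually many queries to one registrable domain). The log format, the IP addresses and the domain tunnel-example.net are all constructed for the example, and the "last two labels" domain split is a simplification that real deployments should replace with a Public Suffix List lookup.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real Saitama traffic).
# Format assumed for this example: "<timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_LOG = """\
2022-05-10T09:00:01 10.0.0.15 www.example.org A
2022-05-10T09:00:02 10.0.0.15 mail.example.org A
2022-05-10T09:00:03 10.0.0.15 cdn.example.org A
2022-05-10T09:01:00 10.0.0.22 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel-example.net TXT
2022-05-10T09:01:05 10.0.0.22 f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1.tunnel-example.net TXT
2022-05-10T09:01:10 10.0.0.22 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-example.net TXT
2022-05-10T09:01:15 10.0.0.22 9a8b7c6d5e4f30211203f4e5d6c7b8a9.tunnel-example.net TXT
2022-05-10T09:01:20 10.0.0.22 c0ffee1234567890abcdef1234567890.tunnel-example.net TXT
2022-05-10T09:01:25 10.0.0.22 deadbeef0badf00d1234abcd5678ef90.tunnel-example.net TXT
2022-05-10T09:02:00 10.0.0.22 www.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payload labels score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Simplification: treat the last two labels as the registrable domain (use the PSL in production)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_tunneling(log_text, min_queries=5, min_unique_ratio=0.8,
                         min_entropy=3.5, min_label_len=20):
    """Group queries per (client, registrable domain) and flag tunnelling-like behaviour.

    A group is flagged when it has at least `min_queries` queries, almost every
    query name is unique, and the leftmost label is long and high-entropy on average.
    Thresholds are illustrative and must be tuned against a site's own baseline.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "entropy_sum": 0.0, "len_sum": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registrable_domain(rec["qname"])
        sub = rec["qname"][:-len(domain)].rstrip(".") if rec["qname"] != domain else ""
        first_label = sub.split(".")[0] if sub else ""
        s = stats[(rec["client"], domain)]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        s["entropy_sum"] += shannon_entropy(first_label)
        s["len_sum"] += len(first_label)

    findings = []
    for (client, domain), s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["names"]) / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        mean_len = s["len_sum"] / s["queries"]
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and mean_len >= min_label_len):
            findings.append({"client": client, "domain": domain,
                             "queries": s["queries"],
                             "unique_ratio": round(unique_ratio, 2),
                             "mean_entropy": round(mean_entropy, 2),
                             "mean_label_len": round(mean_len, 1)})
    return sorted(findings, key=lambda f: (-f["queries"], f["client"]))


if __name__ == "__main__":
    for finding in detect_dns_tunneling(SAMPLE_LOG):
        print(finding)
```

Run on the constructed sample, the script flags only the 10.0.0.22 / tunnel-example.net group; the ordinary lookups of example.org fall below the query-count floor. In practice this heuristic is a triage signal rather than a verdict: pair it with an allow-list of known high-cardinality services (CDNs, anti-spam DNSBLs, telemetry endpoints) and with per-domain volume baselines before alerting on it.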
OilRig has been known to use a diverse toolset in its operations, with recent attacks employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft. The latest campaign marks the first time the group has adopted the technique of using legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers. The threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.
Despite the routine’s simplicity, researchers believe that the novelty of the technique used in the latest attack indicates that this could just be a small part of a bigger campaign targeting governments. The growing number of malicious tools associated with OilRig shows the threat actor’s flexibility to come up with new malware based on the targeted environments and the privileges possessed at a given stage of the attack.
Cybersecurity experts recommend that organizations and individuals who may be potential targets of the OilRig/APT34 group strengthen their protections and stay vigilant against unfamiliar emails. They are also advised to monitor their network activity, keep their software up to date, and regularly back up important data. By doing so, they can reduce the risk of a successful attack and help keep their data secure.