ClearSky Security discovered a new campaign conducted by the Iranian OilRig APT leveraging digitally signed malware and fake University of Oxford domains.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported attacks launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey.

The name OilRig was used by Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”

Now we have a new update on the activity of the OilRig APT that in a recent string of attacks targeted several Israeli organizations, including IT vendors, the national postal service, and financial institutions.

Security experts from ClearSky discovered that the Iranian hackers set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it.

The hackers used the email accounts of the IT vendors to send messages containing links to the fake VPN portal to the victims.

analysis from ClearSky. “The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could get access to specific computers or email accounts.” reads thefrom ClearSky.

When the victims land on the rogue Juniper website, they were instructed to install a VPN client, in this case, attackers used a legitimate software from Juniper Networks packaged with the Helminth malware.

Hackers signed the malicious VPN client with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. The researchers also discovered a second sample of the Helminth malware signed with another certificate.

“Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate:

Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A

Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48

This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.” states the analysis.

Researchers also discovered other attacks in which the OilRig group used four domain names apparently belonging to Oxford University (including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).

In one case the hackers set up a fake Oxford conference registration website, when the victims visited it they were instructed to install a tool allegedly needed for pre-registration that hides a malware. Also in this case, the tool is signed with an AI Squared certificate.

In December 2015, researchers at Symantec detailed the activities of two Iran-based hacker groups, dubbed Cadelle and Chafer, that used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.

The IP address 83.142.230.138 mentioned in the Symantec report linked to the C&C infrastructure used by the Chafer group is the same used by the OilRig.

“Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address 83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.”

This circumstance suggests that the Chafer and Oilrig are the same Iranian entity.

Further technical details and Indicators of Compromise are available in the ClearSky report.

Pierluigi Paganini

(Security Affairs – OilRig Campaign, Helminth Backdoor)

UPDATE

Note a new domain that was set up after the post was published…. now alive

Oxford-Symposium[.]com

Share this...

Linkedin Reddit Pinterest

Share On