Iranian Hackers Adopt New Methods

Uploaded on 2018-04-10 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered.

The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organisations in the financial and government industries.

The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in recent attacks.

Nyotron now says that OilRig has used roughly 20 different tools it its latest campaign, including off-the-shelf, dual-purpose utilities and previously unseen malware.

In addition to data exfiltration, the group has been heavily focused on bypassing network-level security products to establish a foothold into targeted environments.

Since November 2017, the notorious Iran-linked threat group has been targeting various organisations in the Middle East with evolved tactics, techniques and procedures (TTPs), including the abuse of Google Drive and SmartFile for command and control (C&C) purposes, Nyotron’s report (PDF) reveals.

After compromising a targeted network (phishing emails are likely used to steal login credentials), the group downloads necessary tools from public file sharing services such as Dropbox, Degoo, Files.fm, and File.ac, and from an attacker-controlled server.

The hackers used Windows shares to transfer tools to endpoints that did not have an Internet connection or had downloads blocked by firewalls. They also used web shells to upload and execute files on compromised servers.

For the attacks, the hacker(s) built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes and which is deployed on the target systems as a file named Service.exe. The malware registers as a service to achieve persistence, receives commands from the attacker’s account on Google Drive, and sends files to it.

With no anti-virus programs in VirusTotal detecting the RAT, multiple organisations appear to have been compromised by the malware. The account used to control the malware was created in August 2015, but wasn’t used until recently.

Another tool employed in this campaign is SmartFile.exe, which includes functionality supposedly taken from a GitHub repository, but with expanded capabilities. The tool uses SmartFile as C&C and can download and upload files to the file sharing service, in addition to executing received commands.

In addition to these tools, the attackers also leveraged a scheduled task running PowerShell scripts using AutoIt to gain persistence on the targeted systems. The analysed code, Nyotron says, is almost identical to the one used in an OilRig attack back in 2016.

The security researchers also discovered two main .aspx files the attackers used to gain persistence on Internet Information Services (IIS) Web servers.

One of the files allowed the attackers to upload files to the system and was tailored to fit the folder paths of each server. A web shell was used to execute an arbitrary command on the infected machine using cmd.exe.

The OilRig hackers used a malicious IIS ISAPI filter as a covert way to execute commands on the compromised machine, and also deployed Myrtille onto infected machines (a tool that provides access to remote desktops and applications), but haven’t used the utility yet. Additionally, they deployed rpc.exe, a Meterpreter payload to gain persistence and support for various commands.

For privilege escalation on the compromised environments, the attackers mainly used variations of Mimikatz, but also attempted to use ProcDump to dump lsass.exe process memory.

For internal reconnaissance, the attackers used both legitimate and specially crafted tools, including Port Scanner (PS) to scan internal networks and external addresses, NBTScan to scan for open NETBIOS Name Servers on local or remote TCP/IP networks, and a tool to scan for EternalBlue exploitability (taken from a GitHub repository and converted to an executable using PyInstaller).

The attackers mainly used the EternalBlue exploit for lateral movement in the compromised networks. The exploits were likely taken from GitHub as well, and transformed from Python files into executables using PyInstaller. PsExec was also used to launch arbitrary commands on remote hosts in the network.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks. This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques,” Nir Gaist, founder and CTO of Nyotron, said.

Security Week

You Might Also Read: 

The Resurgent Cyber Threat From Iran:

Iran’s Cyber Capabilities:

 

« Home Working Is A Threat To Cybersecurity
Cyber Terrorism Will Be A Top Threat By 2020 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Parasoft

Parasoft

Parasoft is an independent software testing and software quality assurance tool and solution vendor.

HUB International

HUB International

HUB is one of the largest insurance brokers in the world. HUB Risk Services provides the full range of expert consulting to identify risks, reduce exposure to loss and manage claims issues.

Ensign InfoSecurity

Ensign InfoSecurity

Ensign InfoSecurity is Southeast Asia’s largest pure-play cybersecurity firm.

LightEdge Solutions

LightEdge Solutions

LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected.

Mitre ATT&CK

Mitre ATT&CK

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

RIGCERT

RIGCERT

RIGCERT provides training, audit and certification services for multiple fields including Information Security.

Base Cyber Security

Base Cyber Security

Base Cyber Security is an information and cyber security talent service provider and career specialist.

Findcourses.com

Findcourses.com

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

Privacyware

Privacyware

Privacyware's ThreatSentry combines a state-of-the-art Web Application Firewall and port-level firewall with advanced behavioral filtering to block unwanted IIS traffic and web application threats.

Cardonet

Cardonet

Cardonet is an IT Support and IT Services business offering end-to-end IT services, 24x7 IT Support to IT Consultancy, Managed IT and Cyber Security.

Oman Technology Fund (OTF)

Oman Technology Fund (OTF)

Oman Technology Fund aims to make Oman the preferred destination for emerging tech companies in the region, and an attractive and stimulating destination for venture capital.

Lucidum

Lucidum

The Lucidum platform helps you assess risk and mitigate vulnerabilities by finding and correlating data from your security tech stack.

iNovex

iNovex

iNovex is a community of innovators that work together to solve hard problems. We partner with you to meet problems head-on and push boundaries with technology solutions.

The Purple Guys

The Purple Guys

The Purple Guys offer Trouble-Free IT Support to businesses across the Central and Southern US. Safe and Secure, Rapid Response, Friendly Support that’s our Purple Promise.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.