Iranian Hackers Adopt New Methods

An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered.

The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organisations in the financial and government industries.

The group has already been observed using multiple tools and adopting new exploits quickly, as well as switching to new Trojans in recent attacks.

Nyotron now says that OilRig has used roughly 20 different tools in its latest campaign, including off-the-shelf, dual-purpose utilities and previously unseen malware.

In addition to data exfiltration, the group has been heavily focused on bypassing network-level security products to establish a foothold into targeted environments.

Since November 2017, the notorious Iran-linked threat group has been targeting various organisations in the Middle East with evolved tactics, techniques and procedures (TTPs), including the abuse of Google Drive and SmartFile for command and control (C&C) purposes, Nyotron’s report (PDF) reveals.

After compromising a targeted network (phishing emails are likely used to steal login credentials), the group downloads necessary tools from public file sharing services such as Dropbox, Degoo, Files.fm, and File.ac, and from an attacker-controlled server.

The hackers used Windows shares to transfer tools to endpoints that did not have an Internet connection or had downloads blocked by firewalls. They also used web shells to upload and execute files on compromised servers.

For the attacks, the hacker(s) built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes and which is deployed on the target systems as a file named Service.exe. The malware registers as a service to achieve persistence, receives commands from the attacker’s account on Google Drive, and sends files to it.

With no anti-virus programs in VirusTotal detecting the RAT, multiple organisations appear to have been compromised by the malware. The account used to control the malware was created in August 2015, but wasn’t used until recently.

Another tool employed in this campaign is SmartFile.exe, which includes functionality supposedly taken from a GitHub repository, but with expanded capabilities. The tool uses SmartFile as C&C and can download and upload files to the file sharing service, in addition to executing received commands.

In addition to these tools, the attackers also leveraged a scheduled task running PowerShell scripts using AutoIt to gain persistence on the targeted systems. The analysed code, Nyotron says, is almost identical to the one used in an OilRig attack back in 2016.

The security researchers also discovered two main .aspx files the attackers used to gain persistence on Internet Information Services (IIS) Web servers.

One of the files allowed the attackers to upload files to the system and was tailored to fit the folder paths of each server. A web shell was used to execute an arbitrary command on the infected machine using cmd.exe.

The OilRig hackers used a malicious IIS ISAPI filter as a covert way to execute commands on the compromised machine. They also deployed Myrtille (a tool that provides access to remote desktops and applications) onto infected machines, but haven’t used the utility yet. Additionally, they deployed rpc.exe, a Meterpreter payload, to gain persistence and support for various commands.

For privilege escalation on the compromised environments, the attackers mainly used variations of Mimikatz, but also attempted to use ProcDump to dump lsass.exe process memory.

For internal reconnaissance, the attackers used both legitimate and specially crafted tools, including Port Scanner (PS) to scan internal networks and external addresses, NBTScan to scan for open NetBIOS name servers on local or remote TCP/IP networks, and a tool to scan for EternalBlue exploitability (taken from a GitHub repository and converted to an executable using PyInstaller).

The attackers mainly used the EternalBlue exploit for lateral movement in the compromised networks. The exploits were likely taken from GitHub as well, and transformed from Python files into executables using PyInstaller. PsExec was also used to launch arbitrary commands on remote hosts in the network.
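As an added example (not code from Nyotron's report or from this article), the sketch below shows how a defender could triage process-creation events for several behaviours described above: cmd.exe launched by the IIS worker process (w3wp.exe), ProcDump run against lsass.exe, PowerShell launched by AutoIt, and the reported file names. The event field names, hosts and paths are assumptions, and the sample events are constructed.

```python
import ntpath

# File names the article attributes to this campaign. A name alone is weak
# evidence (Service.exe is generic), so that rule is reported at low severity.
REPORTED_NAMES = {"service.exe", "smartfile.exe", "rpc.exe"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def detect(event):
    """Return (rule, severity) pairs for one process-creation event."""
    parent, image = base(event.get("parent")), base(event.get("image"))
    cmdline = (event.get("cmdline") or "").lower()
    hits = []
    # Web shell behaviour: the IIS worker process starting a command shell.
    if parent == "w3wp.exe" and image == "cmd.exe":
        hits.append(("iis_worker_spawned_cmd", "high"))
    # Credential access: ProcDump pointed at the LSASS process.
    if image.startswith("procdump") and "lsass" in cmdline:
        hits.append(("procdump_on_lsass", "high"))
    # Persistence chain: AutoIt interpreter launching PowerShell.
    if parent.startswith("autoit") and image == "powershell.exe":
        hits.append(("autoit_spawned_powershell", "medium"))
    if image in REPORTED_NAMES:
        hits.append(("reported_tool_filename", "low"))
    return hits

def triage(events):
    """Flatten all hits to (host, rule, severity), most severe first."""
    findings = [(e["host"], r, s) for e in events for r, s in detect(e)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))

# Constructed sample events (hypothetical hosts and paths), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Temp\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe o.dmp"},
    {"host": "ws07", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\Service.exe", "cmdline": r"C:\ProgramData\Service.exe"},
    {"host": "ws09", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws11", "parent": r"C:\Tools\AutoIt3.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File task.ps1"},
]

if __name__ == "__main__":
    for host, rule, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host:6} {rule}")
```

The rules match on file names and parent-child relationships only, so a renamed binary passes unnoticed; they are a starting point for triage rather than complete coverage.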

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks. This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques,” Nir Gaist, founder and CTO of Nyotron, said.

Security Week
