Iranian Hackers Adopt New Methods

Uploaded on 2018-04-10 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered.

The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organisations in the financial and government industries.

The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in recent attacks.

Nyotron now says that OilRig has used roughly 20 different tools it its latest campaign, including off-the-shelf, dual-purpose utilities and previously unseen malware.

In addition to data exfiltration, the group has been heavily focused on bypassing network-level security products to establish a foothold into targeted environments.

Since November 2017, the notorious Iran-linked threat group has been targeting various organisations in the Middle East with evolved tactics, techniques and procedures (TTPs), including the abuse of Google Drive and SmartFile for command and control (C&C) purposes, Nyotron’s report (PDF) reveals.

After compromising a targeted network (phishing emails are likely used to steal login credentials), the group downloads necessary tools from public file sharing services such as Dropbox, Degoo, Files.fm, and File.ac, and from an attacker-controlled server.

The hackers used Windows shares to transfer tools to endpoints that did not have an Internet connection or had downloads blocked by firewalls. They also used web shells to upload and execute files on compromised servers.

For the attacks, the hacker(s) built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes and which is deployed on the target systems as a file named Service.exe. The malware registers as a service to achieve persistence, receives commands from the attacker’s account on Google Drive, and sends files to it.

With no anti-virus programs in VirusTotal detecting the RAT, multiple organisations appear to have been compromised by the malware. The account used to control the malware was created in August 2015, but wasn’t used until recently.

Another tool employed in this campaign is SmartFile.exe, which includes functionality supposedly taken from a GitHub repository, but with expanded capabilities. The tool uses SmartFile as C&C and can download and upload files to the file sharing service, in addition to executing received commands.

In addition to these tools, the attackers also leveraged a scheduled task running PowerShell scripts using AutoIt to gain persistence on the targeted systems. The analysed code, Nyotron says, is almost identical to the one used in an OilRig attack back in 2016.

The security researchers also discovered two main .aspx files the attackers used to gain persistence on Internet Information Services (IIS) Web servers.

One of the files allowed the attackers to upload files to the system and was tailored to fit the folder paths of each server. A web shell was used to execute an arbitrary command on the infected machine using cmd.exe.

The OilRig hackers used a malicious IIS ISAPI filter as a covert way to execute commands on the compromised machine, and also deployed Myrtille onto infected machines (a tool that provides access to remote desktops and applications), but haven’t used the utility yet. Additionally, they deployed rpc.exe, a Meterpreter payload to gain persistence and support for various commands.

For privilege escalation on the compromised environments, the attackers mainly used variations of Mimikatz, but also attempted to use ProcDump to dump lsass.exe process memory.

For internal reconnaissance, the attackers used both legitimate and specially crafted tools, including Port Scanner (PS) to scan internal networks and external addresses, NBTScan to scan for open NETBIOS Name Servers on local or remote TCP/IP networks, and a tool to scan for EternalBlue exploitability (taken from a GitHub repository and converted to an executable using PyInstaller).

The attackers mainly used the EternalBlue exploit for lateral movement in the compromised networks. The exploits were likely taken from GitHub as well, and transformed from Python files into executables using PyInstaller. PsExec was also used to launch arbitrary commands on remote hosts in the network.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks. This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques,” Nir Gaist, founder and CTO of Nyotron, said.

Security Week

You Might Also Read: 

The Resurgent Cyber Threat From Iran:

Iran’s Cyber Capabilities:

 

« Home Working Is A Threat To Cybersecurity
Cyber Terrorism Will Be A Top Threat By 2020 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Law Enforcement Cyber Center (LECC)

Law Enforcement Cyber Center (LECC)

LECC is designed to assist police, digital forensic investigators, detectives, and prosecutors who are investigating and preventing crimes that involve technology.

Indium Software

Indium Software

Indium Software is an Independent Software Testing Company offering software testing services (including security testing) and offshore Quality Assurance solutions.

Seclab

Seclab

Seclab is an innovative player in the protection of industrial systems and critical infrastructure against sophisticated cyber attacks.

AFCON Control & Automation

AFCON Control & Automation

AFCON is a leading global provider of software solutions and services for the smart management of Control & Automation systems in the age of Digital Transformation.

SAASPASS

SAASPASS

SAASPASS is a full-stack identity and access management solution, a single product which allows you to manage all your digital and physical access needs securely and conveniently.

Cyversity

Cyversity

Cyversity's mission (formerly ICMCP) is the consistent representation of women and underrepresented minorities in the cybersecurity industry.

Securis

Securis

Securis provides organizations and agencies with the highest level of professional, ultra-secure data destruction and IT recycling.

Eclypsium

Eclypsium

Eclypsium protects organizations from the foundation of their computing infrastructure upward, controlling the risk and stopping threats inside firmware of laptops, servers, and networks.

Viria

Viria

Viria is an information and security technology solution provider that promotes digitalization in a secure way.

McCrary Institute - Auburn University

McCrary Institute - Auburn University

The McCrary Institute seeks practical solutions to real-world problems in the areas of cyber and critical infrastructure security.

Venustech

Venustech

Venustech is a leading provider of network security products, trusted security management platforms, specialized security services and solutions.

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.

AC3

AC3

AC3 is a leading secure cloud services provider, focused on turning your technology challenges into real results.

Validia

Validia

Validia is a deepfake cybersecurity service that provides proactive and reactive defense to the deepfake threat enterprises increasingly face with the rapid growth of generative AI.