Iranian Malware Delivered Via Fake Oxford University Sites

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

OilRig has been around since at least 2015 and its campaigns have been analyzed by several researchers, including from FireEye and Palo Alto Networks. The attackers have targeted organisations in Saudi Arabia, Israel, the United States, Turkey, the United Arab Emirates, Lebanon, Kuwait and Qatar, including government agencies, financial institutions and tech companies.

Recent attacks observed by researchers at ClearSky have been aimed at several Israeli organisations, including IT vendors, financial institutions and the country’s national postal service.

In some of the attacks seen by ClearSky, the threat actor set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. It’s unclear if the malicious actor compromised the affected vendors’ entire networks or just the email accounts they used to send out messages containing links to the fake VPN portal.

Once taken to the fake Juniper website, victims were instructed to install a VPN client, a legitimate piece of software from Juniper Networks bundled with Helminth, a piece of malware known to be used by OilRig.

According to researchers, these files had been signed with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. A different Helminth sample found by ClearSky was signed with a different certificate issued to the same company.

“This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network,” researchers said. “Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.”

In other OilRig attacks, the threat group registered four domain names apparently belonging to Oxford University, including oxford-symposia.com, oxford-careers.com, oxford.in and oxford-employee.com.

The first domain mimicked an Oxford conference registration website and instructed visitors to install a tool allegedly needed for pre-registration. The tool, also signed with an AI Squared certificate, prompts users to provide various types of personal information and generates what it claims to be a “pre-registration form.”

Users are then instructed to send the form to an email address hosted on the attackers’ second domain, oxford-careers[.]com. At one point, this domain was linked to oxford[.]in, which had stored some documents, but researchers could not determine what these files contained as they were unavailable during their analysis.

The last fake Oxford domain, oxford-employee.com, hosted a job application website and provided users an “official” Oxford CV creator. The fake CV creator is also a tool created by the attackers.

In a blog post published in October, Palo Alto Networks revealed that OilRig had used an IP address mentioned in 2015 by Symantec in a report describing the activities of two Iran-based threat groups, named Cadelle and Chafer, that appeared to be linked. ClearSky has confirmed that the same IP address has been linked to both OilRig and a piece of malware used by Chafer.

While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control domains used by the group.

Security Week:      Destructive Cyber Attack On Saudi Kingdom:    The Growing Cyber Threat From Iran:

 

« Cyberwar: How Prepared Is Nepal?
Smart City Technology Is Growing »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

TrustedIA

TrustedIA

TrustedIA is a cyber and protective security company. Our mission is to help businesses protect themselves from disruptive events that can impact their successful operation.

Rollbar

Rollbar

Rollbar is a full-stack error monitoring platform for web and mobile applications. We help developers find and fix bugs fast. Built by developers for developers.

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

Kramer Levin

Kramer Levin

Kramer Levin is a full-service law firm with offices in New York and Paris. Practice areas include Cybersecurity, Privacy and Data Protection.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

InPhySec

InPhySec

InPhySec is a leading New Zealand information, physical and cyber security company.

GreenWorld Technologies

GreenWorld Technologies

GreenWorld has a proven track record in industry leading IT asset management, secure data destruction and remarketing.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

StackHawk

StackHawk

StackHawk is built to help dev teams ship secure code. Find and fix bugs early before they become vulnerabilities in production.

BreachLock

BreachLock

Breachlock delivers the most comprehensive Penetration Testing as a Service (PtaaS) powered by Certified Hackers and AI.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

Infostream

Infostream

Infostream is a leading integrator of Digital Transformations Solutions (DTS); Public, Private, and Hybrid Cloud; Cybersecurity; Data Integrity; DevOps, DevSecOps, and Infrastructures.

Zuul IoT

Zuul IoT

Zuul take an asset-centric approach to OT security, enabling security teams to protect the critical IIoT/IoT devices that are at the foundation of critical business functions.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.