Iranian Malware Delivered Via Fake Oxford University Sites

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

OilRig has been around since at least 2015 and its campaigns have been analyzed by several researchers, including from FireEye and Palo Alto Networks. The attackers have targeted organisations in Saudi Arabia, Israel, the United States, Turkey, the United Arab Emirates, Lebanon, Kuwait and Qatar, including government agencies, financial institutions and tech companies.

Recent attacks observed by researchers at ClearSky have been aimed at several Israeli organisations, including IT vendors, financial institutions and the country’s national postal service.

In some of the attacks seen by ClearSky, the threat actor set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. It’s unclear if the malicious actor compromised the affected vendors’ entire networks or just the email accounts they used to send out messages containing links to the fake VPN portal.

Once taken to the fake Juniper website, victims were instructed to install a VPN client, a legitimate piece of software from Juniper Networks bundled with Helminth, a piece of malware known to be used by OilRig.

According to researchers, these files had been signed with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. A different Helminth sample found by ClearSky was signed with a different certificate issued to the same company.

“This suggests that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network,” researchers said. “Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.”

In other OilRig attacks, the threat group registered four domain names made to look as if they belonged to Oxford University: oxford-symposia.com, oxford-careers.com, oxford.in and oxford-employee.com.

The first domain mimicked an Oxford conference registration website and instructed visitors to install a tool allegedly needed for pre-registration. The tool, also signed with an AI Squared certificate, prompts users to provide various types of personal information and generates what it claims to be a “pre-registration form.”

Users are then instructed to send the form to an email address hosted on the attackers’ second domain, oxford-careers.com. At one point, this domain was linked to oxford.in, which had stored some documents, but researchers could not determine what these files contained as they were unavailable during their analysis.

The last fake Oxford domain, oxford-employee.com, hosted a job application website and provided users with an “official” Oxford CV creator. The fake CV creator is another tool built by the attackers.
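The lookalike domains above share one trait a defender can key on: the brand name appears in the part of the domain the registrant chose (oxford-symposia, oxford-careers, oxford-employee, oxford) rather than in a domain the organisation actually owns (ox.ac.uk). The same applies to the fake Juniper VPN portal described earlier. The following is an added example, not code from ClearSky or from the article, that scans constructed proxy log lines for brand-impersonation domains. The brand list, the official-domain allowlist, the multi-label suffix set, the log format and the Juniper-style lookalike name are all assumptions for the demo; the four Oxford lookalikes are the ones reported in the article.

```python
"""Flag brand-impersonation (lookalike) domains in proxy log lines.

Added example for illustration; not ClearSky's or the article's code.
The log format, brand list and allowlist are constructed assumptions.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Two-label public suffixes we need to recognise (assumption: a real deployment
# would load the full Public Suffix List instead of this short set).
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk", "gov.uk", "com.au"}

# Brand tokens to watch, each with the registered domains that may legitimately
# carry that brand (assumed allowlist for the demo).
BRAND_ALLOWLIST = {
    "oxford": {"ox.ac.uk"},
    "juniper": {"juniper.net"},
}

# Constructed log lines: "<timestamp> <source-ip> <url>".
SAMPLE_LOG = [
    "2017-01-10T09:12:31Z 10.0.0.15 http://oxford-symposia.com/register",
    "2017-01-10T09:13:02Z 10.0.0.15 http://oxford-careers.com/",
    "2017-01-10T09:15:47Z 10.0.0.22 https://www.ox.ac.uk/admissions",
    "2017-01-10T09:16:10Z 10.0.0.31 http://oxford.in/docs/",
    "2017-01-10T09:18:55Z 10.0.0.31 http://oxford-employee.com/cv",
    "2017-01-10T09:20:03Z 10.0.0.40 https://vpn.juniper.net/",
    "2017-01-10T09:21:44Z 10.0.0.40 https://juniper-vpn-login.example/",  # constructed lookalike
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<url>\S+)$")


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    mail.oxford-careers.com -> oxford-careers.com, www.ox.ac.uk -> ox.ac.uk
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand this host appears to impersonate, or None.

    A host is suspicious when a brand token occurs in the registrant-chosen
    label of its registered domain and that domain is not on the allowlist.
    """
    reg = registered_domain(host)
    if not reg:
        return None
    chosen_label = reg.split(".")[0]
    for brand, official in BRAND_ALLOWLIST.items():
        if brand in chosen_label and reg not in official:
            return brand
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, host, brand) for every log line hitting a lookalike domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host = urlsplit(m.group("url")).hostname or ""
        brand = impersonated_brand(host)
        if brand:
            hits.append((m.group("src"), host, brand))
    return hits


if __name__ == "__main__":
    for src, host, brand in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}  (impersonates {brand})")
```

The check deliberately ignores subdomains (www., mail.) so that `vpn.juniper.net` passes while `juniper-vpn-login.example` is flagged; substring matching on the registrant-chosen label is crude, so in production it would be paired with a proper Public Suffix List lookup and a review queue rather than automatic blocking.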

In a blog post published in October, Palo Alto Networks revealed that OilRig had used an IP address mentioned in 2015 by Symantec in a report describing the activities of two Iran-based threat groups, named Cadelle and Chafer, that appeared to be linked. ClearSky has confirmed that the same IP address has been linked to both OilRig and a piece of malware used by Chafer.

While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control domains used by the group.

Source: Security Week
