Latest Update: 06/02/2026

Threats Feed

  1. Public

    Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

    The OilRig group launched a spear-phishing attack on an organization within the United Arab Emirates government on August 23, 2017. The phishing email contained two malicious attachments, and also used an image hosted on an adversary-owned server to potentially track email opens. OilRig likely gained access to a user's Outlook Web Access (OWA) account within the targeted organization to send phishing emails internally. The attachments included a document with a malicious macro and a file that attempted to exploit the CVE-2017-0199 vulnerability. The ultimate payloads were the new ISMInjector tool and the ISMAgent Trojan, with infrastructure linked to previous OilRig campaigns.

  2. Public

    OilRig Campaign Resurfaces: Iranian Hackers Target Israel with Helminth Trojan

    Between April 19 and 24, 2017, several Israeli organizations, including high-tech development companies, medical entities, and educational institutions, were targeted by a politically motivated campaign attributed to the Iranian hacker group responsible for the OilRig malware campaigns. The fileless attack was delivered through compromised email accounts at Ben-Gurion University using Microsoft Word documents exploiting the CVE-2017-0199 vulnerability. The Helminth Trojan was installed as a result, bearing a striking similarity to the OilRig campaign conducted against Middle Eastern financial institutions the previous year. The threat actors exploited the gap between patch release and rollout, and active C&C servers were still operational at the time of report publication.

  3. Public

    Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks

    The Iranian threat actor OilRig, active since the end of 2015, has been implicated in a wave of cyber attacks targeting several countries, namely Israel, Turkey, Qatar, Kuwait, the UAE, Saudi Arabia, and Lebanon. In their most recent campaigns, they have used advanced strategies: setting up fake VPN portals and counterfeit websites, and signing their malware with stolen code signing certificates to give it an appearance of authenticity. This not only illustrates their high technical capability but also underscores the complexity and effectiveness of their operations. These attacks have largely targeted IT and financial institutions, causing significant concern in these sectors.

  4. Public

    OilRig Campaign: Malware Updates and Expanded Global Targets

    The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including the Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers over HTTP and DNS for command and control. Despite its lack of sophistication, the malware operates under the radar in many organizations because techniques such as DNS-based command and control are rarely monitored.
