Threats Feed
Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns
The report highlights OilRig's deployment of tools such as Helminth, ISMAgent, ALMA Communicator, BONDUPDATER and QUADAGENT, which use DNS queries to communicate covertly with C2 servers. This method is favored because DNS traffic is usually allowed through security devices that block or inspect other protocols. The group has evolved its DNS tunneling protocols over time, using custom subdomain formats and encoding schemes to carry data and evade detection.
HELIX KITTEN: Expanding Cyber Threat to Telecommunications and Middle Eastern Targets
The adversary group HELIX KITTEN conducts spear-phishing attacks and uses custom PowerShell implants (Helminth and ISMDoor) to target entities in the aerospace, energy, financial, government, hospitality and telecommunications sectors, with a particular focus on the Middle East, specifically Bahrain and Kuwait. The implants use DNS AAAA record queries for command and control, exfiltrate data, capture screenshots and execute arbitrary commands on victims' machines. HELIX KITTEN has also begun targeting the telecommunications industry, possibly for bulk data collection and rerouting of communications in support of future intelligence activities.
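Both summaries above describe DNS-based command and control: encoded data carried in subdomains in the first, and AAAA record queries in the second. As an added example, not code from Unit 42, CrowdStrike or the reports summarized here, the following Python scores a DNS query log per client and registered domain on three indicators that such tunneling leaves behind: the number of distinct subdomains queried, the mean Shannon entropy of the leftmost label, and the share of AAAA queries. The log format, the thresholds, the domain names and the two-label approximation of the registered domain are assumptions made for this example; a real deployment would use the Public Suffix List and tune thresholds against its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, not captured traffic: "timestamp client qtype qname".
# 10.0.0.7 queries six distinct hex-encoded labels under one domain, all AAAA;
# 10.0.0.5 queries a handful of ordinary hostnames and a CDN with many low-entropy labels.
SAMPLE_LOG = """\
1519900001 10.0.0.5 A www.example.com
1519900002 10.0.0.5 A cdn.example.com
1519900003 10.0.0.7 AAAA 3a2f9c1e4b7d.update.c2-example.net
1519900004 10.0.0.7 AAAA 9e8d1b0a6c5f.update.c2-example.net
1519900005 10.0.0.7 AAAA 7b6a5e4d3c2f.update.c2-example.net
1519900006 10.0.0.7 AAAA 1c0d9f8e7a6b.update.c2-example.net
1519900007 10.0.0.7 AAAA 5f4e3d2c1b0a.update.c2-example.net
1519900008 10.0.0.7 AAAA 8a7b6c5d4e3f.update.c2-example.net
1519900009 10.0.0.5 A mail.example.com
1519900010 10.0.0.5 A img1.static-example.org
1519900011 10.0.0.5 A img2.static-example.org
1519900012 10.0.0.5 A img3.static-example.org
1519900013 10.0.0.5 A img4.static-example.org
1519900014 10.0.0.5 A img5.static-example.org
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumption for the example: the
    registered domain is the last two labels; use the Public Suffix List in practice."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_unique=5, min_entropy=3.0, min_aaaa_ratio=0.8):
    """Aggregate queries per (client, registered domain) and flag tunneling-like patterns.
    Thresholds are illustrative assumptions, not values from the reports."""
    stats = defaultdict(lambda: {"queries": 0, "aaaa": 0, "subs": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qtype, qname = parts
        sub, dom = split_name(qname)
        st = stats[(client, dom)]
        st["queries"] += 1
        if qtype.upper() == "AAAA":
            st["aaaa"] += 1
        if sub:
            st["subs"].add(sub)
            st["entropies"].append(shannon_entropy(sub.split(".")[0]))

    findings = []
    for (client, dom), st in stats.items():
        uniq = len(st["subs"])
        mean_ent = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        aaaa_ratio = st["aaaa"] / st["queries"]
        reasons = []
        # Many distinct, high-entropy labels: data encoded into subdomains.
        if uniq >= min_unique and mean_ent >= min_entropy:
            reasons.append(f"{uniq} distinct high-entropy subdomains (mean entropy {mean_ent:.2f})")
        # Many distinct labels resolved almost only via AAAA: answers carrying C2 data.
        if uniq >= min_unique and aaaa_ratio >= min_aaaa_ratio:
            reasons.append(f"AAAA-heavy pattern ({aaaa_ratio:.0%} of {st['queries']} queries)")
        if reasons:
            findings.append({
                "client": client,
                "domain": dom,
                "unique_subdomains": uniq,
                "mean_entropy": round(mean_ent, 2),
                "aaaa_ratio": round(aaaa_ratio, 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: " + "; ".join(f["reasons"]))
```

Running the block flags only 10.0.0.7 against c2-example.net. The CDN under static-example.org has as many distinct labels, but names like img1 have too little entropy and resolve over A records, so it stays below both thresholds; that distinction is what keeps the two indicators from flagging ordinary high-volume domains.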
Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks
The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.
Decoding OilRig's New Cyberthreat: How OopsIE Trojan Targeted Middle East Organizations
The OilRig threat group initiated an attack targeting organizations in the Middle East through spear-phishing emails with a malicious Microsoft Word document called ThreeDollars. The document contained a new payload, OopsIE Trojan, which was delivered either directly or through the document. OilRig implemented different delivery tactics due to prior encounters with their targeted organization. They also adopted password-protected documents as an evasion tactic. The OopsIE Trojan communicated with a C2 server and executed commands provided by it.
OilRig Perfects Evasion Techniques with TwoFace Webshell
Unit 42 monitored OilRig's testing of the TwoFace webshell, specifically its TwoFace++ variant, to evade detection by security tools. Analysis revealed that OilRig's developers systematically modified the webshell's loader script to reduce detection rates, ultimately achieving zero detection by altering code related to the embedded payload's update functionality. The testing involved decoding and encrypting webshell data and frequent code alterations to pinpoint and circumvent security measures. Additionally, another webshell, named DarkSeaGreenShell, was discovered during these tests.
OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks
The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.
Potential Cyber Targets Revealed in Greenbug's Domain Registrations: Israeli and Saudi Firms in Focus
The Iranian threat group Greenbug registered domains resembling those of Israeli high-tech and cybersecurity companies, as well as a Saudi Arabian electrical equipment firm. A sample of the ISMdoor malware submitted from Iraq on October 15, 2017, indicates that the actor remains active. Despite these registrations, there is no evidence of direct targeting of, or impact on, these companies. High-tech, cybersecurity, online advertising, airport security systems, web development, behavioral biometrics, artificial intelligence, data security and autonomous driving are sectors potentially of interest to the actor.
Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play
The OilRig group launched a spear-phishing attack on an organization within the United Arab Emirates government on August 23, 2017. The phishing email contained two malicious attachments, and also used an image hosted on an adversary-owned server to potentially track email opens. OilRig likely gained access to a user's Outlook Web Access (OWA) account within the targeted organization to send phishing emails internally. The attachments included a document with a malicious macro and a file that attempted to exploit the CVE-2017-0199 vulnerability. The ultimate payloads were the new ISMInjector tool and the ISMAgent Trojan, with infrastructure linked to previous OilRig campaigns.
Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures middle eastern targets
The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.
COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign
SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017 and linked it to COBALT GYPSY (also known as OilRig). The attackers sent spear-phishing emails containing shortened URLs that redirected to spoofed domains. Victims were presented with a malicious Microsoft Office document which, when opened, executed PowerShell commands that installed PupyRAT, a multi-platform remote access trojan (RAT).
Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks
The Iranian threat group OilRig, active since the end of 2015, has been implicated in a wave of cyber attacks targeting several countries, namely Israel, Turkey, Qatar, Kuwait, the UAE, Saudi Arabia and Lebanon. In its most recent campaigns the group has set up fake VPN portals and counterfeit websites and used stolen code signing certificates to give its malware an appearance of authenticity. This demonstrates both its technical capability and the complexity and effectiveness of its operations. The attacks have largely targeted IT and financial institutions, raising significant concern in those sectors.
OilRig Campaign: Malware Updates and Expanded Global Targets
The OilRig campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including the Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers over HTTP and DNS for command and control. Despite its lack of sophistication, the malware operates under the radar in many organizations because techniques such as DNS command and control are rarely inspected.