Threats Feed

The report highlights OilRig’s deployment of tools like Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT, which utilize DNS queries to communicate stealthily with C2 servers. This covert communication method is favored due to DNS's typical allowance through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding techniques to transmit data and evade detection effectively.

The adversary group, HELIX KITTEN, is employing spear-phishing attacks and using custom PowerShell implants (Helminth and ISMDoor) to target entities in the aerospace, energy, financial, government, hospitality, and telecommunications sectors. With a special focus on the Middle East, specifically Bahrain and Kuwait, the group manipulates DNS AAAA records for command and control, and exfiltrates data, captures screenshots, and executes arbitrary commands on victims' machines. Furthermore, HELIX KITTEN has begun targeting the telecommunications industry, possibly for bulk data collection and rerouting communications for future intelligence activities.

The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

Unit 42 monitored OilRig's testing of the TwoFace webshell, specifically its TwoFace++ variant, to evade detection by security tools. Analysis revealed that OilRig's developers systematically modified the webshell's loader script to reduce detection rates, ultimately achieving zero detection by altering code related to the embedded payload's update functionality. The testing involved decoding and encrypting webshell data and frequent code alterations to pinpoint and circumvent security measures. Additionally, another webshell, named DarkSeaGreenShell, was discovered during these tests.

The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.

The Iranian threat agent Greenbug registered domains similar to Israeli high-tech and cybersecurity companies, as well as a Saudi Arabian electrical equipment firm. A sample of the ISMdoor malware was submitted from Iraq on October 15, 2017, indicating the threat actor's activities. Despite these registrations, no evidence of direct targeting or impact on these companies is present. High-tech, cybersecurity, online advertising, airport security systems, web development, behavioral biometrics, artificial intelligence, data security, and autonomous driving are sectors potentially of interest to the actor.

The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.

SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (Aka OilRig). The attackers employed spear-phishing emails containing shortened URLs redirecting to spoofed domains. Victims were presented with a malicious Microsoft Office document, which executed PowerShell commands when opened, installing PupyRAT, a multi-platform remote access trojan (RAT).