What is Earth Simnavaz (aka APT34) and what are their primary targets?

Earth Simnavaz, also known as APT34 and OilRig, is a cyber espionage group that primarily targets organizations in the energy sector, specifically those involved in oil and gas, as well as other critical infrastructure. They are known for their sophisticated tactics, techniques, and procedures (TTPs) used to gain unauthorized access to networks and exfiltrate sensitive information. Recently they have been escalating their attacks specifically against infrastructure in the Middle East region.

How does Earth Simnavaz gain initial access to victim networks?

The initial point of entry is typically through a web shell uploaded to a vulnerable web server. This web shell allows the attackers to execute PowerShell code and download or upload files, thereby establishing a foothold within the targeted network. This access is then used to download other tools such as ngrok for lateral movement and remote control.

How does Earth Simnavaz achieve privilege escalation within the compromised systems?

After gaining initial access, Earth Simnavaz exploits the CVE-2024-30088 vulnerability, which is a Windows Kernel Elevation of Privilege vulnerability. They utilize a custom-built exploit binary loaded into memory via the open-source tool Run PE-In-Memory. This allows them to run arbitrary code in the context of the SYSTEM user, effectively escalating their privileges to gain deeper control of the system.

How do they maintain persistence within compromised systems, and what is their purpose for doing so?

Earth Simnavaz uses multiple methods to maintain persistence. They use a .NET-compiled installer to create a scheduled task, leveraging an xml definition file, to execute a malicious PowerShell script. Additionally, by abusing the password filter policy, they ensure that they can capture and harvest every password from compromised machines, even after the passwords are changed. They also use tools like ngrok to create tunnels to maintain remote access. This persistent access allows them to exfiltrate data, deploy further payloads and launch additional attacks on other targets.

How does Earth Simnavaz exfiltrate the stolen credentials and data?

The group exfiltrates stolen data by leveraging compromised Microsoft Exchange servers. They use stolen domain credentials to access the Exchange server, then attach the stolen passwords as email attachments and route the emails through the legitimate Exchange infrastructure. These emails are sent to mail accounts under the attackers' control, ensuring the data is captured discreetly. The exfiltration tool, known as STEALHOOK, is the key tool for this process.

What is the significance of Earth Simnavaz using ngrok and other remote management tools?

The utilization of ngrok and other RMM tools is significant because they allow Earth Simnavaz to bypass firewalls and network security controls. These tools create secure tunnels between compromised machines and the attackers' servers, allowing for command-and-control communication, data exfiltration, and the deployment of payloads, all while avoiding easy detection. This increases the stealth and effectiveness of their attacks.

How can organizations protect themselves against threats like those posed by Earth Simnavaz?

Organizations should implement a Zero Trust architecture as a core defensive strategy. Other important mitigation strategies include: - Implementing robust SOC, EDR, and MDR (Managed Detection and Response) capabilities. - Deploying comprehensive threat intelligence to identify and respond to emerging threats. - Regularly patching vulnerabilities, specifically those used by Earth Simnavaz. - Monitoring network traffic for unusual activity including use of unusual RMM tools like ngrok. - Employing security solutions that can detect and block malicious code at various stages. - Conduct regular security awareness training for employees to recognize and avoid phishing attacks and other social engineering techniques.

Threats Feed|Earth Simnavaz|Last Updated 25/01/2025|AuthorCertfa Radar|Publish Date11/10/2024

Earth Simnavaz Targets UAE and Persian Gulf Energy Sector with Advanced Cyber Espionage

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Vulnerability Exploitation,Backdoor,Malware
Attack Complexity: Very High
Threat Risk: High Impact/High Probability

Threat Overview

Earth Simnavaz, also known as APT34 or OilRig, has been targeting governmental entities in the UAE and Gulf region, focusing on the energy sector and critical infrastructure. The group uses sophisticated tactics, including the exploitation of Microsoft Exchange servers for credential theft and privilege escalation via CVE-2024-30088. They employ custom .NET tools, PowerShell scripts, and IIS-based malware to avoid detection. Additionally, the attackers utilize ngrok for persistent access and lateral movement, and manipulate password filters to extract plain-text credentials. These credentials are used for supply chain attacks, with a focus on exfiltrating sensitive data through compromised email servers.

Reference and Credit: Trend Micro - October 2024

Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Region	United Arab Emirates	Verified
Region	Middle East Countries	High

Exploited Vulnerabilities

NIST NVD: CVE-2024-30088

Extracted IOCs

1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2
1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff
27a0e31ae16cbc6129b4321d25515b9435c35cc2fa1fc748c6f109275bee3d6c
43c83976d9b6d19c63aef8715f7929557e93102ff0271b3539ccf2ef485a01a7
54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498
6d8bdd3e087b266d493074569a85e1173246d1d71ee88eca94266b5802e28112
6e4f237ef084e400b43bc18860d9c781c851012652b558f57527cf61bee1e1ef
7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49
98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301
a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7
abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d
af979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8
b3257f0c0ef298363f89c7a61ab27a706e9e308c22f1820dc4f02dfa0f68d897
c0189edde8fa030ff4a70492ced24e325847b04dba33821cf637219d0ddff3c9
ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5
db79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91
edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

download

Tip: 17 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 17 file hash) to this threat have been found.

Overlaps

APT34APT34’s Saitama Agent: Phishing and DNS Tunneling in Jordan

Source: XJunior - June 2022

Detection (one case): 7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49

APT34Unveiling APT34’s Advanced Attack Tactics: From Excel Macros to DNS Tunneling

Source: Fortinet - May 2022

Detection (one case): 7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Frequently Asked Questions About the Earth Simnavaz Cyber Espionage Campaign:

: Earth Simnavaz, also known as APT34 and OilRig, is a cyber espionage group that primarily targets organizations in the energy sector, specifically those involved in oil and gas, as well as other critical infrastructure. They are known for their sophisticated tactics, techniques, and procedures (TTPs) used to gain unauthorized access to networks and exfiltrate sensitive information. Recently they have been escalating their attacks specifically against infrastructure in the Middle East region.
: Earth Simnavaz employs several advanced techniques, including deploying backdoors that leverage Microsoft Exchange servers for credential theft, exploiting vulnerabilities like CVE-2024-30088 for privilege escalation, and using a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to blend their malicious activity with normal network traffic. They also use a dropped password filter policy to intercept and retrieve credentials from domain users, and utilize remote monitoring and management tools like ngrok to maintain persistent control.
: The initial point of entry is typically through a web shell uploaded to a vulnerable web server. This web shell allows the attackers to execute PowerShell code and download or upload files, thereby establishing a foothold within the targeted network. This access is then used to download other tools such as ngrok for lateral movement and remote control.
: After gaining initial access, Earth Simnavaz exploits the CVE-2024-30088 vulnerability, which is a Windows Kernel Elevation of Privilege vulnerability. They utilize a custom-built exploit binary loaded into memory via the open-source tool Run PE-In-Memory. This allows them to run arbitrary code in the context of the SYSTEM user, effectively escalating their privileges to gain deeper control of the system.
: Earth Simnavaz uses multiple methods to maintain persistence. They use a .NET-compiled installer to create a scheduled task, leveraging an xml definition file, to execute a malicious PowerShell script. Additionally, by abusing the password filter policy, they ensure that they can capture and harvest every password from compromised machines, even after the passwords are changed. They also use tools like ngrok to create tunnels to maintain remote access. This persistent access allows them to exfiltrate data, deploy further payloads and launch additional attacks on other targets.
: The group exfiltrates stolen data by leveraging compromised Microsoft Exchange servers. They use stolen domain credentials to access the Exchange server, then attach the stolen passwords as email attachments and route the emails through the legitimate Exchange infrastructure. These emails are sent to mail accounts under the attackers' control, ensuring the data is captured discreetly. The exfiltration tool, known as STEALHOOK, is the key tool for this process.
: The utilization of ngrok and other RMM tools is significant because they allow Earth Simnavaz to bypass firewalls and network security controls. These tools create secure tunnels between compromised machines and the attackers' servers, allowing for command-and-control communication, data exfiltration, and the deployment of payloads, all while avoiding easy detection. This increases the stealth and effectiveness of their attacks.
: Organizations should implement a Zero Trust architecture as a core defensive strategy. Other important mitigation strategies include:
- Implementing robust SOC, EDR, and MDR (Managed Detection and Response) capabilities.
- Deploying comprehensive threat intelligence to identify and respond to emerging threats.
- Regularly patching vulnerabilities, specifically those used by Earth Simnavaz.
- Monitoring network traffic for unusual activity including use of unusual RMM tools like ngrok.
- Employing security solutions that can detect and block malicious code at various stages.
- Conduct regular security awareness training for employees to recognize and avoid phishing attacks and other social engineering techniques.

About Affiliation

Earth Simnavaz