Cybersecurity company ESET has revealed that the Iran-linked OilRig group has been deploying new malware against Israeli organizations to steal the credentials and browser data of its victims.
OilRig, also known as APT34, Lyceum, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is generally thought to be based in Iran. The group targets Middle Eastern governments as well as various sectors including chemicals, energy, finance and telecommunications.
ESET researchers examined two campaigns by the Iran-linked OilRig APT (Advanced Persistent Threat) group: Outer Space from 2021 and Juicy Mix from 2022. Both cyberespionage campaigns specifically targeted Israeli organizations, which confirms the group's focus on the Middle East, and both followed the same playbook. OilRig first compromised a legitimate website to use as a C&C server, then delivered previously undocumented backdoors to its victims, alongside post-compromise tools used mostly to exfiltrate data from the target systems. Specifically, these tools were browser-data dumpers that collect credentials, cookies and browsing history from major browsers, and a stealer that collects credentials from Windows Credential Manager.
In the Outer Space campaign, OilRig used a simple, previously undocumented C#/.NET backdoor that ESET Research calls Solar, together with a new downloader, SampleCheck5000 (or SC5k), which uses the Microsoft Office Exchange Web Services API for Command and Control communication. For the Juicy Mix campaign, the threat actors evolved Solar into the Mango backdoor, which has additional capabilities and obfuscation methods. Both backdoors were deployed by VBS droppers, presumably spread via spear-phishing emails. In addition to detecting the malicious toolkit, ESET also notified the Israeli CERT about the compromised websites.
ESET named the backdoor Solar after the astronomy-themed naming scheme it uses for its function and task names. The other new backdoor was named Mango after its internal assembly name and file name. Solar has basic functionality: among other things, it can download and execute files and automatically exfiltrate staged files. Before deploying Solar, OilRig compromised the web server of an Israeli human resources company and used it as the Command and Control server.
OilRig switched from the Solar backdoor to Mango for its Juicy Mix campaign. Mango has a similar workflow and overlapping capabilities to Solar, with some significant technical changes. ESET also discovered an unused detection evasion technique in Mango.
Zuzana Hromcova, one of the ESET researchers who analyzed OilRig's two campaigns, said: “The purpose of this technique is to prevent endpoint security solutions from loading user-mode code hooks via a DLL into the process. Although the parameter was not used in the sample we analyzed, it may be enabled in future versions.”
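The article does not say how Mango's unused switch is implemented. One documented way a Windows process can stop third-party DLLs, including the hook DLLs that many endpoint products inject, from being loaded into it is the binary signature mitigation policy (SetProcessMitigationPolicy with ProcessSignaturePolicy and the MicrosoftSignedOnly flag). Whether Mango uses that particular mechanism is an assumption here, not something the page states. The PowerShell below is an added hunting example, not ESET's or OilRig's code: it enumerates running processes and reports those that have the signature policy enforced or in audit mode, so a defender can review which of them are expected (browsers with sandboxed renderers commonly use it) and which are not.

```powershell
# Added example (not from the page, ESET or OilRig): audit which running
# processes have the Windows binary signature mitigation policy enabled.
# ASSUMPTION: this is one mechanism that blocks non-Microsoft (e.g. EDR hook)
# DLLs from loading into a process; the article does not say Mango uses it.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;

public static class MitigationNative
{
    // PROCESS_MITIGATION_POLICY enumeration value for ProcessSignaturePolicy
    public const int ProcessSignaturePolicy = 8;

    // Bit flags of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags
    public const uint MicrosoftSignedOnly      = 0x1;
    public const uint StoreSignedOnly          = 0x2;
    public const uint MitigationOptIn          = 0x4;
    public const uint AuditMicrosoftSignedOnly = 0x8;
    public const uint AuditStoreSignedOnly     = 0x10;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(
        IntPtr hProcess, int mitigationPolicy, out uint buffer, IntPtr bufferLength);
}
'@
Add-Type -TypeDefinition $nativeSource

function Get-SignaturePolicyFlags {
    param([System.Diagnostics.Process]$Process)
    $flags = [uint32]0
    try {
        # Process.Handle opens the target; protected or higher-integrity
        # processes throw here and are treated as inaccessible ($null).
        $ok = [MitigationNative]::GetProcessMitigationPolicy(
            $Process.Handle,
            [MitigationNative]::ProcessSignaturePolicy,
            [ref]$flags,
            [IntPtr]4)   # sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
        if (-not $ok) { return $null }
        return $flags
    } catch {
        return $null
    }
}

# Hits are not malicious by themselves: browsers and other sandboxing software
# legitimately use this policy. Review unfamiliar names and unsigned paths.
$report = foreach ($p in Get-Process) {
    $flags = Get-SignaturePolicyFlags -Process $p
    if ($null -eq $flags) { continue }

    $enforced = ($flags -band [MitigationNative]::MicrosoftSignedOnly) -ne 0
    $audit    = ($flags -band [MitigationNative]::AuditMicrosoftSignedOnly) -ne 0
    if ($enforced -or $audit) {
        [pscustomobject]@{
            Pid      = $p.Id
            Name     = $p.ProcessName
            Path     = $p.Path
            Enforced = $enforced
            AuditOnly = ($audit -and -not $enforced)
        }
    }
}

$report | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that most processes can be opened; processes that still cannot be opened are skipped rather than reported. The script is a triage aid, not a Mango detector: the signal is a process that is not a browser or known sandboxing product and yet refuses non-Microsoft DLLs, which is exactly the condition under which a user-mode hooking EDR would be blind to it.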