Fake job listings help suspected Iranian hackers aim at targets in Lebanon

Suspected Iranian hackers have zeroed in on a target in Lebanon, according to Check Point research published Thursday. Researchers caught attackers sending an unidentified Lebanese target documents that purported to contain details about job opportunities. If accessed in certain ways, those documents would deploy malware against victims. One such document imitated Ntiva IT, a consulting firm based in Virginia, Check Point said. In order to be infected, targets would have needed to enable macros on the documents, triggering a process that launches malware every five minutes. The hackers, who Check Point suspects belong to a hacking group known as APT34 or OilRig, have been using a new backdoor to access their targets, according to the researchers. APT34, which researchers say has been operating since 2014, is believed to frequently rely on decoy job opportunities to trap targets in their campaigns. The group used LinkedIn in 2019 to go after espionage targets […]

The post Fake job listings help suspected Iranian hackers aim at targets in Lebanon appeared first on CyberScoop.

Iran-Backed APTs Collaborate on 3-Year ‘Fox Kitten’ Global Spy Campaign

APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure that could be converted to distribute destructive wiper malware.

Poison Frog Malware Samples Reveal OilRig’s Sloppiness

An analysis of a new backdoor called “Poison Frog” revealed that the OilRig threat group was sloppy in its development of the malware. Kaspersky Lab came across Poison Frog while scanning its archives using its YARA rule to hunt for new and…

Russian hackers have been mooching off existing OilRig infrastructure

Russian-linked hackers known as the Turla group have been piggybacking on Iranian hackers’ tools and infrastructure for years now to run their own attacks, according to a joint announcement Monday from the National Security Agency and the U.K.’s National Cyber Security Centre. A two-year-long investigation revealed that the Turla group, which has been linked to Russian intelligence, scanned for the presence of Iranian-built backdoors, then used them to try to gain a foothold in victim networks in at least 35 countries, largely in the Middle East, according to the NSA. This announcement again demonstrates how hackers will use other attackers’ techniques, creating the false impression that one espionage group is behind an operation when, in fact, it’s another. “Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” the NCSC’s Director of Operations, Paul Chichester, said in a statement. Turla would run its own cyber-espionage operations using […]

The post Russian hackers have been mooching off existing OilRig infrastructure appeared first on CyberScoop.

Yet another hacking group is targeting oil and gas companies, Dragos says

A previously undocumented hacking group has been targeting oil and gas companies along with telecommunications providers from Africa to Central Asia to the Middle East, the industrial cybersecurity company Dragos said Thursday. The revelation brings to five the number of groups tracked by Dragos that go after the oil and gas sector, highlighting the growing interest shown by well-resourced hackers in probing the industrial control systems (ICS) that underpin energy infrastructure. Oil and gas companies move markets and are strategic national assets, giving cyber operatives plenty of reason to scope them out. The new hacking group, which Dragos calls Hexane, has been particularly active in recent months, targeting organizations with phishing lures and malware implants. “It’s definitely stage-one activity with the intent to intrude,” Casey Brooks, senior adversary hunter at Dragos, told CyberScoop. “Whether they were successful or not, we can’t comment on that.” The far-flung activity underscores the interest that ICS-focused […]

The post Yet another hacking group is targeting oil and gas companies, Dragos says appeared first on CyberScoop.

What happens when one APT hijacks another’s infrastructure

Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources just like any others in espionage or warfare. And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked the server of OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action. “This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.” The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the […]

The post What happens when one APT hijacks another’s infrastructure appeared first on CyberScoop.

How companies – and the hackers themselves – could respond to the OilRig leak

In the last few weeks, hacking tools apparently used by a prolific Iran-linked group have been publicly leaked, exposing the hackers’ malicious code, the IP addresses of their servers, and their alleged victims. An unknown person or group began dumping the information last month via Telegram, and has since doxed alleged members of the group known to the cybersecurity community as OilRig, APT34, or Helix Kitten. Whoever is behind the Telegram channel claimed to expose the “names of the cruel managers” behind OilRig, and pointed the finger at the Iranian intelligence ministry. While the ties of those individuals to OilRig have not been confirmed, a remote-access trojan and other tools, which have since been posted to GitHub, are authentic and employed by the group, researchers tell CyberScoop. They have been used in a series of hacking campaigns in recent years that industry analysts say align with the interests of the […]

The post How companies – and the hackers themselves – could respond to the OilRig leak appeared first on CyberScoop.
