Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack

September 12, 2024 at 07:18AM

Iranian state-sponsored threat actor OilRig targeted Iraqi government networks in a sophisticated cyber attack. The group, also known as APT34, employed a range of custom backdoors and a new set of malware families in the campaign. The attacks involved unique command-and-control mechanisms and aimed to execute PowerShell commands and harvest sensitive files. This highlights the deliberate efforts of Iranian actors to develop specialized command-and-control mechanisms.

Key takeaways from the report:

– The Iraqi government networks were targeted by an extensive cyber attack orchestrated by an Iranian state-sponsored threat actor known as OilRig.
– The attacks were aimed at Iraqi organizations such as the Prime Minister’s Office and the Ministry of Foreign Affairs.
– OilRig, also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten, is a cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).
– The attack involved the use of new malware families named Veaty and Spearal, which can execute PowerShell commands and harvest files.
– Unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel, were employed in this targeted campaign.
– The attack chain was initiated through deceptive files masquerading as benign documents, which then deployed Veaty and Spearal. Social engineering was likely involved in the infection pathway.
– Spearal and Veaty were found to use different methods for C2 communications, with the end goal of downloading files and executing commands.
– The campaign also featured a different XML configuration file associated with a third SSH tunneling backdoor, as well as an HTTP-based backdoor targeting Microsoft’s Internet Information Services (IIS) servers.

The report underscores the sustained and focused efforts of Iranian threat actors in the region, particularly emphasizing the deliberate development and maintenance of specialized command-and-control mechanisms.
