The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.
Also referred to as APT34, the hacking group has been active since at least 2014, mainly focused on targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.
The newly identified campaign is characterized by the use of both new malware and additional infrastructure, including the abuse of LinkedIn to deliver malicious documents. As part of the attacks, the actor pose as a member of Cambridge University to gain victims’ trust to open malicious documents.
As part of this newly observed activity, which mainly targeted energy and utilities, government, and oil and gas industries, APT34 deployed not only PowerShell-developed malware, but also Golang-based tools. The actor also was used the PICKPOCKET malware once again.
The first of the newly deployed malware is named TONEDEAF, a backdoor that communicates with a command and control (C&C) server using HTTP GET and POST requests. The malware was designed to collect system information, upload and download files, and facilitate arbitrary shell command execution.
The malware was deployed via an .xls file delivered via a LinkedIn message received from someone claiming to work at the University of Cambridge. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute.
The malware would use offlineearthquake[.]com as a potential C&C, and FireEye managed to identify two other malware families that connect to the same domain, namely VALUEVAULT and LONGWATCH. The same server would also host a variant of PICKPOCKET, a browser credential-theft tool.
LONGWATCH, which was found on the C&C under the name of WinNTProgram.exe, is a keylogger that saves all keystrokes to a log.txt file in the Window’s temp folder.
VALUEVAULT, which was identified as b.exe, is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro. Similar to the original, it can extract credentials stored in the Windows Vault and also call PowerShell to extract browser history.
PICKPOCKET, which was found on the server in both 64- and 32-bit variants, is a credential theft tool designed to dump the user’s website login credentials from Chrome, Firefox, and Internet Explorer. The tool was previously observed used in a Mandiant incident and has been solely utilized by APT34 to date.
“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” FireEye concludes.