Iranian APT34 ramps up attacks on UAE and Gulf Region with new tactics

The Iranian state-sponsored hacking group APT34, also known as OilRig, has intensified its cyber operations with a series of sophisticated attacks targeting government entities and critical infrastructure in the United Arab Emirates and the wider Gulf region. The new campaigns involve novel backdoors and the exploitation of both web server vulnerabilities and a recent Windows flaw, according to researchers from Trend Micro.

In its latest campaign, OilRig, which Trend Micro tracks as Earth Simnavaz, targeted Microsoft Exchange servers, exploiting the Windows privilege escalation flaw (CVE-2024-30088) to steal credentials and exfiltrate sensitive data. The flaw allows attackers to gain elevated access to compromised systems, potentially escalating privileges to the SYSTEM level. The issue was patched by Microsoft in June 2024, but it appears that OilRig is leveraging a proof-of-concept exploit to gain control over target devices.

According to Trend Micro's analysis, the attacks begin with the threat actor uploading a malicious web shell to a vulnerable server. The web shell enables the group to execute remote code and PowerShell commands on the compromised server.

Once the foothold is established, the attackers deploy additional tools to exploit the CVE-2024-30088 flaw, allowing them to elevate privileges and move laterally within the network.

OilRig's tactics also include the registration of a password filter DLL, which intercepts plaintext credentials during password change events. The group then installs the remote monitoring and management tool called 'ngrok' to establish secure, stealthy communication tunnels for exfiltrating data and maintaining persistent access.
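A password filter DLL works only because LSA loads every DLL listed in the "Notification Packages" value under the Lsa registry key and hands it the plaintext password on each change, so that list is the first place to check for this technique. The following audit script is an added example (not from the article or the Trend Micro report); the baseline list of expected packages is an assumption and should be adjusted to your own build, as is the choice to look for the DLL only in System32.

```powershell
# Added defender-side example: audit LSA password filter DLLs.
# Lists every notification package LSA will load, checks whether the
# backing DLL exists and how it is signed, and flags anything outside
# a known baseline so an unexpected entry stands out.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline for a typical Windows install; tune per environment.
$baseline = @('scecli', 'rassfm')

# REG_MULTI_SZ comes back as a string array; guard against a missing value.
$props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
$packages = @($props.'Notification Packages')

foreach ($pkg in $packages) {
    $name = $pkg.Trim()
    if ([string]::IsNullOrEmpty($name)) { continue }

    # LSA resolves bare names from System32; an absolute path is itself suspicious.
    $dllPath = if ([System.IO.Path]::IsPathRooted($name)) { $name }
               else { Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name) }

    $exists = Test-Path -LiteralPath $dllPath
    $sigStatus = 'missing'
    $signer    = ''
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $verdict = if ($baseline -contains $name.ToLower()) { 'baseline' } else { 'UNEXPECTED' }

    [pscustomobject]@{
        Package   = $name
        Verdict   = $verdict
        Path      = $dllPath
        Exists    = $exists
        Signature = $sigStatus
        Signer    = $signer
    }
}
```

Pair the registry audit with Security event ID 4614 ("A notification package has been loaded by the Security Account Manager"), which records each package LSA actually loads at boot, so a DLL that was registered and later removed still leaves a trace.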

“The primary function of the exfiltration tool (identified by Trend Micro as STEALHOOK) involves retrieving valid domain credentials from a specific location, which it then uses to access the Exchange Server for data exfiltration. The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers,” the report notes.

Trend Micro researchers have also identified links between OilRig and another Iran-based state-sponsored threat actor, tracked by cybersecurity experts as FOX Kitten, which has also previously been observed using ngrok.