A tool for hijacking Microsoft Exchange email accounts, allegedly from the arsenal of the OilRig APT, has been leaked online in a Telegram channel belonging to an individual who goes by the name Lab Dookhtegan. The same individual was responsible for the leak of another six hacking tools in April 2019, which cybersecurity researchers had previously linked to OilRig's operations.
The utility is called Jason and at the moment it is detected by only a few antivirus engines on VirusTotal. According to security expert Omri Segev Moyal from Minerva Labs, the tool is a GUI utility for brute-forcing Microsoft Exchange email servers using pre-compiled lists of username and password combinations. It was compiled in 2015, meaning Iranian hackers had been using the tool for at least four years in their operations.
However, while the tools leaked in April had been seen in previous OilRig campaigns, Jason is completely new to cybersecurity researchers. At the time of writing, only three antivirus solutions on VirusTotal are able to detect this threat.
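Because Jason works through credential lists against Exchange, the activity it leaves behind is a burst of failed logons from one source, either many guesses against one account or one or two guesses against many accounts. The following is an added example, not code from the article or from any of the vendors it cites, that flags both patterns over constructed W3C-style authentication log lines; the log format, IPs, usernames and thresholds are assumptions for illustration.

```python
"""Added detection example (not from the article). Flags brute-force and
password-spray patterns against an Exchange front end, plus a success that
follows them. Log format and all values below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines: date time c-ip cs-username sc-status (401 = auth failed)
SAMPLE_LOG = """\
2019-06-03 08:00:01 203.0.113.7 alice 401
2019-06-03 08:00:02 203.0.113.7 alice 401
2019-06-03 08:00:03 203.0.113.7 alice 401
2019-06-03 08:00:04 203.0.113.7 alice 401
2019-06-03 08:00:05 203.0.113.7 alice 401
2019-06-03 08:00:10 203.0.113.7 bob 401
2019-06-03 08:00:11 203.0.113.7 carol 401
2019-06-03 08:00:12 203.0.113.7 dave 401
2019-06-03 08:00:14 203.0.113.7 frank 200
2019-06-03 09:15:00 198.51.100.4 alice 401
2019-06-03 09:15:30 198.51.100.4 alice 200
"""

def parse(text):
    """Yield (timestamp, client_ip, username, status) per log line."""
    for line in text.splitlines():
        d, t, ip, user, status = line.split()
        yield datetime.fromisoformat(f"{d} {t}"), ip, user, int(status)

def detect(text, window=timedelta(minutes=5), per_user=5, distinct_users=4):
    """Return {ip: sorted findings}. 'brute_force': >= per_user failures on one
    account within window; 'password_spray': failures on >= distinct_users
    accounts within window; 'success_after_failures': a 200 from that IP
    after its first failure (a guessed credential worth checking)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, status in parse(text):
        (fails if status == 401 else successes)[ip].append((ts, user))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        kinds = set()
        for i, (ts, _) in enumerate(events):
            # sliding window: failures from this IP in the window ending at ts
            counts = defaultdict(int)
            for t, u in events[:i + 1]:
                if ts - t <= window:
                    counts[u] += 1
            if max(counts.values()) >= per_user:
                kinds.add("brute_force")
            if len(counts) >= distinct_users:
                kinds.add("password_spray")
        if kinds and any(t > events[0][0] for t, _ in successes[ip]):
            kinds.add("success_after_failures")
        if kinds:
            findings[ip] = sorted(kinds)
    return findings
```

Thresholds should be tuned per environment; a single user mistyping a password a few times (the second IP above) stays below both limits.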
OilRig, also known as APT34 and HelixKitten, is a group linked to the Iranian government and is believed to be composed of members of the Iranian Ministry of Intelligence (MOIS). The group has been active since at least 2014 and has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, with a focus on operations within the Middle East.
Currently there are seven tools associated with the OilRig group that are publicly available:
- 2 PowerShell-based backdoors: Poison Frog and Glimpse - both are versions of a tool called BondUpdater, according to Palo Alto Networks;
- 4 web shells: HyperShell and HighShell, Fox Panel, and Webmask (the DNSpionage tool);
- Jason email hijacking tool for Microsoft Exchange accounts.