The Iran-linked cyber-espionage group OilRig, also known as APT34, HelixKitten and Greenbug, has launched a new phishing campaign aimed at organizations in the energy, oil and gas industries, along with government entities. The campaign was detected in June 2019 by FireEye's researchers, who said that the group was using LinkedIn to deliver new malware. As part of the attacks, the attackers posed as a researcher from Cambridge University to gain victims' trust and get them to open malicious documents.
The OilRig hacking group has been active since at least 2014, mainly targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.
According to a recent FireEye report, APT34 updated its toolset with three new malware families tracked as TONEDEAF, VALUEVAULT, and LONGWATCH. The first one is a backdoor that collects system information, can upload and download files, and is able to execute arbitrary shell commands. The backdoor communicates with a command and control (C&C) server using HTTP GET and POST requests. In the recent campaign the malware was distributed through an .xls file delivered via a LinkedIn message from someone who ostensibly worked at Cambridge University. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute.
FireEye also detected three other malware families that connect to the same domain (offlineearthquake[.]com): VALUEVAULT, LONGWATCH, and a variant of PICKPOCKET, a known browser credential-theft tool previously seen in other APT34 campaigns.
VALUEVAULT is a Golang-compiled version of the Windows Vault Password Dumper browser credential-theft tool, while LONGWATCH is a keylogger that writes keystrokes to a log.txt file in the Windows temp folder. VALUEVAULT keeps the functionality of the original tool, allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT calls Windows PowerShell to extract browser history in order to match browser passwords with visited sites.
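Two of the behaviours described above are easy to hunt for in telemetry: a scheduled task that fires every minute and runs a binary from a user-writable path, and HTTP GET/POST traffic to the domain named in the report. The triage script below is an added example (not code from the article or from FireEye); the scheduled-task records and proxy log lines are constructed samples, the task names and file paths are hypothetical, and the assumption that trigger intervals are exported as ISO 8601 durations (e.g. PT1M) is mine.

```python
import re

# Domain reported in the article, stored in its defanged form and un-defanged for matching.
C2_DOMAIN = "offlineearthquake[.]com".replace("[.]", ".")

# Constructed sample: a scheduled-task export with an ISO 8601 repetition interval (assumed format).
SCHEDULED_TASKS = [
    {"name": "EdgeUpdateCheck", "interval": "PT1H", "action": r"C:\Program Files\Edge\update.exe"},
    {"name": "Update", "interval": "PT1M", "action": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
]

# Constructed sample proxy log: "<timestamp> <method> <host> <path>" per line.
PROXY_LOG = """2019-07-01T10:00:01 GET www.example.com /index.html
2019-07-01T10:00:05 POST offlineearthquake.com /upload
2019-07-01T10:01:05 GET offlineearthquake.com /cmd"""

# Binaries launched from a user profile (e.g. %TEMP%) are a common dropper sign.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)


def interval_seconds(iso: str) -> int:
    """Convert a PTnHnMnS duration to seconds; raises ValueError on anything else."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso}")
    h, mi, s = (int(x or 0) for x in m.groups())
    return h * 3600 + mi * 60 + s


def suspicious_tasks(tasks, max_seconds: int = 60):
    """Names of tasks repeating at least once a minute whose action lives in a user-writable path."""
    return [
        t["name"]
        for t in tasks
        if interval_seconds(t["interval"]) <= max_seconds and USER_WRITABLE.match(t["action"])
    ]


def c2_hits(log_text: str, domain: str = C2_DOMAIN):
    """(timestamp, method) for every HTTP GET/POST whose host is the reported C2 domain."""
    hits = []
    for line in log_text.splitlines():
        ts, method, host, _path = line.split()
        if host.lower() == domain and method in ("GET", "POST"):
            hits.append((ts, method))
    return hits


if __name__ == "__main__":
    print("suspicious tasks:", suspicious_tasks(SCHEDULED_TASKS))
    print("C2 contacts:", c2_hits(PROXY_LOG))
```

In a real environment the task list would come from `schtasks /query /xml` or the Task Scheduler event log, and the proxy lines from your web gateway; the heuristics stay the same.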
“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” concludes the report.