23 July 2019

Iranian hackers abuse LinkedIn to deliver new malware


The Iran-linked cyber-espionage group OilRig, also known as APT34, HelixKitten and Greenbug, has launched a new phishing campaign aimed at organizations in the energy, oil and gas industry, along with government entities. The campaign was detected in June 2019 by FireEye’s researchers, who said that the group was using LinkedIn to deliver new malware. As part of the attacks the cybercriminals posed as a researcher from Cambridge University to gain victims’ trust and persuade them to open malicious documents.

The OilRig hacking group has been active since at least 2014, mainly targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.

According to a recent FireEye report, APT34 updated its toolset with three new malware families tracked as TONEDEAF, VALUEVAULT, and LONGWATCH. The first one is a backdoor that collects system information, can upload and download files, and is able to execute arbitrary shell commands. The backdoor communicates with a command and control (C&C) server using HTTP GET and POST requests. In the recent campaign the malware was distributed through an .xls file delivered via a LinkedIn message received from someone who ostensibly works at Cambridge University. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute.

FireEye also detected three other malware families that connect to the same domain (offlineearthquake[.]com): VALUEVAULT, LONGWATCH, and a variant of PICKPOCKET, a known browser credential-theft tool previously seen in other APT34 campaigns.

VALUEVAULT is a Golang-compiled version of the Windows Vault Password Dumper browser credential theft tool, while LONGWATCH is a keylogger that writes keystrokes to a log.txt file in the Windows temp folder. VALUEVAULT maintains the same functionality as the original tool, allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT calls Windows PowerShell to extract browser history in order to match browser passwords with visited sites.
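The three host-level indicators the report describes above (a scheduled task that re-runs a dropped executable every minute, a log.txt keylog file in the Windows temp folder, and connections to the shared offlineearthquake[.]com domain) are the kind of thing a detection team turns into rules. The following Python sweep is an added example, not code from FireEye or from this article: it runs three such rules over a constructed, simplified event stream. The `type=...|key=value` log format, the field names, the "Office parent process" heuristic for the scheduled-task rule, and the sample events are all assumptions made for the illustration, not real Sysmon output or real telemetry from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Domain named in the report (written defanged on the page as offlineearthquake[.]com).
KNOWN_C2_DOMAINS = {"offlineearthquake.com"}
# Assumption: a macro-dropped payload is scheduled from an Office process.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample events (one per line, 'key=value' fields separated by '|').
# Lines 1, 3 and 5 are the suspicious ones; 2, 4 and 6 are benign decoys.
SAMPLE_EVENTS = r"""
type=process|image=C:\Windows\System32\schtasks.exe|parent=C:\Program Files\Microsoft Office\EXCEL.EXE|cmdline=schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\u\AppData\Local\Temp\update.exe
type=process|image=C:\Windows\System32\schtasks.exe|parent=C:\Windows\explorer.exe|cmdline=schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe
type=file|image=C:\Users\u\AppData\Local\Temp\update.exe|target=C:\Users\u\AppData\Local\Temp\log.txt
type=file|image=C:\Program Files\Notepad++\notepad++.exe|target=C:\Users\u\Documents\notes.txt
type=dns|image=C:\Users\u\AppData\Local\Temp\update.exe|query=offlineearthquake.com
type=dns|image=C:\Program Files\Mozilla Firefox\firefox.exe|query=example.org
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain spaces and slashes."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Apply the three rules to one event; return the reasons that fired."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process" and basename(ev.get("image", "")) == "schtasks.exe":
        cmd = ev.get("cmdline", "").lower()
        # 'every minute' = schedule type minute with a modifier of 1
        every_minute = "/sc minute" in cmd and re.search(r"/mo\s+1(\s|$)", cmd) is not None
        office_parent = basename(ev.get("parent", "")) in OFFICE_PARENTS
        if every_minute and office_parent:
            hits.append("minute-interval scheduled task created from an Office process")
    elif kind == "file":
        target = ev.get("target", "").lower()
        if basename(target) == "log.txt" and "\\temp\\" in target:
            hits.append("log.txt written under a Temp directory (LONGWATCH-style keylog output)")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in KNOWN_C2_DOMAINS:
            hits.append("DNS query for the domain shared by the reported malware families")
    return hits


def sweep(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, acting image, reason) for every rule hit in the log."""
    findings: List[Tuple[int, str, str]] = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        for reason in check_event(ev):
            findings.append((n, basename(ev.get("image", "")), reason))
    return findings


if __name__ == "__main__":
    for n, image, reason in sweep(SAMPLE_EVENTS):
        print(f"line {n}: {image}: {reason}")
```

Each rule is deliberately narrow (exact interval, exact file name, exact domain) so that the benign decoy events do not fire; in a real deployment the scheduled-task rule would usually be broadened to any minute-interval task whose target lives in a user-writable directory, with the Office-parent condition kept as a severity booster rather than a requirement.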

“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” concludes the report.
