27 January 2020

Iran-linked PupyRAT malware spotted in recent attacks on European energy sector

A remote access Trojan (RAT) previously linked to APT groups believed to have ties to Iran has been deployed in recent attacks targeting a key organization in the European energy sector, Recorded Future’s Insikt Group reports.

The malware in question is the PupyRAT backdoor, an open-source, cross-platform, multi-function RAT and post-exploitation tool written in Python and available on GitHub. The tool has previously been used in campaigns associated with the Iranian cyberespionage groups APT33 (Elfin, Magic Hound, HOLMIUM) and COBALT GYPSY (which overlaps with APT34/OilRig), both known to have been involved in attacks on the energy sector in the past.

The researchers said they identified a PupyRAT command and control (C2) server that communicated with a mail server of a European energy sector organization between late November 2019 and at least January 5, 2020. The dates indicate that this campaign had started before the recent escalation of tensions between the United States and Iran.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the research team noted in their report.
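The assessment quoted above rests on connection metadata alone: not the content of the traffic, but how often and how regularly a server reached out to a known C2 address. The script below, added here as an illustration and not taken from the Recorded Future report, shows one way a defender can apply that reasoning to exported connection logs. All records and the C2 address (a TEST-NET-3 placeholder, since the report does not publish the real indicator) are constructed; the thresholds for "repeated" and "regular" are assumptions to tune per environment.

```python
"""Score outbound connections to watch-listed addresses for repeated, regular
contact (beaconing). Added example; records and indicator are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder indicator: the report does not publish the C2 address, so a
# TEST-NET-3 address stands in for it here.
WATCHLIST = {"203.0.113.45": "PupyRAT C2 (placeholder)"}

# Constructed flow records: (timestamp, source host, destination IP, bytes out).
# mail01 contacts the watch-listed address every ~10 minutes; web02 hits it once;
# 198.51.100.7 is an ordinary SMTP peer and is not on the watchlist.
SAMPLE_FLOWS = [
    ("2019-11-28T02:00:05", "mail01", "203.0.113.45", 1320),
    ("2019-11-28T02:10:07", "mail01", "203.0.113.45", 1290),
    ("2019-11-28T02:20:04", "mail01", "203.0.113.45", 1350),
    ("2019-11-28T02:30:06", "mail01", "203.0.113.45", 1305),
    ("2019-11-28T02:40:05", "mail01", "203.0.113.45", 1310),
    ("2019-11-28T02:50:08", "mail01", "203.0.113.45", 1288),
    ("2019-11-28T02:03:11", "mail01", "198.51.100.7", 54000),
    ("2019-11-28T02:41:52", "mail01", "198.51.100.7", 61000),
    ("2019-11-28T02:12:00", "web02", "203.0.113.45", 900),
]


def analyse(flows, watchlist=WATCHLIST, min_hits=5, max_jitter=0.2):
    """Group flows by (src, dst) for watch-listed destinations and score each pair.

    A pair is reported as 'likely beaconing' when it has at least `min_hits`
    connections and the inter-arrival times are regular, i.e. their coefficient
    of variation (std dev / mean) is at most `max_jitter`. Every watch-listed
    contact is returned so that single hits are still visible to an analyst.
    """
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst in watchlist:
            groups[(src, dst)].append((datetime.fromisoformat(ts), nbytes))

    findings = []
    for (src, dst), events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Jitter is undefined with fewer than two gaps; treat that as "unknown".
        jitter = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            jitter = pstdev(gaps) / mean(gaps)
        regular = len(events) >= min_hits and jitter is not None and jitter <= max_jitter
        findings.append({
            "src": src,
            "dst": dst,
            "label": watchlist[dst],
            "hits": len(events),
            "bytes_out": sum(b for _, b in events),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "jitter": round(jitter, 3) if jitter is not None else None,
            "verdict": "likely beaconing" if regular else "insufficient evidence",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']} [{f['label']}]: {f['hits']} hits, "
              f"{f['bytes_out']} bytes, mean gap {f['mean_gap_s']}s, "
              f"jitter {f['jitter']}: {f['verdict']}")
```

On the constructed sample, mail01 produces six contacts about 600 seconds apart with near-zero jitter and is flagged, while web02's single contact is listed but left at "insufficient evidence", which mirrors the report's own caution that metadata supports a likelihood judgement rather than a confirmed compromise.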

The researchers have not been able to confirm that the identified C2 server was in fact used by either APT33 or COBALT GYPSY.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the Insikt team pointed out.

“The targeting of a key organization in the European energy sector is of particular interest given their role in the coordination of European energy resources. Iranian groups (and others) have targeted a wide variety of industries in the U.S. and Europe, with recent reporting indicating an increase in the targeting of energy sector industrial control software,” the report concludes.
