27 January 2020

Iran-linked PupyRAT malware spotted in recent attacks on European energy sector

A remote access Trojan (RAT) previously linked to APT groups believed to have ties to Iran has been deployed in recent attacks targeting a key organization in the European energy sector, Recorded Future’s Insikt Group reports.

The malware in question is PupyRAT, an open-source, cross-platform, multi-function RAT and post-exploitation tool written in Python and available on GitHub. The tool has previously been used in campaigns associated with the Iranian cyberespionage groups APT33 (also tracked as Elfin, Magic Hound and HOLMIUM) and COBALT GYPSY (which overlaps with APT34/OilRig), both of which are known to have been involved in attacks on the energy sector in the past.

The researchers said they identified a PupyRAT command and control (C2) server that communicated with a mail server belonging to a European energy sector organization between late November 2019 and at least January 5, 2020. The dates indicate that the campaign started before the recent escalation of tensions between the United States and Iran.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the research team noted in their report.

The researchers have not been able to confirm that the identified C2 server was in fact operated by either APT33 or COBALT GYPSY.
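As an added illustration (not code from the Recorded Future report, and not PupyRAT code), the script below applies the kind of test the quoted assessment describes to a constructed flow log: it collects connections from internal hosts to a known C2 address, counts them, measures the span over which they recur, and scores how regular the intervals are, since a mail server that reaches the same external host every few minutes for weeks looks like a beacon rather than a one-off misfire. The indicator address, the internal hosts and the flow records are all constructed (RFC 5737 documentation ranges), and the thresholds are assumptions chosen for the example, not values from the report.

```python
# Added example: score "high volume and repeated communications" from a host
# to a known C2 address over a flow log. All addresses and records below are
# constructed for illustration; KNOWN_C2 is not a real indicator.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed indicator set (documentation range, not a real IOC).
KNOWN_C2 = {"203.0.113.77"}

# Constructed flow records: "timestamp src dst dst_port bytes".
# 192.0.2.25 plays the mail server; 192.0.2.40 touches the C2 address once.
SAMPLE_FLOWS = """\
2019-11-28T02:00:05Z 192.0.2.25 203.0.113.77 443 1840
2019-11-28T02:10:07Z 192.0.2.25 203.0.113.77 443 1912
2019-11-28T02:12:11Z 192.0.2.40 203.0.113.77 443 640
2019-11-28T02:20:04Z 192.0.2.25 203.0.113.77 443 1877
2019-11-28T02:21:30Z 192.0.2.25 198.51.100.9 25 5120
2019-11-28T02:30:09Z 192.0.2.25 203.0.113.77 443 1903
2019-11-28T02:40:06Z 192.0.2.25 203.0.113.77 443 1850
2019-11-28T02:50:05Z 192.0.2.25 203.0.113.77 443 1866
2019-11-28T03:00:08Z 192.0.2.25 203.0.113.77 443 1899
2019-11-28T03:10:03Z 192.0.2.25 203.0.113.77 443 1842
"""


def parse_flows(text):
    """Parse the space-separated flow format used above into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), int(size)))
    return flows


def c2_contacts(flows, indicators):
    """Group timestamps of every (src, dst) pair whose dst is a known C2."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in flows:
        if dst in indicators:
            by_pair[(src, dst)].append(ts)
    return by_pair


def assess(by_pair, min_count=5, min_span=timedelta(hours=1), jitter=0.2):
    """Return per-pair findings: count, span, interval regularity, verdict.

    Thresholds are assumptions for this example: at least min_count contacts
    spread over at least min_span. Regularity is the fraction of gaps within
    +/- jitter of the median gap, a crude beaconing score (1.0 = clockwork).
    """
    findings = {}
    for pair, stamps in by_pair.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps:
            med = median(gaps)
            regular = sum(1 for g in gaps if abs(g - med) <= jitter * med) / len(gaps)
        else:
            med, regular = 0.0, 0.0
        span = stamps[-1] - stamps[0]
        verdict = ("likely intrusion"
                   if len(stamps) >= min_count and span >= min_span
                   else "insufficient")
        findings[pair] = {
            "count": len(stamps),
            "span": span,
            "median_gap_s": med,
            "regularity": regular,
            "verdict": verdict,
        }
    return findings


def analyze(text, indicators):
    """End-to-end: parse, select C2 contacts, score each talking pair."""
    return assess(c2_contacts(parse_flows(text), indicators))


if __name__ == "__main__":
    for (src, dst), f in analyze(SAMPLE_FLOWS, KNOWN_C2).items():
        print(f"{src} -> {dst}: {f['count']} contacts over {f['span']}, "
              f"median gap {f['median_gap_s']:.0f}s, regularity {f['regularity']:.2f}: "
              f"{f['verdict']}")
```

On the constructed data the mail server is flagged (eight contacts, roughly ten minutes apart, over more than an hour) while the single contact from the second host is reported but left as "insufficient"; in practice the same metadata-only caveat the researchers give applies, and a flagged pair is a trigger for host forensics on the mail server, not a confirmed compromise.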

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” Insikt team pointed out.

“The targeting of a key organization in the European energy sector is of particular interest given their role in the coordination of European energy resources. Iranian groups (and others) have targeted a wide variety of industries in the U.S. and Europe, with recent reporting indicating an increase in the targeting of energy sector industrial control software,” the report concludes.
