A remote access Trojan (RAT) previously linked to APT groups believed to have ties to Iran has been deployed in recent attacks targeting a key organization in the European energy sector, Recorded Future’s Insikt Group reports.
The malware in question is the PupyRAT backdoor, an open-source, cross-platform, multi-function RAT and post-exploitation tool written in Python and available on GitHub. The tool has previously been used in campaigns associated with the Iranian cyberespionage groups APT33 (Elfin, Magic Hound, HOLMIUM) and COBALT GYPSY (which overlaps with APT34/OilRig), both of which are known to have been involved in attacks on the energy sector in the past.
The researchers said they have identified a PupyRAT command and control (C2) server that communicated with a mail server belonging to a European energy sector organization between late November 2019 and at least January 5, 2020. The dates indicate that this campaign started before the recent escalation of tensions between the United States and Iran.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the research team noted in their report.
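The kind of metadata-based assessment described above, as an added example that is not from Recorded Future's report: it correlates constructed outbound flow records from a mail server against a C2 watchlist and reports hit count and first/last-seen dates. All addresses, the watchlist entry and the log lines are constructed placeholders, and the `min_hits` threshold is an assumption.

```python
"""Added example (not from the Recorded Future report): correlate outbound
connection metadata from a mail server against a C2 watchlist and report
volume, repetition and first/last-seen dates, the kind of evidence the
report relies on. All addresses and log lines below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed watchlist: placeholder C2 address, not a real indicator.
C2_WATCHLIST = {"203.0.113.45": "PupyRAT C2 (placeholder)"}

# Constructed flow records: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2019-11-28T09:12:01 192.0.2.10 203.0.113.45 443 5120
2019-11-28T09:42:07 192.0.2.10 203.0.113.45 443 4980
2019-12-03T14:05:33 192.0.2.10 198.51.100.7 25 2210
2019-12-15T03:17:49 192.0.2.10 203.0.113.45 443 5300
2020-01-05T22:48:12 192.0.2.10 203.0.113.45 443 5075
2020-01-05T23:10:55 192.0.2.21 198.51.100.7 25 1800
"""

def correlate(flows: str, watchlist: dict, min_hits: int = 3) -> dict:
    """Group flows by (src, dst), keep only watchlisted destinations, and
    flag pairs whose hit count reaches min_hits (assumed threshold)."""
    buckets = defaultdict(list)
    for line in flows.splitlines():
        ts, src, dst, _dport, _nbytes = line.split()
        if dst in watchlist:
            buckets[(src, dst)].append(datetime.fromisoformat(ts))
    findings = {}
    for pair, stamps in buckets.items():
        stamps.sort()
        findings[pair] = {
            "hits": len(stamps),
            "first_seen": stamps[0].date().isoformat(),
            "last_seen": stamps[-1].date().isoformat(),
            "label": watchlist[pair[1]],
            # Metadata alone is not proof; repeated contact over weeks is
            # what raises the assessment to "likely intrusion".
            "likely_intrusion": len(stamps) >= min_hits,
        }
    return findings

if __name__ == "__main__":
    for (src, dst), f in correlate(SAMPLE_FLOWS, C2_WATCHLIST).items():
        print(f"{src} -> {dst} [{f['label']}]: {f['hits']} hits, "
              f"{f['first_seen']} .. {f['last_seen']}, "
              f"likely_intrusion={f['likely_intrusion']}")
```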
The researchers have not been able to confirm that the identified C2 server has indeed been used by either APT33 or COBALT GYPSY.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the Insikt team pointed out.
“The targeting of a key organization in the European energy sector is of particular interest given their role in the coordination of European energy resources. Iranian groups (and others) have targeted a wide variety of industries in the U.S. and Europe, with recent reporting indicating an increase in the targeting of energy sector industrial control software,” the report concludes.