The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.
Also referred to as APT34, the hacking group has been active since at least 2014, mainly focused on targeting organizations in the financial, government, energy, telecoms, and chemical sectors in the Middle East.
The newly identified campaign is characterized by the use of both new malware and additional infrastructure, including the abuse of LinkedIn to deliver malicious documents. As part of the attacks, the actor pose as a member of Cambridge University to gain victims’ trust to open malicious documents.
As part of this newly observed activity, which mainly targeted energy and utilities, government, and oil and gas industries, APT34 deployed not only PowerShell-developed malware, but also Golang-based tools. The actor also was used the PICKPOCKET malware once again.
The first of the newly deployed malware is named TONEDEAF, a backdoor that communicates with a command and control (C&C) server using HTTP GET and POST requests. The malware was designed to collect system information, upload and download files, and facilitate arbitrary shell command execution.
The malware was deployed via an .xls file delivered via a LinkedIn message received from someone claiming to work at the University of Cambridge. The spreadsheet created an executable file on the local system and a scheduled task to run it every minute.
The malware would use offlineearthquake[.]com as a potential C&C, and FireEye managed to identify two other malware families that connect to the same domain, namely VALUEVAULT and LONGWATCH. The same server would also host a varian ..
Support the originator by clicking the read the rest link below.
