Iranian threat agent OilRig has been targeting multiple organizations in Israel and other countries in the Middle East since the end of 2015, according to a Clear Sky report. In recent attacks, they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutions, and the Israeli Post Office.
Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites, they hosted malware that was digitally signed with a valid, likely stolen code signing certificate.
Based on VirusTotal uploads, the content of malicious documents, and known victims, other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.
Infrastructure Overlap with Cadelle and Chafer
In December 2015, Symantec published a post about “two Iran-based attack groups that appear to be connected, Cadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.”
Backdoor.Remexi, one of the malware tools in use by Chafer, had the following command and control host:
Interestingly, IP address 126.96.36.199, which serves as a command and control address for an OilRig-related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.
This suggests that the two groups may actually be the same entity, or that they share resources in one way or another.
For the complete report, visit the Clear Sky blog.