Report: Iran-Linked Threat Group Spying on Israeli Organizations

ESET’s researchers analyzed two malicious campaigns by the APT group OilRig that targeted Israel exclusively. The group generally focuses on the wider Middle East.


Information security company ESET revealed new discoveries about an Iran-linked malicious cyber group, named OilRig. Company researchers analyzed two specific campaigns. The first, named “Outer Space,” was carried out in 2021; the second campaign, “Juicy Mix,” is from 2022.

The two malicious campaigns carried out for cyber espionage purposes were exclusively aimed at Israeli organizations, consistent with the group's focus on the Middle East, said the researchers.

Both campaigns followed the same pattern: OilRig first compromised a legitimate website and used it as a Command and Control (C&C) server, then deployed a previously undocumented backdoor on the victims' systems. The group then used a variety of post-compromise tools to gather information from the compromised systems, including Windows login credentials, browser cookies, browsing history, and passwords saved in browsers.

In the first campaign, known as Outer Space, OilRig used a simple, previously undocumented backdoor written in C#/.NET, which ESET's researchers named "Solar." Alongside it the group deployed a downloader named SampleCheck5000 (SC5k), which communicates with the attackers through Microsoft Exchange, using the Exchange Web Services (EWS) API as its C&C channel.

In the second malicious campaign, Juicy Mix, the attacker group improved upon Solar to create a more sophisticated backdoor called "Mango," with additional capabilities and code obfuscation techniques to evade detection. Both backdoors were distributed through VBS scripts, likely delivered via targeted phishing emails.

In addition to identifying and analyzing these malicious toolsets, ESET also informed Israeli cybersecurity authorities about the affected sites.

Solar's basic functionality included the ability to download and execute files and to automatically exfiltrate staged files. To operate Solar, OilRig compromised the web server of an Israeli human resources company and used it as the C&C server.

In the second campaign, Juicy Mix, OilRig replaced the Solar backdoor with the enhanced Mango backdoor. The operating methodology and much of the functionality remained the same, but ESET noted significant technical changes, in particular evasion techniques that the previous backdoor did not use.

"The purpose of this technique is to prevent endpoint security solutions from inspecting the actions that the suspicious file performs. Although this parameter was not in use in the sample we analyzed, it might be activated in future versions," explained ESET researcher Zuzana Hromcová, who analyzed both of OilRig's campaigns.

The OilRig group, also known as APT34, Lyceum, or Siamesekitten, is a cyber espionage group active since at least 2014 and believed to operate out of Iran. The group primarily targets governments in the Middle East and a wide range of industries, including chemicals, energy, finance, and telecommunications.

