
The Iranian hacking group tracked as OilRig (APT34) breached at least twelve computers belonging to a Middle Eastern government network and maintained access for eight months between February and September 2023.

OilRig is linked to Iran's Ministry of Intelligence and Security (MOIS), known for mounting attacks against the U.S., the Middle East, and Albania.

The attacks observed by Symantec's threat hunter team, part of Broadcom, were used to steal passwords and data, as well as to install a PowerShell backdoor dubbed 'PowerExchange', which accepted commands for execution via Microsoft Exchange.

PowerExchange was first documented in May 2023 in a Fortinet report attributing the backdoor to APT34, with samples retrieved from compromised systems of a government organization in the United Arab Emirates.

In the attacks seen by Symantec, the malware logs into an Exchange Server using the provided credentials and monitors incoming emails for "@@" in the subject line, which indicates the email contains a base64-encoded attachment with commands for execution.

After executing the arbitrary PowerShell commands, which typically write files or exfiltrate data, the malware moves the messages to 'Deleted Items' to minimize the likelihood of detection.

The output of the executed commands is then emailed back to the threat actors.

Using Exchange as the command channel in these attacks lets APT34's activity blend in with normal network traffic and minimizes the number of implants introduced.
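The tasking pattern described above (an "@@" subject marker, a base64-encoded command attachment, and the message being moved to Deleted Items afterwards) is something a defender can hunt for in mailbox audit data. The following added example, not code from the Symantec or Fortinet write-ups, scores a constructed, simplified export of mailbox audit events; the field names and the "MoveToDeletedItems" operation label are assumptions that must be mapped onto real Exchange audit records.

```python
# Added example, not code from the Symantec or Fortinet write-ups. It assumes a
# constructed, simplified export of mailbox audit events (fields "id", "op",
# "subject", "attachment"); real Exchange audit records need mapping first.
import base64
import re
from collections import defaultdict

# Constructed sample: a benign mail, an "@@" tasking mail later moved to
# Deleted Items, and an "@@" subject with no attachment (should not fire).
SAMPLE_EVENTS = [
    {"id": "m1", "op": "New", "subject": "Quarterly report", "attachment": ""},
    {"id": "m2", "op": "New", "subject": "@@", "attachment": "R2V0LURhdGU="},
    {"id": "m2", "op": "MoveToDeletedItems", "subject": "@@", "attachment": ""},
    {"id": "m3", "op": "New", "subject": "re: @@ budget", "attachment": ""},
]
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decodes_as_text(blob):
    """True if blob is well-formed base64 whose payload is printable text."""
    if not blob or len(blob) % 4 or not B64_RE.match(blob):
        return False
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return all(c.isprintable() or c.isspace() for c in text)

def score_events(events):
    """Return {message_id: [reasons]} for messages matching the pattern in the
    report: "@@" in the subject, a base64 text attachment, and a later move of
    the same message to Deleted Items. Two or more indicators are required."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["id"]].append(ev)
    findings = {}
    for mid, evs in by_id.items():
        reasons = []
        created = [ev for ev in evs if ev["op"] == "New"]
        if created and "@@" in created[0]["subject"]:
            reasons.append("subject contains @@ marker")
            if decodes_as_text(created[0]["attachment"]):
                reasons.append("attachment is base64-encoded text")
        if reasons and any(ev["op"] == "MoveToDeletedItems" for ev in evs):
            reasons.append("message later moved to Deleted Items")
        if len(reasons) >= 2:
            findings[mid] = reasons
    return findings
```

Requiring two indicators keeps a lone "@@" in an ordinary subject line from firing, while the Deleted Items move supplies the corroboration the report describes.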

Other tools used by APT34 in the recent campaign include:

  • Backdoor.Tokel: Executes PowerShell commands and downloads files.
  • Trojan.Dirps: Enumerates files and runs PowerShell commands.
  • Infostealer.Clipog: Steals clipboard data and captures keystrokes.
  • Mimikatz: Credentials dumper.
  • Plink: Command-line tool for PuTTY SSH client.

The attack lasted for nine months

The attacks observed by Symantec began on February 1, 2023, and involved a wide assortment of malware, tools, and malicious activity over a period of 8 months.

It started with the introduction of a PowerShell script (joper.ps1), which ran multiple times over the first week.

On February 5, the attackers compromised a second computer in the network and used a masqueraded version of Plink ('mssh.exe') to configure RDP access. On February 21, execution of the 'netstat /an' command was observed on a web server.

In April, OilRig compromised two more systems, executing unknown batch files ('p2.bat') and deploying Mimikatz to capture credentials.

In June, the hackers executed Backdoor.Tokel and PowerExchange on the breached machines, signifying the start of the main phase of the attack.

The next month, the hackers deployed Trojan.Dirps and Infostealer.Clipog, and set up SSH tunnels with Plink.

In August, the hackers performed Nessus scans for Log4j vulnerabilities, and by the end of the month, they compromised a second web server, installing Infostealer.Clipog on it.

On September 1, the attackers compromised three more computers, using certutil to download Plink onto them, and ran Wireshark commands on the second web server to capture network and USB traffic packets.

Two more computers were breached on September 5, with the Backdoor.Tokel implant executed on them.

Activity on the second web server continued until September 9, 2023, with the attackers executing an unknown PowerShell script ('joper.ps1') and mounting and unmounting network shares.

Although Symantec says it observed malicious activity on at least 12 computers on the victim's network, it has evidence that backdoors and keyloggers were deployed on dozens more.

In summary, OilRig uses a mix of tools, scripts, and techniques to expand its access and maintain persistence across multiple systems in a compromised network.

Their activities combine reconnaissance (e.g., netstat commands), lateral movement (e.g., Plink for RDP), and data exfiltration/harvesting (e.g., Mimikatz, Infostealer.Clipog), which highlights the threat group's broad-spectrum capabilities.

Symantec concludes that despite OilRig facing an existential threat in 2019 when its toolset leaked, it is clear from these lengthy attacks that the threat actors remain as active as ever.
