Cybersecurity researchers at the information security company Trend Micro believe that the Iranian APT group OilRig (also tracked as APT34, Cobalt Gypsy, Europium and Helix Kitten) continues to attack government organizations in the Middle East as part of a campaign that uses a new backdoor to steal data.
The campaign uses legitimate but compromised email accounts to send the stolen data to external email accounts controlled by the attackers.
OilRig attack chain
To send the data, a .NET-based backdoor is used; it is responsible for delivering four different files, including the main implant ("Devicessrv.exe"), which exfiltrates specific files.
In the second stage, a DLL library file is used that collects the credentials of domain users and local accounts.
The most notable aspect of the backdoor is its exfiltration routine, which uses the stolen credentials to send emails to attacker-controlled Gmail and Proton Mail addresses. The attackers send these emails through the government organizations' Exchange servers using the compromised legitimate accounts.
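Because the stolen data leaves through the organization's own Exchange servers and legitimate accounts, the detection opportunity is in outbound mail telemetry rather than in the malware itself. The following added example (not from the Trend Micro report) runs a simple rule over constructed message-tracking records: it flags internal senders that relay large messages to the webmail domains named above. The column names, the internal domain "gov.example" and the size threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

# Free-webmail domains the report names as attacker-controlled drop points;
# extend with whatever your organization treats as unsanctioned external mail.
WATCHED_DOMAINS = {"gmail.com", "proton.me", "protonmail.com"}

# Constructed sample in the shape of an Exchange message-tracking export,
# trimmed to the fields the rule uses. Not real log data.
SAMPLE_LOG = """\
date-time,event-id,sender-address,recipient-address,message-subject,total-bytes
2023-09-20T08:01:12Z,SEND,alice@gov.example,bob@gov.example,Weekly report,4210
2023-09-20T08:03:45Z,SEND,alice@gov.example,drop7781@gmail.com,Re:,1834201
2023-09-20T08:04:02Z,SEND,alice@gov.example,drop7781@gmail.com,Re:,1812990
2023-09-20T08:09:30Z,SEND,carol@gov.example,friend@proton.me,lunch?,910
2023-09-20T08:15:00Z,RECEIVE,vendor@partner.example,alice@gov.example,Invoice,55000
"""

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def find_webmail_exfil(log_text, internal_domain, min_bytes=500_000):
    """Return one finding per (internal sender, watched recipient domain) pair
    that relayed outbound messages of at least min_bytes, with count and total size."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] != "SEND":
            continue  # only mail leaving the server is of interest
        if domain_of(row["sender-address"]) != internal_domain.lower():
            continue  # sender is not one of our accounts
        rcpt_domain = domain_of(row["recipient-address"])
        if rcpt_domain not in WATCHED_DOMAINS:
            continue
        size = int(row["total-bytes"])
        if size < min_bytes:
            continue  # small personal mail; the threshold is an assumed tuning value
        key = (row["sender-address"], rcpt_domain)
        totals[key]["count"] += 1
        totals[key]["bytes"] += size
    return [{"sender": s, "recipient_domain": d, **v} for (s, d), v in totals.items()]

if __name__ == "__main__":
    for finding in find_webmail_exfil(SAMPLE_LOG, "gov.example"):
        print(finding)
```

In practice the same rule should also be fed mailbox audit logs, since a compromised account may send via OWA or EWS rather than a client on the host where the implant runs.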
The researchers attributed this campaign to APT34 based on the similarity between the first-stage dropper and the Saitama backdoor, the victimology, and the use of internet-facing Exchange servers as a communication channel, as was previously observed with the Karkoff malware.
According to the researchers, despite the simplicity of the routine, the novelty of the second and final stages suggests that this whole routine may be only a small part of a larger campaign targeting the government.