Security researchers from the information security firm ESET have revealed that Israeli organizations were targeted in two separate cyber campaigns run by the Iranian group OilRig. The campaigns, dubbed "Outer Space" and "Juicy Mix," used two previously undocumented backdoors named Solar and Mango to collect sensitive information from web browsers and Windows accounts. The backdoors were reportedly delivered through phishing emails carrying VBS droppers.
OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is a group linked to Iran's Ministry of Intelligence and Security (MOIS). Active since 2014, the group has used a variety of tools in its information-theft operations.
The Outer Space campaign, conducted in 2021, began with OilRig's compromise of an Israeli job recruitment website, which the attackers used as the command-and-control server for the Solar backdoor. Solar, written in C#/.NET, can download and execute files and collect information. It also served as a way to deploy the SampleCheck5000 (SC5K) downloader, which used the Office Exchange Web Services (EWS) API to fetch additional tools, including MKG, a tool for stealing Chrome browser data.
- Once connected to the remote server, SC5K retrieves all messages in the Drafts folder, sorts them by date, and keeps only the drafts that carry attachments.
- The loader then searches the body of each such draft for JSON data, decodes the value, decrypts it, and executes the resulting command line with cmd.exe. The command's output is processed and sent back to the operators as a new draft message.
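The draft-folder exchange described above gives defenders something concrete to hunt for in an Exchange mailbox: drafts that carry an attachment and whose body contains a JSON object with a base64-looking value. The following Python script is an added example written for this article, not ESET's or the threat actor's code. It assumes the drafts have already been exported into plain dictionaries (for instance from a mailbox export or an EWS/Graph query, which is out of scope here) and runs over a small constructed set of sample drafts.

```python
"""Hunt for draft messages shaped like SC5K's mailbox-based C2 channel.

Added example (not ESET's or OilRig's code). It assumes drafts are already
exported into plain dicts with id, date, has_attachment and body fields.
"""
import base64
import binascii
import json
import re
from datetime import datetime

# Constructed sample drafts for the demonstration; none of this is real data.
SAMPLE_DRAFTS = [
    {"id": "d1", "date": "2022-03-03T12:15:00", "has_attachment": True,
     "body": "Draft: {\"task\": \"ZWNobyBoZWxsbw==\"} please ignore"},
    # JSON with a base64 value but no attachment: outside the loader's selection
    {"id": "d2", "date": "2022-03-01T09:00:00", "has_attachment": False,
     "body": "{\"task\": \"ZWNobyBoZWxsbw==\"}"},
    {"id": "d3", "date": "2022-03-02T08:30:00", "has_attachment": True,
     "body": "Meeting notes attached, see you Monday."},
    # JSON, but the value is ordinary text rather than a base64 blob
    {"id": "d4", "date": "2022-03-04T17:45:00", "has_attachment": True,
     "body": "{\"note\": \"call HR\"}"},
]

# Flat (non-nested) JSON objects are enough for the channel shape described.
JSON_OBJECT_RE = re.compile(r"\{[^{}]*\}")
# Base64 alphabet, at least 8 characters so short ordinary words are not matched.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def select_candidate_drafts(drafts):
    """Mirror the loader's own selection: order by date, keep only drafts with attachments."""
    ordered = sorted(drafts, key=lambda d: datetime.fromisoformat(d["date"]))
    return [d for d in ordered if d["has_attachment"]]


def extract_json_objects(body):
    """Return every parseable JSON object embedded in a message body."""
    found = []
    for match in JSON_OBJECT_RE.finditer(body):
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            found.append(obj)
    return found


def is_base64_blob(value):
    """True if value is a string that strictly decodes as base64."""
    if not isinstance(value, str) or not BASE64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def flag_suspicious_drafts(drafts):
    """Return ids of drafts matching the channel shape: attachment + JSON body + base64 value."""
    flagged = []
    for draft in select_candidate_drafts(drafts):
        for obj in extract_json_objects(draft["body"]):
            if any(is_base64_blob(v) for v in obj.values()):
                flagged.append(draft["id"])
                break
    return flagged


if __name__ == "__main__":
    print(flag_suspicious_drafts(SAMPLE_DRAFTS))  # ['d1']
```

The selection step deliberately mirrors the loader's own filtering (sorted by date, attachments only) so that a hunt query looks at exactly the set of drafts the implant would act on; a draft that the script flags is a candidate for review of its attachment and of the account that created it, not proof of compromise on its own.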
The Juicy Mix campaign, conducted in 2022, used an improved version of Solar called Mango. Mango adds further capabilities and evasion techniques and collects sensitive information from web browsers and Windows accounts. Like Solar, Mango relies on complex communication methods to keep its activity covert. For its command-and-control server, the attackers again compromised a legitimate Israeli employment portal.