A command and control server used by the Iranian-associated group PupyRAT has been found communicating with the mail server of a European energy sector organization for the last several months.
Recorded Future’s Insikt Group reported that PupyRAT, a remote access trojan, had been chatting with the command and control server from November 2019 until about January 5, 2020. The security firm could not solidly confirm through the metadata viewed that PupyRAT had been able to compromise its target, but Insikt Group researchers believe the amount of traffic between the targeted mail server and a PupyRAT C2 is sufficient to indicate a likely intrusion.
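The inference the researchers describe, that a high and sustained volume of traffic between an internal mail server and a single external host is itself a signal of compromise even without payload visibility, can be reproduced from flow metadata. The following is an added illustration, not code from Recorded Future or from the PupyRAT project: it takes constructed flow records (day, source host, destination IP, bytes out), discards destinations inside RFC 1918 space, and flags external hosts a mail server has contacted on many distinct days across a long span. The host name, IPs and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Internal ranges we never treat as candidate C2 destinations.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_persistent_contacts(flows, min_days=7, min_span_days=30):
    """Return external destinations contacted on at least `min_days` distinct
    days spread over at least `min_span_days` calendar days.

    `flows` is an iterable of (day: date, src_host, dst_ip, bytes_out).
    The result is a list of dicts sorted by days seen, most persistent first.
    """
    days_seen = defaultdict(set)   # (src, dst) -> set of dates with traffic
    bytes_out = defaultdict(int)   # (src, dst) -> total bytes leaving
    for day, src, dst, nbytes in flows:
        if is_internal(dst):
            continue
        days_seen[(src, dst)].add(day)
        bytes_out[(src, dst)] += nbytes

    flagged = []
    for (src, dst), days in days_seen.items():
        span = (max(days) - min(days)).days + 1   # inclusive calendar span
        if len(days) >= min_days and span >= min_span_days:
            flagged.append({
                "src": src,
                "dst": dst,
                "days_seen": len(days),
                "span_days": span,
                "first_seen": min(days),
                "last_seen": max(days),
                "bytes_out": bytes_out[(src, dst)],
            })
    return sorted(flagged, key=lambda r: r["days_seen"], reverse=True)


def build_sample_flows():
    """Constructed sample data (not real observations): a mail server
    reaching one external host every third day from 1 Nov 2019 to 5 Jan 2020,
    plus a short-lived benign contact and some internal traffic."""
    flows = []
    day, end = date(2019, 11, 1), date(2020, 1, 5)
    while day <= end:
        flows.append((day, "mx01", "203.0.113.45", 4096))   # assumed C2 IP
        day += timedelta(days=3)
    for k in range(3):                                       # three-day blip
        flows.append((date(2019, 12, 1) + timedelta(days=k), "mx01",
                      "198.51.100.10", 1500))
    for k in range(40):                                      # internal relay
        flows.append((date(2019, 11, 1) + timedelta(days=k), "mx01",
                      "10.20.0.5", 250000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for hit in flag_persistent_contacts(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['days_seen']} days over "
              f"{hit['span_days']}-day span, {hit['bytes_out']} bytes out "
              f"({hit['first_seen']} to {hit['last_seen']})")
```

The internal relay generates far more bytes than the suspicious host, which is why the check keys on distinct days and span rather than raw volume: a low-and-slow beacon that survives for two months is what distinguishes C2 from a busy but legitimate peer.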
PupyRAT is an open-source malware generally used by organizations as a “red team” tool, but Insikt Group noted it has previously been used by Iranian groups, including APT33 and Cobalt Gypsy.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the report said.
The researchers pointed out that PupyRAT’s possible intrusion of the mail server predated the recent tensions that have arisen between the United States and Iran, indicating the activity is likely part of an ongoing cyberespionage campaign aimed at the European energy sector.