Application security, Threat Intelligence, Malware, Phishing

Iranian cyber activity on the rise with Leafminer, OilRig leading the way


Iran has once again found itself in the crosshairs of cybersecurity researchers with Palo Alto Networks Unit 42, Symantec and German intelligence all pointing accusatory fingers at Tehran over several recently revealed cyber campaigns.

Unit 42 researchers have singled out the well-known OilRig group (aka PT34, Helix Kitten) for launching multiple attacks between May and June 2018. Unit 42 said the activity involved three waves of attacks, all using a single spear phishing email designed to look as if it came from a Middle Eastern government agency.

“Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft,” Unit 42 wrote. Palo Alto Networks has previously connected OilRig to Iran.

In this case, the attackers went after an unnamed technology services provider and a separate government entity, also not named. OilRig executed a high-level of obfuscation, making it appear as if the malicious email came from the same country that was being attacked, but Unit 42 has determined the attack originated from another country, most likely using stolen credentials.

The attack involved delivering the QUADAGENT PowerShell backdoor, a tool that is also attributed to OilRig by FireEye and ClearSky Cyber Security, Unit 42 said.

The attackers behind the spear phishing campaign put in a great deal of effort to find their target's email address, as the email addresses were not easily discoverable via common search engines. To the researchers, this indicated the targets were likely part of a previously collected target list, or possibly known associates of the compromised account used to send the attack emails.

In each case, the deliverable was a portable executable file that when downloaded inserts the backdoor, builds in persistence, contacts its command-and-control server and then runs silently.

In related news, researchers at Symantec have found a new espionage campaign named Leafminer -- also apparently based out of Iran -- that has so far hit a long list of governments and businesses around the Middle East, including Iran, Saudi Arabia, Egypt, Israel and Pakistan.

“Leafminer is a highly active group, responsible for targeting a range of organizations across the Middle East. The group appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors,” Symantec wrote.

Symantec strung together several pieces of evidence to place Leafminer in Iran. A list of 809 targets was uncovered written in Farsi and in June a server was found hosting 112 files that could be accessed through a web shell planted by the attackers.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army,” Symantec wrote.

Saudi Arabia, a major enemy of Iran, has been hit the most times with 28 systems being infected. Lebanon is next with eight followed by Israel and Kuwait. The targets include the Lebanese intelligence agency and healthcare facilities in Saudi Arabia.

The initial infection paths used have been watering hole attacks using compromised web servers, finding and exploiting known vulnerabilities in the target's networks, and dictionary attacks. Symantec noted the group behind the campaign has also used phishing with malicious attachments as an attack vector.

The server in question was found to contain the Fuzzbunch framework that was part of the April 2017 Shadow Brokers leak and for which Leafminer has developed specific payloads to exploit the EternalBlue vulnerability.

Overall, Symantec found Leafminer to use readily available tools and exploits and to have the ability to create is own proprietary malware that it can use in conjunction with these better-known tools, but this led researchers to also believe the group may still be in its infancy.

“Leafminer's eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that's supported by the group's poor operational security,” Symantec wrote.

While Germany was not mentioned as a target by either Symantec or Unit 42, Horst Seehofer, that nation's interior minister, has stated Iran has been increasing attacks against his country, according to Reuters.

This information was provided in a report that stated Iranian attacks have been on the upswing since 2014, with a sharp increase last year. He also noted the number of attacks from China has dropped recently as that nation has acquired more German firms.

Seehofer brought up the idea of being able to act proactively to potential future attacks from Iran and others and that Germany may have to change its laws in order to allow for this time of action.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.