ClearSky Security discovered a new campaign conducted by the Iranian OilRig APT leveraging digitally signed malware and fake University of Oxford domains.
The OilRig hacker group is an Iran-linked APT that has been around since at least 2015.
Researchers at Palo Alto Networks have been monitoring the group for some time and have reported launched against government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey.
The name Palo Alto Networks to identify the campaign of this specific threat actor that leveraged on weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.”
Hackers signed the malicious VPN client with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. The researchers also discovered a second sample of the Helminth malware signed with another certificate.
“Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate:
Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48
This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.” states the analysis.
Researchers also discovered other attacks in which the OilRig group used four domain names apparently belonging to Oxford University (including oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).
In one case the hackers set up a fake Oxford conference registration website, when the victims visited it they were instructed to install a tool allegedly needed for pre-registration that hides a malware. Also in this case, the tool is signed with an AI Squared certificate.
In December 2015, researchers at Symantec detailed the activities of two Iran-based hacker groups, dubbed Cadelle and Chafer, that used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.
The IP address 18.104.22.168 mentioned in the Symantec report linked to the C&C infrastructure used by the Chafer group is the same used by the OilRig.
“Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host:
Interestingly, IP address 22.214.171.124, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.”