Article Details
Scrape Timestamp (UTC): 2023-09-30 09:23:51.761
Source: https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html
Original Article Text
Click to Toggle View
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations. Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia. Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks. The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating that it's under continuous development. In the latest infection chain documented by Trend Micro, the lure document is used to create a scheduled task for persistence and drop an executable ("Menorah.exe") that, for its part, establishes contact with a remote server to await further instructions. The command-and-control server is currently inactive. Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity. The .NET malware, an improved version of the original C-based SideTwist implant discovered by Check Point in 2021, is armed with various features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. "The group consistently develops and enhances tools, aiming to reduce security solutions and researchers' detection," the researchers said. "Typical of APT groups, APT34 demonstrates their vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques to use per targeted organization to ensure success in intrusions, stealth, and cyber espionage."
Daily Brief Summary
Iranian-backed Advanced Persistent Threat (APT) group, OilRig, has been linked to spear-phishing campaigns that deliver a new strain of malware named Menorah, designed for cyber espionage.
Trend Micro researchers revealed that the malware can identify the specifications of the infected machine, read and upload the machine's files and download additional malicious files.
It is not immediately clear who the targets of these attacks are, but decoys used indicate that at least one is an organisation based in Saudi Arabia.
OilRig, also known under a variety of other names including APT34 and Cobalt Gypsy, specializes in covert intelligence gathering and maintaining access within targeted networks.
Recent findings suggest that OilRig is continuously developing its capabilities, with a recent phishing attack resulting in the deployment of a new variant of SideTwist malware.
The Menorah malware, which is .NET based, has various capabilities including fingerprinting the targeted host, listing directories and files, uploading selected files from the compromised system, executing shell commands, and downloading files to the system.
Given its resources and varied skill set, APT34 will likely persist in customising routines and social engineering techniques as part of its ongoing cyber espionage operations.