Researchers from Palo Alto Networks have presented data about a cyber-espionage campaign they named OilRig, targeting Saudi Arabian financial institutions and technology organizations, which appears to have taken aim at the country's defense industry as well, but at a different time last year.
The most recent waves of attacks were recorded in May 2016 and seem to have ties with a broader campaign targeting a large number of banks across the Middle East, which is using malicious Excel files and on which we reported at the start of last week.
Palo Alto, who analyzed the attacks on Saudi Arabian targets, says the crooks used two different delivery methods to deploy a backdoor named Helminth. Threat group infected targets with the Helminth backdoor trojan. First, they used the Excel-based method described last week, deploying Excel macros to deliver VBScript and PowerShell scripts, which then downloaded the Helminth backdoor trojan, and moved stolen data masked as DNS requests.
The second distribution method Palo Alto detected included delivering a Windows executable (CHM - compiled HTML file) via email ZIP attachments, which also deployed the Helminth trojan at a later stage. Both delivery methods had a common theme for the phishing emails, and that was for IT troubleshooting operations.
Palo Alto also says that some of these TTPs (Tactics Techniques & Procedures) were similar to other cyber-attacks against the Saudi Arabian defense industry from the fall of 2015, which they haven't made public until now.
Palo Alto highlights possible ties to Iran
The researchers also say they found clues in Helminth's C&C server infrastructure that led back to individuals based in Iran, who appear to have registered many of the botnet's domains. "Historical WHOIS data reveals additional findings, potentially alluding to an Iranian-based operator," Palo Alto's Robert Falcone and Bryan Lee wrote last week.
"At face value, however, taking into account the registrant information and the use of Persian language in the samples are compelling indicators that the operators may indeed be based out of Iran," the two researchers also noted, addressing worries of the domain data being easily falsified.
110 Reykjavik, Iceland