The Iranian state-sponsored hacking group APT34, also known as OilRig, has intensified its operations, launching new campaigns aimed at government and critical infrastructure sectors within the United Arab Emirates and the broader Gulf region. This escalation has been closely monitored by researchers at Trend Micro, who have identified a series of sophisticated tactics employed by the group.
Latest OilRig attack chain
The attack sequences initiated by OilRig typically commence with the exploitation of vulnerable web servers, allowing the group to upload a web shell. This web shell serves as a gateway for executing remote code and PowerShell commands, effectively granting the attackers a foothold within the compromised systems.
Once the web shell is operational, OilRig capitalizes on it to deploy additional malicious tools, including a component specifically designed to exploit the Windows CVE-2024-30088 vulnerability. This high-severity flaw, which Microsoft addressed in June 2024, enables attackers to escalate their privileges to the SYSTEM level, thereby gaining extensive control over the affected devices.
While Microsoft has acknowledged the existence of a proof-of-concept exploit for CVE-2024-30088, it has yet to classify the vulnerability as actively exploited on its security portal. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) has not included it in its Known Exploited Vulnerability catalog.
Following the initial breach, OilRig registers a password filter DLL, allowing the group to intercept plaintext credentials during password change events. The group then downloads and installs ‘ngrok,’ a remote monitoring and management tool that facilitates covert communications through secure tunnels.
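The password filter step leaves a concrete host artifact a defender can audit: LSA loads filter DLLs named in the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, resolving each bare name to a DLL in %SystemRoot%\System32. The PowerShell below is an added example, not code from the Trend Micro report or from the group's tooling; it assumes a stock baseline of scecli (plus rassfm on domain controllers) and flags any other entry whose DLL is missing, unsigned or not Microsoft-signed. The function and variable names are the example's own.

```powershell
# Added example (not from the Trend Micro report): audit the LSA password filter
# registration that OilRig abuses to capture plaintext passwords at change time.
# Run in an elevated PowerShell session on the host being checked.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Packages Windows registers itself. 'scecli' is present on every host;
# 'rassfm' appears on domain controllers. Anything else deserves a review.
$knownPackages = @('scecli', 'rassfm')

function Get-PasswordFilterAudit {
    param(
        [string]$Key = $lsaKey,
        [string[]]$Baseline = $knownPackages
    )

    # REG_MULTI_SZ: one module name per entry, no path and no extension.
    $packages = (Get-ItemProperty -Path $Key -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # LSA resolves the bare name against %SystemRoot%\System32.
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -LiteralPath $dllPath

        $signature = 'n/a'
        $signer    = 'n/a'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $signature = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Order matters: a baseline name is accepted before the file checks run,
        # so a tampered scecli.dll is still caught by the signature test below.
        $verdict = if (($Baseline -contains $name.ToLower()) -and $signature -eq 'Valid') { 'baseline' }
                   elseif (-not $exists)                  { 'REVIEW: registered but DLL missing' }
                   elseif ($signature -ne 'Valid')        { 'REVIEW: unsigned or invalid signature' }
                   elseif ($signer -notmatch 'Microsoft') { 'REVIEW: third-party filter not in baseline' }
                   else                                   { 'signed by Microsoft, not in baseline' }

        [pscustomobject]@{
            Package   = $name
            Path      = $dllPath
            Exists    = $exists
            Signature = $signature
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

A point-in-time audit only shows what is registered now; a filter takes effect at the next LSASS start, so the registration itself is the event worth alerting on. Sysmon Event ID 13 (registry value set) or Security Event ID 4657 with a SACL on the Lsa key will record writes to "Notification Packages", and a newly written DLL in System32 alongside such a change is the pairing to look for.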
In a notable shift in tactics, OilRig has begun exploiting on-premise Microsoft Exchange servers to pilfer credentials and exfiltrate sensitive data through legitimate email traffic, making detection significantly more challenging.
[Image: OilRig attack chain. Source: Trend Micro]
The exfiltration process is powered by a new backdoor dubbed ‘StealHook.’ According to Trend Micro, government infrastructure often serves as a pivot point, lending an air of legitimacy to the attackers’ operations. “The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments,” the report states. “Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.”
[Image: Source: Trend Micro]
Trend Micro has noted that there are code similarities between StealHook and previous backdoors used by OilRig, such as Karkoff, suggesting that the latest malware represents an evolutionary advancement rather than a completely new creation. Furthermore, this is not the first instance of OilRig utilizing Microsoft Exchange servers as a critical component of their attacks; nearly a year ago, Symantec reported that APT34 had installed a PowerShell backdoor named ‘PowerExchange’ on on-premise Exchange servers, which was capable of receiving and executing commands via email.
The group’s continued activity in the Middle East raises concerns, particularly regarding its potential affiliation with FOX Kitten, another Iran-based APT group known for ransomware attacks. While the nature of this connection remains unclear, it poses a significant risk of integrating ransomware into OilRig’s operational framework. Given that many of the targeted entities are situated within the energy sector, any operational disruptions could have far-reaching consequences for a large number of individuals.