Iranian Cyberspies Use New Trojan in Middle East Attacks

A cyberespionage group previously linked to Iran has been using a new Trojan in attacks aimed at entities in the Middle East, Palo Alto Networks reported on Monday.
The threat actor, known as OilRig, was recently spotted launching attacks against an organization within the government of the United Arab Emirates (UAE).
When it first discovered the group’s activities back in May 2016, Palo Alto Networks believed the attacks had been carried out by a known group, but researchers later determined that the campaign was actually the work of a new actor, which is now tracked as OilRig.
北碚区科协开展暑期青少年安全教育讲座
OilRig has been known to use a remote access trojan (RAT) named ISMDoor, which researchers also identified in attacks launched by another Iran-linked cyberspy group known as Greenbug.
In attacks seen by Palo Alto Networks in July 2017, OilRig had started using a new piece of malware dubbed “ISMAgent,” which appeared to be a variant of the ISMDoor RAT. In even more recent attacks, observed by experts in August 2017, a new injector Trojan was used by the attackers.
The new malware, tracked as “ISMInjector,” is a tool that has a sophisticated architecture and it includes anti-analysis techniques that were not previously leveraged by this group.
“The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their development efforts in order to evade detection and gain higher efficacy in their attacks,” Palo Alto Networks researchers said in a blog post.

In the attack aimed at the UAE government, hackers delivered their malware using malicious documents attached to emails with the subject line “Important Issue.” What made the emails interesting was the fact that they came from the targeted organization’s own domain. While experts initially believed that the attackers had spoofed the sender, they later determined that they actually used a compromised Outlook Web Access (OWA) account whose credentials they obtained in a previous phishing attack.
一拨又一拨的特大电信诈骗犯罪集团成员被押解回国,真是令人振奋的消息,不过相信像黑社会电影中的一样,小型的诈骗集团会晋级,大佬出狱后也会卷土重来。
The malicious documents sent to the UAE government, tracked by Palo Alto as “ThreeDollars,” delivered the new ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.
In order to make analysis of ISMInjector more difficult, the malware’s developers have relied on what researchers call “state machines” to create a new process and inject the payload into that process. Each state is responsible for conducting a particular action and it specifies the next state that should be executed.
Since the states are not executed in sequential order, researchers analyzing the malware have to jump around in the code to determine how it works, which makes it more challenging to investigate the threat. Analysis of the malware is further complicated by the use of a crypter.
Iran appears to have several cyber espionage groups, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.
Related: Attribution Hell – Cyberspies Hacking Other Cyberspies
Related: Iranian Hackers Exploit Recent Office 0-Day in Attacks
Related: Iranian Group Delivers Malware via Fake Oxford University Sites
网络安全、信息安全,最终的目的是保护业务安全,所以信息安全管理人员们,要学习和了解公司的业务流程、审计和内部控制等,方能更好地为公司做出更大的贡献。

猜您喜欢

网络信息安全小曲
防范假冒WiFi热点保护手机支付安全
网络安全法宣传片 002 国家网络安全的现状与重要性概述
RNG.Uzi:硬拿五杀会拖比赛 所以选择直接一波
BOX COOLROM
网络安全公益短片防范移动僵尸网络