Middle Eastern nations targeted by dangerous “OilRig” malware

Iranian state-sponsored threat actors are actively hunting for passwords

Iranian threat actors are on the hunt for login credentials that can grant them access to organizations and the personal systems of people in the United Arab Emirates and the broader Gulf region, experts have warned.

A report from cybersecurity researchers Trend Micro claims a group called OilRig (AKA APT43, or Cobalt Gipsy) has been going after vulnerable servers that they can use to deploy web shells. These, in turn, allow them to run PowerShell and, as a result, deploy malware on the servers.

The malware then abuses a vulnerability tracked as CVE-2024-30088 to escalate privileges and allow the crooks to exfiltrate sensitive information. This vulnerability, patched by Microsoft in June 2024, is described as a Windows Kernel Elevation of Privilege flaw and has a base score of 7.0 (high).
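The intrusion chain described above (web shell on an internet-facing server, then PowerShell launched from it) leaves a distinctive process-ancestry trace: the IIS worker process spawning a command interpreter. The following is an added detection example, not code from the article or from Trend Micro's report; it assumes Sysmon-style process-creation events flattened to `pid`/`ppid`/`image`/`cmdline` fields, and the sample events are constructed for the example.

```python
# Flag command interpreters whose process ancestry leads back to the IIS worker
# process (w3wp.exe), a common trace of web-shell execution. Added example;
# event field names are an assumption (Sysmon Event ID 1 style).

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 3120,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 5210, "ppid": 4012,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA..."},
    {"pid": 5222, "ppid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
    # Benign: a scheduled backup script, parent is not a web server worker.
    {"pid": 6001, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

WEB_SERVER_WORKERS = {"w3wp.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_web_shell_chains(events, max_depth: int = 8):
    """Return findings for interpreters descended from a web server worker.

    Each finding records the child pid, the ancestry chain from the worker
    down to the interpreter, its command line, and whether an encoded
    PowerShell command (-enc / -EncodedCommand) was used.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = [_basename(ev["image"])]
        parent = by_pid.get(ev["ppid"])
        depth = 0
        # Walk up the parent chain; stop at a worker process, a missing
        # parent, or max_depth (guards against cycles in bad data).
        while parent is not None and depth < max_depth:
            parent_name = _basename(parent["image"])
            chain.append(parent_name)
            if parent_name in WEB_SERVER_WORKERS:
                cmd = ev["cmdline"].lower()
                findings.append({
                    "pid": ev["pid"],
                    "chain": list(reversed(chain)),
                    "cmdline": ev["cmdline"],
                    "encoded": "-enc" in cmd or "-encodedcommand" in cmd,
                })
                break
            parent = by_pid.get(parent["ppid"])
            depth += 1
    return findings


if __name__ == "__main__":
    for f in find_web_shell_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])} "
              f"(encoded={f['encoded']}) {f['cmdline']}")
```

On the constructed sample this flags pids 5210 and 5222 (both descend from w3wp.exe) and leaves the backup script alone. In production the same ancestry check would be run against real EDR or Sysmon telemetry, and the worker set extended to whatever web servers the organization actually exposes.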

Affiliation with ransomware players

The name of the malware used in these attacks is STEALHOOK. It essentially serves as an infostealer, since its goal is to exfiltrate data to a command and control (C2) server operated by the attackers. What’s interesting about STEALHOOK is that it blends the stolen information with legitimate data and sends it out via an Exchange server.

BleepingComputer points out that OilRig is a state-sponsored actor, adding that the group “remains highly active” in the Middle East region, and that it seems to be affiliated with FOX Kitten, another Iran-based APT group involved in ransomware attacks.

The majority of the targets work in the energy sector, Trend Micro concluded, warning that any disruption to the operation of these firms could impact the wider population greatly.

Despite there being evidence of abuse, the US Cybersecurity and Infrastructure Agency (CISA) has yet to add CVE-2024-30088 to its Known Exploited Vulnerabilities (KEV) catalog.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.