Security researchers have uncovered a highly specialized political espionage campaign carried out by cybercriminals of Iranian origin against a Jordanian diplomat. The objective was to steal sensitive data from the victim’s computer, using advanced techniques to evade detection by security systems and real-time monitoring.
The malicious campaign, discovered by Fortinet, was attributed to the OilRig group, also known as APT34, and involved tools created specifically for this operation. It is yet another demonstration, among many, of highly specialized and carefully planned work, with probable political connections and a high potential for success.
The attack started with a fraudulent email, purporting to come from a fellow Jordanian government server, that carried an Excel file with malicious macros. The sender address, of course, was spoofed to hide the real mailbox of origin, and opening the spreadsheet dropped an executable and configuration files that also aimed at establishing persistence on the infected computer.
An unusual feature cited by Fortinet is that the email was sent at dawn, while the malware was programmed to lie dormant for eight hours before taking action. This would ensure that the victim opened the message in the morning, while the spying itself only began after working hours, at a time when the machine was left unattended by the user and by security administrators.
At the appointed time, the custom malware began communicating with command-and-control servers whose names mimicked brands such as AstraZeneca, HSBC, and Cisco to evade detection. The malware is also capable of creating a DNS tunnel to send and receive instructions; the data is encrypted, which makes the malicious traffic harder to identify, and over this channel it receives the commands that carry out the spying tasks.
Finally, the data is exfiltrated, also through an encrypted tunnel, to avoid identification and interception. The stream is further disguised as network activity logs, the kind of information routinely exchanged between computers and servers for monitoring purposes, which adds to the malware's already considerable ability to remain hidden.
Fortinet also points to the group's care in building software that leaves as few traces as possible. This is a common characteristic of OilRig, a cybercriminal group that has been linked to the Iranian government and that acts only sporadically, precisely as a way of hiding its methods and of evading analysis tools such as the one published by the security company.
The indications are of a successful data extraction and espionage operation, but the victim's name, of course, was not released. The researchers have also published indicators of compromise and other technical details that help in monitoring for the malware, in case other attacks are under way.
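From the defender's side, the DNS tunnel described above leaves a recognisable pattern in resolver logs: many long, high-entropy subdomains under a single registered domain, queried repeatedly by one client. The following Python heuristic, an added example rather than code from the Fortinet report, scores a constructed DNS query log for that pattern; the log lines and domain names are invented placeholders, and the registered-domain split (last two labels) is a simplification that assumes no public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<time> <client> <name> <qtype>".
# Domains here are placeholders invented for this example, not indicators from the report.
SAMPLE_LOG = """\
2022-05-10T02:14:01Z 10.0.0.5 www.example-intranet.local A
2022-05-10T02:14:03Z 10.0.0.5 mail.example-intranet.local A
2022-05-10T03:00:02Z 10.0.0.5 4a6f726461-6e2d646970-6c6f6d6174.update-cdn.example A
2022-05-10T03:00:03Z 10.0.0.5 b7e2f4a9c1-d83e5f6071-9a4c2b8e3d.update-cdn.example A
2022-05-10T03:00:04Z 10.0.0.5 9c1e3f5a7b-2d4e6f8091-a3b5c7d9e1.update-cdn.example TXT
2022-05-10T03:00:05Z 10.0.0.5 0b2c4d6e80-1a3c5e7f92-b4d6f8a0c2.update-cdn.example TXT
2022-05-10T03:01:10Z 10.0.0.7 cdn.example-vendor.example A
"""

def shannon_entropy(text):
    """Bits per character; encoded payload chunks score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(name):
    """Split into (registered domain, subdomain); last two labels = registered domain (simplification)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_dns_tunnels(log_text, min_sub_len=24, min_entropy=2.5, min_queries=3):
    """Flag registered domains whose subdomains look like encoded data: long,
    high-entropy, and queried repeatedly (a tunnel must send many chunks)."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # tolerate malformed lines instead of crashing the detector
        _time, client, name, qtype = fields
        domain, sub = split_name(name)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            per_domain[domain].append((client, sub, qtype))
    return {
        domain: {
            "queries": len(hits),
            "unique_subdomains": len({h[1] for h in hits}),  # tunnels rarely repeat
            "clients": sorted({h[0] for h in hits}),
            "qtypes": sorted({h[2] for h in hits}),
        }
        for domain, hits in per_domain.items() if len(hits) >= min_queries
    }
```

On the sample log only `update-cdn.example` is flagged, with four distinct encoded subdomains from one client across A and TXT queries; the ordinary intranet and vendor lookups fall below the length and entropy thresholds.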
Source: Fortinet