During the annual Cyber Security Weekend 2023 for the Middle East, Turkiye and Africa, recently held in Almaty, Kazakhstan, Kaspersky researchers announced the discovery of a series of attacks using new malware believed to have been developed by the infamous OilRig Advanced Persistent Threat (APT) group, which has been active in the Middle East and Turkiye for over a decade. The group is known for targeting high-profile government entities across the Middle East, Turkiye and Africa for cyberespionage purposes.
The OilRig APT commonly relies on social engineering and on exploiting software vulnerabilities in its victims' environments. However, Kaspersky experts noticed that the group has updated its arsenal, resorting to more persistent and stealthier ways of reaching its targets: compromising the third-party IT companies that serve them.
During an ongoing investigation that started in late 2022, Kaspersky experts found that the group executed PowerShell scripts on terminal servers at IT companies in the region to collect credentials and sensitive data about their eventual targets. The group then used the stolen information to infiltrate those targets and deploy malware that used Microsoft Exchange Web Services (EWS) for command-and-control (C2) communication and data exfiltration. The malware examined appears to be a variant of an older family used by the same threat actor.
To maintain persistent, stealthy access, the group deployed a new DLL-based password filter. Windows loads password filter DLLs into the LSASS process and passes each new password to them in cleartext whenever a local or domain account password is changed, so a malicious filter lets the attackers intercept every password change as it happens. The attackers received the updated passwords, along with other stolen data, by email sent from the victims' own mail services to attacker-controlled Protonmail and Gmail addresses.
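A password filter only takes effect if it is registered in the LSA "Notification Packages" registry value, so that value is the natural place to look for the technique described above. The following PowerShell script is an added example for this page, not code from Kaspersky or from the report; it lists every registered notification package, resolves it to the DLL that LSASS would load, checks the Authenticode signature, and flags anything outside a baseline allow-list. The allow-list of known package names is an assumption and should be adjusted to your own build baseline.

```powershell
# Added example (not from the Kaspersky report): audit the LSA "Notification Packages"
# value that Windows consults to load password filter DLLs, and flag anything unexpected.
# Run as Administrator on a domain controller (domain password changes) or on a member
# host (local password changes).
# ASSUMPTION: the allow-list below reflects a stock Windows install; extend it with any
# packages your environment legitimately uses (e.g. third-party password policy products).

$knownPackages = @('scecli', 'rassfm')

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$findings = foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

    # The registry stores the base name without extension; LSASS resolves it to a DLL
    # in System32 and loads it at boot. Inspect that file.
    $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $exists  = Test-Path -Path $dllPath
    $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
    $file    = if ($exists) { Get-Item -Path $dllPath } else { $null }

    [pscustomobject]@{
        Package   = $pkg
        Path      = $dllPath
        Exists    = $exists
        Signature = if ($sig) { $sig.Status } else { 'N/A' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'N/A' }
        LastWrite = if ($file) { $file.LastWriteTimeUtc } else { $null }
        Known     = $knownPackages -contains $pkg.ToLower()
    }
}

$findings | Format-Table -AutoSize

# Anything not on the baseline, missing from disk, or not validly signed deserves a look:
# a freshly written, unsigned DLL registered here is exactly what a rogue password filter looks like.
$suspicious = $findings | Where-Object { -not $_.Known -or $_.Signature -ne 'Valid' }
if ($suspicious) {
    Write-Warning 'Unexpected or unsigned password filter package(s) registered in LSA:'
    $suspicious | Format-Table Package, Path, Signature, Signer, LastWrite -AutoSize
} else {
    Write-Host 'Only known, validly signed notification packages are registered.'
}
```

Because a newly registered filter is only loaded into LSASS at the next boot, a one-off audit like this catches staged filters as well as active ones. For continuous coverage, put a SACL on the Lsa key and alert on Windows Security event 4657 (registry value modified), or on Sysmon event 13 for writes to the "Notification Packages" value.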
“OilRig has taken the meaning of ‘stealth mode’ to the next level with its complex and heavily modified tactics, techniques, and procedures to exploit third-party IT companies. It is evident from our investigation that third-party attacks are stealthier, agile and remain undetected in comparison to other tactics, posing a grave risk to the functioning of government entities in this region. The radical shift to infiltrate IT companies that are part of a supply chain is an indication that regional government entities are stepping up their cybersecurity game, driving APT groups to think out of the box,” said Maher Yamout, Senior Security Researcher at Kaspersky.