Middle Eastern nations targeted by dangerous "OilRig" malware

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

Iranian threat actors are on the hunt for login credentials that can grant them access to organizations and personal systems of people in the United Arab Emirates and the broader Gulf region, experts have warned.

A report from cybersecurity researchers Trend Micro claims a group called OilRig (AKA APT43, or Cobalt Gipsy) has been going after vulnerable servers that they can use to deploy web shells. These, in turn, allow them to run PowerShell and consequently - deploy malware on the servers.

The malware then abuses a vulnerability tracked as CVE-2024-30088 to escalate privileges and allow the crooks to exfiltrate sensitive information. This vulnerability, patched by Microsoft in June 2024, is described as a Windows Kernel Elevation of Privilege flaw and has a base score of 7.0 (high).

Affiliation with ransomware players

The name of the malware used in these attacks is STEALHOOK. It essentially serves as an infostealer, since its goal is to exfiltrate data to a command & control (C2) server, operated by the attackers. What’s interesting about STEALHOOK is that it blends this information with legitimate one, and sends it out via an Exchange server.

BleepingComputer points out that OilRig is a state-sponsored actor, adding the group “remains highly active” in the Middle East region, and that it seems to be affiliated with FOX Kitten, another Iran-based APT group involved in ransomware attacks.

The majority of the targets work in the energy sector, Trend Micro concluded, warning that any disruption to the operation of these firms could impact the wider population greatly.

Despite there being evidence of abuse, the US Cybersecurity and Infrastructure Agency (CISA) is yet to place CVE-2024-30088 on its Known Exploited Vulnerabilities (KEV) catalog.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Red padlock open on electric circuits network dark red background
Aviation firms hit by devious new polyglot malware
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
China
Chinese hackers develop effective new hacking technique to go after business networks
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
Russia
Major Russian hacking group shifts focus to US and UK targets
Latest in Security
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Latest in News
A PC gamer celebrating, sat in a gaming chair in front of a monitor
Windows 11’s Game Bar gets a fresh coat of paint, plus a tweak to work better on handhelds – and I like the direction Microsoft’s heading in here
A business woman looking at AI on a transparent screen
Most businesses are now fully embracing AI - but aren't always protected against the risks
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
All three rumored Samsung Galaxy S25 Edge colors shown off in ‘official’ images
Cristiano Ronaldo promotional image for Fatal Fury: City of the Wolves
Yes, Cristiano Ronaldo is a playable character in Fatal Fury: City of the Wolves, and it makes more sense than you think
inZOI.
inZOI early access won't feature Denuvo DRM after all, 'we are committed to making inZOI a highly moddable game'
Buzz Lightyear Space Ranger Spin Rennovations
Disney’s giving a classic Buzz Lightyear ride a tech overhaul – here's everything you need to know