Middle Eastern nations targeted by dangerous "OilRig" malware
Iranian state-sponsored threat actors are actively hunting for passwords
Iranian threat actors are on the hunt for login credentials that can grant them access to organizations and personal systems of people in the United Arab Emirates and the broader Gulf region, experts have warned.
A report from cybersecurity researchers Trend Micro claims a group called OilRig (AKA APT43, or Cobalt Gipsy) has been going after vulnerable servers that they can use to deploy web shells. These, in turn, allow them to run PowerShell and consequently - deploy malware on the servers.
The malware then abuses a vulnerability tracked as CVE-2024-30088 to escalate privileges and allow the crooks to exfiltrate sensitive information. This vulnerability, patched by Microsoft in June 2024, is described as a Windows Kernel Elevation of Privilege flaw and has a base score of 7.0 (high).
Affiliation with ransomware players
The name of the malware used in these attacks is STEALHOOK. It essentially serves as an infostealer, since its goal is to exfiltrate data to a command & control (C2) server, operated by the attackers. What’s interesting about STEALHOOK is that it blends this information with legitimate one, and sends it out via an Exchange server.
BleepingComputer points out that OilRig is a state-sponsored actor, adding the group “remains highly active” in the Middle East region, and that it seems to be affiliated with FOX Kitten, another Iran-based APT group involved in ransomware attacks.
The majority of the targets work in the energy sector, Trend Micro concluded, warning that any disruption to the operation of these firms could impact the wider population greatly.
Despite there being evidence of abuse, the US Cybersecurity and Infrastructure Agency (CISA) is yet to place CVE-2024-30088 on its Known Exploited Vulnerabilities (KEV) catalog.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.