Cybercriminals use unknown malware that uses government mail to collect data.
Cybersecurity researchers at cybersecurity company Trend Micro say Iranian APT group OilRig (APT34, Cobalt Gypsy, Europium, and Helix Kitten) continues to attack government organizations in the Middle East as part of a cyber-espionage campaign that uses a new backdoor to steal data.
The campaign uses legitimate but compromised email accounts to send stolen data to external email accounts controlled by attackers.
To send the data, a .NET based backdoor is used, which is tasked with delivering 4 different files, including the main implant ("DevicesSrv.exe") exfiltrating certain files.
The second step uses a DLL file that collects credentials for domain users and local profiles.
The most notable aspect of the backdoor is its exfiltration procedure, which involves using stolen credentials to send emails to attacker-controlled Gmail and Proton Mail email addresses. The hackers send these emails through the government's Exchange servers using compromised legitimate accounts.
Experts have linked this campaign to APT34 due to the similarity between the droppers of the first stage and the backdoor of the Saitama group, victimology and the use of Internet-facing exchange servers as a communication method, as was observed in the case of the Karkoff malware.
Despite the simplicity of the procedure, the novelty of the second and final phase also indicates that the entire procedure may be just a small part of a larger campaign aimed at governments, the researchers said.