Thursday, May 8, 2025

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details


Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on critical infrastructure in the UAE and wider Gulf region. 

The group employs sophisticated techniques to gain unauthorized access and exfiltrate sensitive data: a new backdoor that steals credentials through on-premises Microsoft Exchange servers, exploitation of vulnerabilities such as CVE-2024-30088 for privilege escalation, and the use of tools such as ngrok for remote monitoring and control.

Attack chain

The group infiltrated networks through a web shell uploaded to a vulnerable web server, then exploited a Windows kernel vulnerability to escalate privileges and register a password filter DLL, which dropped a backdoor that exfiltrated sensitive data via the Exchange server.


The stolen data was used to conduct supply chain attacks on other government entities. The group’s overlap with FOX Kitten, which has enabled ransomware attacks, indicates a potential for further malicious activity.

Decrypted string

The threat actor initially compromised the target system by uploading a web shell to a vulnerable web server, which, acting as a remote access Trojan, facilitated various malicious activities. 

By extracting and decrypting specific values from HTTP request headers, the attacker could execute PowerShell commands, download files from the infected system, and upload new files to it. 

Outbound responses were encrypted by the web shell as well, using AES encryption and Base64 encoding to ensure that the responses were kept confidential. 

Registering the DLL with the LSA

The attackers initially exploited CVE-2024-30088 to gain SYSTEM privileges and then used a custom loader to execute a privilege escalation tool, which created a persistent task to run a PowerShell script. 

They also abused a password filter DLL to capture plaintext passwords from compromised machines, encrypting the captured passwords before exfiltrating them, which shows the effort the attackers put into evading detection and maintaining persistence in the compromised environment.
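The two persistence mechanisms described in this section, a password filter DLL registered with the LSA and a scheduled task that runs a PowerShell script, both leave host artifacts a defender can audit. The following PowerShell is an added example, not code from the Trend Micro report or from the threat actor's tooling. It assumes an elevated session on the host being checked, and the `$ExpectedPackages` baseline (the stock `scecli` and `rassfm` entries) is an assumption you should adjust to your own build if an approved filter DLL is deployed.

```powershell
# Added example: audit LSA password-filter registrations and PowerShell-launching
# scheduled tasks. Run in an elevated PowerShell session on the host under review.

# Assumed baseline of Notification Packages on a stock Windows install; adjust to
# your environment if you legitimately deploy a password filter.
$ExpectedPackages = @('scecli', 'rassfm')

function Get-LsaNotificationPackageReport {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ: one DLL base name per entry. lsass.exe loads each one from
    # System32 and calls its PasswordChangeNotify export with plaintext passwords,
    # which is exactly what a malicious password filter abuses.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in $packages) {
        $dllPath   = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists    = Test-Path -Path $dllPath
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'Missing' }
        $inBaseline = $ExpectedPackages -contains $name
        [pscustomobject]@{
            Package    = $name
            InBaseline = $inBaseline
            Path       = $dllPath
            Signature  = $sigStatus
            # Anything outside the baseline, or not validly signed, deserves a manual look.
            Suspicious = (-not $inBaseline) -or ($sigStatus -ne 'Valid')
        }
    }
}

function Get-PowerShellScheduledTaskReport {
    # Lists every scheduled task whose action launches powershell.exe or pwsh.exe,
    # the persistence pattern described in the article. Review each hit by hand;
    # legitimate maintenance tasks will also appear here.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell|pwsh') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    RunAs     = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Hidden    = $task.Settings.Hidden
                }
            }
        }
    }
}

# Usage: print both reports for the local host.
Get-LsaNotificationPackageReport   | Format-Table -AutoSize
Get-PowerShellScheduledTaskReport  | Format-Table -AutoSize -Wrap
```

A clean host normally shows only the baseline packages with a `Valid` signature, and the task report shows nothing beyond known maintenance jobs; a filter DLL that is unsigned, missing from the baseline, or a task that runs an encoded or hidden PowerShell command under a privileged account is the pattern to escalate.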

The backdoor sending emails

The exfiltration tool STEALHOOK retrieves valid domain credentials from a specific location and uses them to access the Exchange Server for data exfiltration. It steals passwords and transmits them as email attachments, using legitimate accounts to route these emails through government Exchange Servers.

The backdoor retrieves user credentials and email-sending settings from specified files, then constructs a message containing the stolen credentials and configuration data. The email is sent with a specified subject and body, with every file in a designated directory attached.

Downloading ngrok

According to Trend Micro, the Earth Simnavaz threat group has recently upgraded its toolkit to include the RMM tool ngrok, which it uses to bypass firewalls and network security controls.

Ngrok was downloaded onto a server using a PowerShell script and then executed remotely using a WMI command, which was likely used in the later stages of the attack to establish command-and-control communication, exfiltrate data, or deploy payloads. 
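Both the web shell described earlier (commands executed by the web server process) and the ngrok launch described here (a binary started remotely through WMI) show up as a process-creation event with a telling parent process. The following PowerShell hunt is an added example, not code from the Trend Micro report or from the group's tooling. It assumes Sysmon is installed with process creation (Event ID 1) logging enabled, that it runs in an elevated session, and that a renamed ngrok binary still carries `ngrok.exe` in its version-info `OriginalFileName` field, which is an assumption rather than something the article states.

```powershell
# Added example: hunt Sysmon process-creation events for (1) the IIS worker
# process spawning a shell, typical of web shell command execution, and
# (2) ngrok being started, in particular by the WMI provider host.
# Assumes Sysmon Event ID 1 logging and an elevated session.

function Get-SysmonProcessEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time             = $_.TimeCreated
            Image            = $data['Image']
            OriginalFileName = $data['OriginalFileName']
            CommandLine      = $data['CommandLine']
            ParentImage      = $data['ParentImage']
            User             = $data['User']
        }
    }
}

function Find-SuspiciousProcessLineage {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $parent = [IO.Path]::GetFileName($Event.ParentImage)
        $child  = [IO.Path]::GetFileName($Event.Image)
        $reason = $null

        # 1. IIS worker process spawning a shell: web shells run commands this way.
        if ($parent -ieq 'w3wp.exe' -and $child -imatch '^(cmd|powershell|pwsh)\.exe$') {
            $reason = 'IIS worker spawned a shell (possible web shell)'
        }
        # 2. ngrok execution. Image name catches the plain binary, OriginalFileName
        #    (assumed present) catches a renamed copy, the command line catches the
        #    tunnel syntax. A WmiPrvSE.exe parent matches the remote WMI launch.
        elseif ($child -ieq 'ngrok.exe' -or
                $Event.OriginalFileName -ieq 'ngrok.exe' -or
                $Event.CommandLine -imatch '\bngrok\b') {
            $reason = if ($parent -ieq 'WmiPrvSE.exe') { 'ngrok launched via WMI' } else { 'ngrok execution' }
        }

        if ($reason) {
            $Event | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
        }
    }
}

# Usage: review the last week of process creations on this host.
Get-SysmonProcessEvents -Days 7 |
    Find-SuspiciousProcessLineage |
    Format-Table Time, User, ParentImage, Image, CommandLine, Reason -AutoSize -Wrap
```

The parent-process check is the discriminating signal: `w3wp.exe` has no business starting `cmd.exe` or `powershell.exe` on a production Exchange or IIS host, and `WmiPrvSE.exe` launching a tunnelling binary is the remote-execution footprint the article describes. The same logic can be pointed at a central log store instead of `Get-WinEvent` once the fields are flattened the same way.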

Throughout its history, the group has been known to target governments and countries in the Middle East, and its strategies are similar to those employed by FOX Kitten.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
