Cyber Security News

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz (Trend Micro's name for the Iranian state-sponsored espionage group more widely tracked as OilRig or APT34) has recently intensified its attacks on critical infrastructure in the UAE and the wider Gulf region.

The group combines custom and public tooling to gain access and exfiltrate sensitive data: a new backdoor that steals credentials and sends them out through on-premises Microsoft Exchange servers, an exploit for CVE-2024-30088 (a Windows Kernel elevation-of-privilege flaw patched in June 2024) to escalate privileges, and the tunneling tool ngrok for remote access that needs no inbound firewall rule.

Attack chain

The intrusion began with a web shell uploaded to a vulnerable web server. From there the attackers exploited a Windows Kernel vulnerability to escalate to SYSTEM, registered a password filter DLL with the Local Security Authority (LSA) so that every password change on the host was handed to them in plaintext, and deployed a backdoor that exfiltrated the captured data through the Exchange server.

The stolen credentials were then used to mount supply chain attacks on other government entities. The group's overlap with FOX Kitten, whose access has enabled ransomware attacks, indicates a potential for further malicious activity.

Figure: Decrypted string

The threat actor first compromised the target by uploading a web shell to a vulnerable web server; the shell functioned as a remote access tool through which the rest of the intrusion was run.

By extracting and decrypting specific values from HTTP request headers, the attacker could execute PowerShell commands, download files from the infected system, and upload new files to it. 

Responses were protected the same way: the web shell AES-encrypted its output and Base64-encoded it before returning it in the HTTP response, so neither commands nor results appeared in cleartext in the HTTP traffic.
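To make that channel concrete, the following is an added example and not code from the Trend Micro report or from the attackers' web shell. It reproduces the traffic shape (a command AES-encrypted and Base64-encoded in a request header, the reply returned the same way) and a heuristic a defender can run over header values captured by a proxy, WAF or IIS custom-field logging. The header name X-Session, AES-256-CBC with a prepended IV, and the demo key are assumptions, since the article does not give them.

```powershell
# Added example (not the attackers' code): models an encrypted-header command channel
# and a simple detector for it. Assumed: AES-256-CBC, PKCS7 padding, 16-byte IV
# prepended to the ciphertext, header name 'X-Session'. The key below is constructed.
$SharedKey = [byte[]](0..31)

function Protect-Blob {
    param([string]$Plain, [byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key                      # 32-byte key selects AES-256; CBC/PKCS7 are the defaults
    $aes.GenerateIV()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    $out = New-Object byte[] ($aes.IV.Length + $ct.Length)
    [Array]::Copy($aes.IV, 0, $out, 0, $aes.IV.Length)
    [Array]::Copy($ct, 0, $out, $aes.IV.Length, $ct.Length)
    [Convert]::ToBase64String($out)      # this string is what travels in the header
}

function Unprotect-Blob {
    param([string]$B64, [byte[]]$Key)
    $raw = [Convert]::FromBase64String($B64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $iv = New-Object byte[] 16
    [Array]::Copy($raw, 0, $iv, 0, 16)
    $aes.IV = $iv
    $pt = $aes.CreateDecryptor().TransformFinalBlock($raw, 16, $raw.Length - 16)
    [System.Text.Encoding]::UTF8.GetString($pt)
}

# Heuristic: valid Base64 whose decoded form is at least 32 bytes, a multiple of the
# AES block size, and mostly non-printable. Ciphertext looks random; session cookies,
# JWTs and other Base64-wrapped text do not.
function Test-OpaqueHeader {
    param([string]$Value)
    try { $raw = [Convert]::FromBase64String($Value) } catch { return $false }
    if ($raw.Length -lt 32 -or ($raw.Length % 16) -ne 0) { return $false }
    $nonPrintable = @($raw | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7E }).Count
    return (($nonPrintable / $raw.Length) -gt 0.3)
}

# Round trip, then the detector on the encrypted header and on an ordinary Base64 cookie.
$header = Protect-Blob -Plain 'whoami /all' -Key $SharedKey
"X-Session: $header"
'Server decrypts to: ' + (Unprotect-Blob -B64 $header -Key $SharedKey)
'Flag encrypted header: ' + (Test-OpaqueHeader -Value $header)
$cookie = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('session=abc123;user=alice'))
'Flag plain cookie: ' + (Test-OpaqueHeader -Value $cookie)
```

Default IIS W3C logging does not record custom request headers, which is why a shell of this kind leaves little in the server log beyond repeated POSTs to one script; enable custom fields (IIS 8.5 and later) or collect headers at the reverse proxy before applying the heuristic.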

Figure: Registering the DLL with the LSA

The attackers ran a privilege escalation tool for CVE-2024-30088 through a custom loader to obtain SYSTEM privileges, then created a scheduled task that re-ran a PowerShell script for persistence.

They also registered a password filter DLL with the LSA. Windows calls every registered password filter with the new password in plaintext whenever a user or computer account changes it, so the DLL could harvest passwords as they were set; on a domain controller that covers every domain account. The captured passwords were encrypted before exfiltration, which shows the care taken to evade detection while keeping a foothold in the environment.
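A hunting script for that persistence mechanism, added here and not taken from the report: it lists the password filters the LSA will load, checks each DLL on disk and its signature, and pulls the Security events written when a package is loaded. The baseline names are an assumption for a default Windows Server build and should be adjusted to your own image.

```powershell
# Added hunting script, not part of the report. Password filters are the names in the
# 'Notification Packages' multi-string under the Lsa key; LSA loads '<name>.dll' from
# System32 at startup. Baseline names are an assumption for a default server build.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')   # rassfm shows up when Remote Access components are installed

function Get-LsaNotificationPackage {
    $names = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in @($names)) {
        $path   = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Package    = $name
            InBaseline = $Baseline -contains $name
            Path       = $path
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWrite  = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
        }
    }
}

# Security event 4614 ("A notification package has been loaded by the Security Account
# Manager") is written when a package loads, so the first 4614 for an unknown name
# dates the implant's activation.
function Get-NotificationPackageLoad {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Package'; e = { $_.Properties[0].Value } }
}

Get-LsaNotificationPackage | Format-Table -AutoSize
Get-LsaNotificationPackage |
    Where-Object { -not $_.InBaseline -or $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning ("Review password filter '{0}' ({1}, signature {2})" -f $_.Package, $_.Path, $_.SigStatus) }
Get-NotificationPackageLoad | Format-Table -AutoSize
```

Two caveats: Microsoft's own filters are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature only resolves catalog signatures on current Windows builds, so treat a NotSigned result on scecli.dll on an old server as something to verify rather than an alert. Writing the Lsa key needs administrative rights, which is why the kernel exploit came first in this chain; putting a SACL on the key turns any later change into a Security event 4657 you can alert on.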

Figure: The backdoor sending emails

The exfiltration tool STEALHOOK reads valid domain credentials from a fixed location on disk and uses them to authenticate to the Exchange server. It then sends the captured passwords out as email attachments, so the exfiltration is routed through the government's own Exchange servers under legitimate accounts.

The backdoor reads user credentials and mail-sending parameters from specified files, builds a message that carries the stolen credentials and its configuration data, and sends it with a fixed subject and body, attaching every file in a designated directory.
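A fixed subject, a single drop mailbox and a legitimate sending account leave a recognisable shape in Exchange message-tracking data: one sender repeatedly mailing the same subject to one external recipient. The script below is an added hunting example, not part of the report; it scores senders on that pattern over a constructed set of messages so it runs without an Exchange server, and the thresholds (at least 5 messages, at most 2 subjects, 90% of traffic to one recipient) are assumptions to tune per environment.

```powershell
# Added hunting example, not part of the report. Scores outbound senders for the
# "same subject, same external recipient, over and over" pattern a credential-mailing
# backdoor produces. Thresholds are assumptions; sample messages are constructed.

function Find-AutomatedOutboundSender {
    param(
        [object[]]$Messages,          # objects with Sender, Recipients, MessageSubject, TotalBytes
        [string[]]$InternalDomains,   # your accepted domains; anything else is external
        [int]$MinMessages = 5
    )
    $internal = $InternalDomains | ForEach-Object { $_.ToLower() }
    # keep only messages whose recipients are all external
    $external = $Messages | Where-Object {
        $rcpts = @($_.Recipients)
        $ext = @($rcpts | Where-Object { $internal -notcontains ($_.Split('@')[-1].ToLower()) })
        $rcpts.Count -gt 0 -and $ext.Count -eq $rcpts.Count
    }
    $external | Group-Object Sender | ForEach-Object {
        $group    = $_.Group
        $subjects = @($group | Group-Object MessageSubject | Sort-Object Count -Descending)
        $targets  = @($group | ForEach-Object { $_.Recipients } | Group-Object | Sort-Object Count -Descending)
        [pscustomobject]@{
            Sender            = $_.Name
            Messages          = $_.Count
            DistinctSubjects  = $subjects.Count
            TopSubject        = $subjects[0].Name
            TopRecipient      = $targets[0].Name
            TopRecipientShare = [math]::Round($targets[0].Count / $_.Count, 2)
            TotalBytes        = ($group | Measure-Object TotalBytes -Sum).Sum
        }
    } |
        Where-Object { $_.Messages -ge $MinMessages -and $_.DistinctSubjects -le 2 -and $_.TopRecipientShare -ge 0.9 } |
        Sort-Object Messages -Descending
}

# Constructed sample: one ordinary user and one account behaving like the backdoor.
$sample = @()
foreach ($s in 'Budget Q3', 'Re: meeting', 'Invoice 4411') {
    $sample += [pscustomobject]@{ Sender = 'alice@gov.example'; Recipients = @('bob@partner.example'); MessageSubject = $s; TotalBytes = 20000 }
}
foreach ($i in 1..6) {
    $sample += [pscustomobject]@{ Sender = 'svc-backup@gov.example'; Recipients = @('drop@mail.example'); MessageSubject = 'report'; TotalBytes = 4096 }
}
# internal mail from the same account is ignored by the external-only filter
$sample += [pscustomobject]@{ Sender = 'svc-backup@gov.example'; Recipients = @('it@gov.example'); MessageSubject = 'ticket'; TotalBytes = 1000 }

Find-AutomatedOutboundSender -Messages $sample -InternalDomains 'gov.example' | Format-Table -AutoSize

# On a real server, in the Exchange Management Shell, feed it the last week of SEND events:
#   $domains = Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName) -replace '^\*\.', '' }
#   $msgs    = Get-MessageTrackingLog -EventId SEND -Start (Get-Date).AddDays(-7) -ResultSize Unlimited
#   Find-AutomatedOutboundSender -Messages $msgs -InternalDomains $domains
```

Message-tracking entries carry size and subject but not attachment names, so this finds the sending pattern rather than the password files themselves; once a sender stands out, pull the messages from the mailbox or from journaling to confirm what was attached.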

Figure: Downloading ngrok

According to Trend Micro, Earth Simnavaz has recently added ngrok to its toolkit. ngrok is a tunneling tool rather than a conventional remote monitoring and management product: the agent opens an outbound connection to ngrok's cloud and exposes a local port through it, which lets the attackers reach internal services without any inbound firewall rule and so bypasses perimeter network controls.

ngrok was downloaded onto a server by a PowerShell script and then launched remotely through a WMI command; it was most likely used in later stages of the attack to establish command-and-control communication, exfiltrate data, or deploy further payloads.
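A process started through WMI has WmiPrvSE.exe as its parent, and combining that with ngrok's command-line syntax catches the launch even when the binary has been renamed. The query below is an added detection example, not part of the report; it assumes Sysmon process-creation logging (Event ID 1), and the config-file locations and the constructed sample rows are assumptions as well.

```powershell
# Added detection example, not part of the report. Finds processes launched through
# WMI (parent WmiPrvSE.exe) whose image or command line looks like ngrok, and looks
# for the agent's config file. Assumes Sysmon with process-creation logging; Security
# event 4688 with command-line auditing can stand in for it.

function Get-SysmonProcessStart {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentImage']
                Hashes      = $data['Hashes']
            }
        }
}

# ngrok usage looks like 'ngrok tcp 3389' or 'ngrok http 8080'; 'authtoken' covers
# 'ngrok config add-authtoken' (v3) and 'ngrok authtoken' (v2). Matching the syntax,
# not the file name, survives a renamed binary.
function Find-WmiLaunchedTunnel {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.ParentImage -like '*\WmiPrvSE.exe' -and
        ($_.Image -match 'ngrok' -or $_.CommandLine -match 'ngrok|authtoken|\b(tcp|http)\s+\d{2,5}\b')
    }
}

# On-disk artefacts: the agent stores its auth token in ngrok.yml under the profile of
# whoever ran it (SYSTEM for a WMI launch). Paths are the v3 default and the legacy v2
# location, both assumptions to verify against the version you find.
function Find-NgrokConfig {
    $candidates = @(
        "$env:SystemDrive\Users\*\AppData\Local\ngrok\ngrok.yml",
        "$env:SystemRoot\System32\config\systemprofile\AppData\Local\ngrok\ngrok.yml",
        "$env:SystemDrive\Users\*\.ngrok2\ngrok.yml"
    )
    Get-ChildItem -Path $candidates -Force -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
}

# Constructed rows in the shape Get-SysmonProcessStart returns, to exercise the filter offline:
# a PowerShell script run via WMI, a renamed agent run via WMI, and ngrok run interactively.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -ep bypass -f C:\ProgramData\up.ps1'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Hashes = '' },
    [pscustomobject]@{ Time = Get-Date; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\ProgramData\svc.exe'; CommandLine = 'svc.exe tcp 3389'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Hashes = '' },
    [pscustomobject]@{ Time = Get-Date; User = 'CORP\alice'; Image = 'C:\Tools\ngrok.exe'; CommandLine = 'ngrok http 8080'; ParentImage = 'C:\Windows\explorer.exe'; Hashes = '' }
)
Find-WmiLaunchedTunnel -Events $sample | Format-Table Time, User, ParentImage, Image, CommandLine -AutoSize

# Live run against the local Sysmon log, then the config search.
Find-WmiLaunchedTunnel -Events (Get-SysmonProcessStart) | Format-Table Time, User, ParentImage, Image, CommandLine -AutoSize
Find-NgrokConfig
```

The rule is deliberately narrow: it only fires on the WMI-launched pattern from this campaign, so the interactive ngrok run in the sample is left for a separate image-name or hash rule. The token in ngrok.yml is worth recovering when you find it, since it ties the agent to the attacker's ngrok account.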

Throughout its history the group has targeted governments across the Middle East, and its tradecraft resembles that of FOX Kitten.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
