Cyber Security News

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on critical infrastructure in the UAE and wider Gulf region. 

The group employs sophisticated techniques to gain unauthorized access and exfiltrate sensitive data, such as using a new backdoor to steal credentials via on-premises Microsoft Exchange servers by exploiting vulnerabilities like CVE-2024-30088 for privilege escalation and leveraging tools like ngrok for remote monitoring and control. 

Attack chain

It infiltrated networks through a web shell uploaded to a vulnerable web server and exploited a Windows Kernel vulnerability to escalate privileges and register a password filter DLL, which dropped a backdoor that exfiltrated sensitive data via the Exchange server. 

The stolen data was used to conduct supply chain attacks on other government entities. The group’s overlap with FOX Kitten, which has enabled ransomware attacks, indicates a potential for further malicious activity.

Decrypted string

The threat actor initially compromised the target system by uploading a web shell to a vulnerable web server, which, acting as a remote access Trojan, facilitated various malicious activities. 

By extracting and decrypting specific values from HTTP request headers, the attacker could execute PowerShell commands, download files from the infected system, and upload new files to it. 

Outbound responses were encrypted by the web shell as well, using AES encryption and Base64 encoding to ensure that the responses were kept confidential. 

Registering the DLL with the LSA

The attackers initially exploited CVE-2024-30088 to gain SYSTEM privileges and then used a custom loader to execute a privilege escalation tool, which created a persistent task to run a PowerShell script. 

They also abused a password filter DLL to capture plaintext passwords from compromised machines, as the attackers carefully encrypted these passwords before exfiltrating them, demonstrating their efforts to evade detection and maintain persistence in the compromised environment.

The backdoor sending emails

The exfiltration tool STEALHOOK retrieves valid domain credentials from a specific location and uses them to access the Exchange Server for data exfiltration, which steals passwords and transmits them as email attachments, leveraging legitimate accounts to route these emails through government Exchange Servers. 

The backdoor retrieves user credentials and email sending data from specified files, then constructs a message containing the stolen credentials and configuration data, while the email is sent with a specified subject and body, attaching all files in a designated directory.

Downloading ngrok

According to Trend Micro, the Earth Simnavaz threat group has recently upgraded their toolkit to include the RMM tool ngrok, which they use to bypass firewalls and network security controls. 

Ngrok was downloaded onto a server using a PowerShell script and then executed remotely using a WMI command, which was likely used in the later stages of the attack to establish command-and-control communication, exfiltrate data, or deploy payloads. 

Throughout its history, the organization has been known to target governments and countries in the Middle East, and their strategies are similar to those employed by FOX Kitten.”

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

Aman Mishra

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

10 hours ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

2 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

2 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

2 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

3 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

3 days ago