Sunday, January 26, 2025
Homecyber securityIran Hacking Group Used Open Source Multi-platform PupyRAT to Attack Energy Sector...

Iran Hacking Group Used Open Source Multi-platform PupyRAT to Attack Energy Sector Organization

Published on

SIEM as a Service

Follow Us on Google News

PupyRAT is a cross-platform (Windows, Linux, OSX, Android) is a remote administration and post-exploitation tool.

It was written in python, acts as a backdoor, allows an attacker to create remote command shells, steal password credentials, log keystrokes, steal files, and to record webcams.

The tool is intended for using red-team purposes, but the Iranian hacking groups APT33 (Elfin, Magic Hound, HOLMIUM) and COBALT GYPSY (which overlaps with APT34/OilRig), made heavy use of the tool.

Shifted focus on Attack Energy Sector Organization

These groups are known for targeting IT sectors in the United States, Europe, and elsewhere, now they have to target the physical control systems in electric utilities, manufacturing, and oil refineries.

Security researchers from Recorded Future observed a European energy sector organization Email server communicating with the PupyRAT command and control (C2) server between late November 2019 until at least January 5, 2020.

They further analyze the metadata which confirms the compromise, “we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion.”

Researchers are unable to confirm which Iranian hacking group used PupyRAT to attack the mail server of the high-value critical infrastructure organization.

Iranian groups know for targeting a wide range of industries in the U.S. and Europe, this recent attack shows the increasing rate of attacks targeting energy sector industrial control software.

Last year North Korean Hackers Attack Indian Nuclear Power Plant [KKNPP] Using Dtrack Malware and they have managed to compromise domain controller.

The Dtrack malware designed to spy on the victim machines, it extracts sensitive data from victim machines.

Mitigation Suggested

  • Monitor for login attempts
  • Enable multi-factor authentication
  • Use of password manager
  • Analyzing connection log data

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...