The Iranian state-sponsored hacking group known as APT34, also called OilRig or Earth Simnavaz, has recently intensified its cyber espionage activities, targeting government and critical infrastructure entities in the United Arab Emirates and the broader Gulf region.

This escalation involves sophisticated tactics and the exploitation of newly discovered vulnerabilities, demonstrating the group’s evolving capabilities and persistent threat to regional security.

Attack Methodology

OilRig’s latest attack chain begins with the exploitation of vulnerable web servers to upload web shells, granting them remote code execution capabilities. From this initial foothold, the attackers deploy additional tools and malware to further compromise the target systems.

Privilege Escalation

A key component of OilRig’s recent attacks is the exploitation of CVE-2024-30088, a high-severity Windows kernel vulnerability patched by Microsoft in June 2024. This flaw allows the attackers to elevate their privileges to SYSTEM level, providing significant control over compromised devices.

Credential Theft

The hackers have implemented a novel tactic involving the abuse of on-premises Microsoft Exchange servers. They deploy a new backdoor called “StealHook” to intercept and exfiltrate credentials, often routing the stolen data through legitimate government email infrastructure to avoid detection. StealHook represents an evolution of OilRig’s malware arsenal, showing code similarities to previously used backdoors such as Karkoff; it is specifically designed to capture stolen passwords and transmit them to the attackers as email attachments.

The group has also been observed deploying a malicious password filter DLL (psgfilter.dll) to extract plaintext credentials from domain users and local accounts. This technique allows them to capture sensitive login information during password change events.
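A password filter DLL only receives plaintext passwords because it has been registered with the Local Security Authority, which loads every DLL listed in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. The following PowerShell audit is an added example written for this article and is not code from the original report or from Trend Micro; it lists the registered packages, flags any name outside a small allow-list, and reports whether the corresponding DLL in `System32` carries a valid Authenticode signature. The allow-list (`scecli`, the Windows default, plus `rassfm` on domain controllers) is an assumption that should be tuned to the environment, and the script assumes it is run with administrative rights on the host being checked.

```powershell
# Added example, not part of the original article: audit LSA password filter
# registrations so an unexpected entry (such as a rogue psgfilter.dll) stands out.
# Assumes administrative rights on the local host.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: baseline of legitimate packages for this environment. scecli is the
# Windows default; rassfm is normally present on domain controllers. Add any
# vetted third-party filter (e.g. a password-policy product) after verifying it.
$expected = @('scecli', 'rassfm')

# 'Notification Packages' is REG_MULTI_SZ, so this returns a string array.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($pkg in $packages) {
    $name = $pkg.Trim()
    if (-not $name) { continue }

    # LSA loads the package from System32 by module name (no extension in the value).
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"

    $status = if ($expected -contains $name) { 'expected' } else { 'UNEXPECTED' }

    $signature = if (Test-Path -Path $dllPath) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else {
        'file missing'
    }

    [PSCustomObject]@{
        Package   = $name
        Path      = $dllPath
        Status    = $status
        Signature = $signature
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when anything unexpected or unsigned is registered, so the
# script can be scheduled and alerted on from a management platform.
$suspicious = $report | Where-Object { $_.Status -eq 'UNEXPECTED' -or $_.Signature -ne 'Valid' }
if ($suspicious) { exit 1 }
```

Because LSA only loads notification packages at boot, a freshly registered filter is also visible as a registry change to the value above (auditable with object-access auditing on the `Lsa` key) and, after the next reboot, as Security event 4614 (“A notification package has been loaded by the Security Account Manager”) naming the DLL. Running the audit on domain controllers is the priority, since that is where domain password changes are processed.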

Targets and Objectives

OilRig’s primary targets in this campaign appear to be government entities and organizations in the energy sector across the UAE and Gulf region. The focus on critical infrastructure raises concerns about potential operational disruptions that could have widespread impacts.

Connection to FOX Kitten

Trend Micro researchers have identified a potential link between OilRig and another Iran-based APT group known as FOX Kitten. This connection is particularly worrying due to FOX Kitten’s involvement in ransomware attacks, suggesting a possible expansion of OilRig’s capabilities to include more destructive operations.

Conclusion

The recent activities of OilRig highlight the persistent and evolving threat posed by state-sponsored hacking groups. Their focus on exploiting newly discovered vulnerabilities and developing sophisticated malware underscores the need for organizations, especially those in critical sectors, to maintain robust cybersecurity measures and stay current with security updates.