The Iran-linked hacking group OilRig was observed using a new backdoor in an attack against a government official within Jordan’s foreign ministry, according to new research published this week.
Active since at least 2014, OilRig is also tracked as APT34, Helix Kitten, and Cobalt Gypsy, and is believed to be aligned with the objectives of the Iranian government. To date, the group has been seen targeting entities in the chemical, energy, financial, governmental, and telecommunication industries.
At the end of April 2022, security researchers with Fortinet and Malwarebytes identified a malicious Excel document that the hacking group sent to the Jordanian diplomat, and which was designed to drop a new backdoor called Saitama.
The phishing email purported to come from an employee within the IT department, but in fact originated externally. The attack was identified after the recipient forwarded the message to the real IT employee, likely in an attempt to verify its authenticity.
The document contained a macro designed to drop the Saitama backdoor and set up persistence for it. The macro also closes the initial Excel sheet and opens a new one that displays the Jordanian government's coat of arms.
According to research notes shared by Fortinet, the macro leverages WMI (Windows Management Instrumentation) to ping its command and control (C&C) server, and has the ability to create three files: a malicious PE file, a configuration file, and a legitimate DLL file.
Written in .NET, the Saitama backdoor uses the DNS protocol to communicate with the C&C server and exfiltrate data, a method stealthier than other communication techniques. Other methods of hiding the malicious packets within legitimate traffic are also used.
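As an added example, not taken from the Fortinet or Malwarebytes reports and not modelling Saitama's actual encoding (which the article does not describe), the following Python scores a constructed DNS query log for the generic indicators of DNS-based C2 and exfiltration: many unique, high-entropy subdomains queried under one registered domain. The log line format and the two-label registered-domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (assumed format: "<time> <client> <qtype> <qname>").
# example.org is ordinary browsing noise; c2-example.test receives hex-like unique labels.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.org
10:00:02 10.1.2.3 A mail.example.org
10:00:03 10.1.2.3 TXT 4a7f3c9e1b2d.8e6f0a1c.c2-example.test
10:00:04 10.1.2.3 TXT 9c1e5d7b3a2f.1b4d6e8a.c2-example.test
10:00:05 10.1.2.3 TXT 0d2b8f4a6c1e.7a9c3e5b.c2-example.test
10:00:06 10.1.2.3 TXT 3e5a7c9b1d4f.2c4e6a8d.c2-example.test
10:00:07 10.1.2.3 A www.example.org
10:00:08 10.1.2.3 TXT 6b8d0f2a4c7e.5e7a9c1b.c2-example.test
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public-suffix list offline).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log_text, min_queries=3, min_unique_ratio=0.8, min_entropy=3.0):
    """Return {domain: metrics} for domains whose subdomain pattern looks like a DNS channel."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "txt": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing on real logs
        _, _, qtype, qname = parts
        base = registered_domain(qname)
        sub = qname[:-len(base)].rstrip(".") if qname != base else ""
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["txt"] += qtype.upper() == "TXT"
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
    flagged = {}
    for base, st in stats.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        avg_entropy = st["entropy"] / st["queries"]
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            flagged[base] = {"queries": st["queries"], "unique_ratio": round(unique_ratio, 2),
                             "avg_entropy": round(avg_entropy, 2), "txt_ratio": round(st["txt"] / st["queries"], 2)}
    return flagged
```

Thresholds here are illustrative; in production they should be tuned against a baseline of the organisation's own resolver traffic, since CDNs and some security products also generate many unique subdomains.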
Malwarebytes also published a separate report on the backdoor, noting that “the entire flow of the program is defined explicitly as a finite-state machine. In short, the machine will change its state depending on the command sent to every state,” Malwarebytes explains.
Identified states include an initial state, where it accepts a start command; an alive state, where it contacts the C&C server and waits for commands; a sleep mode; a receive state, where commands are accepted from the C&C servers; a ‘do’ state, where commands are executed; and a send state, where results from the execution of commands are sent to the attackers.
Given that some of the supported commands include internal IPs and internal domain names, Malwarebytes researchers believe the backdoor is highly targeted, and that the threat actor has some previous knowledge about the internal infrastructure of the victim.