Recently identified attacks targeting a key organization in the European energy sector employed a remote access Trojan (RAT) previously associated with Iran-linked threat actors, Recorded Future reports.
Dubbed PupyRAT, the backdoor is an open source piece of malware available on GitHub. Mainly written in Python, the threat is advertised as cross-platform, with support for various functions for post-exploitation.
The malware, Recorded Future’s security researchers explain, was previously used by several Iranian hacking groups, including APT33 (also known as Elfin and HOLMIUM) and COBALT GYPSY, which overlaps with APT34/OilRig.
Both groups have been known to target the energy sector in the United States, Europe and elsewhere, and Iranian hackers have previously been observed making heavy use of freely available commodity malware such as PupyRAT, Recorded Future notes.
The researchers were able to identify a PupyRAT command and control (C&C) server that communicated with a mail server for a European energy sector organization between November 2019 and at least January 5, 2020.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C&C are sufficient to indicate a likely intrusion,” Recorded Future explains.
The researchers could not confirm that the identified C&C server was actually being used by either APT33 or COBALT GYPSY. The activity predates the recent escalation between the U.S. and Iran.
However, the attack is of particular interest, given the organization’s role in the coordination of European energy resources, especially amid an increase in Iranian-linked activity targeting energy sector industrial control software.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the cyber-security company points out.
To stay protected from PupyRAT and similar commodity backdoors, organizations should monitor for sequential login attempts from the same IP address against different accounts (the pattern typical of password spraying), employ multi-factor authentication, use a password manager and set strong, unique passwords.
Moreover, Recorded Future recommends that organizations analyze and cross-reference log data for lockouts, remote access attempts, attack overlaps across multiple accounts, and other possible signs of intrusion.
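The two recommendations above amount to a single detection: group authentication events by source IP, flag any source that fails against many distinct accounts in a short window, and cross-reference the same source against lockouts and successful logins. The following script is an added example written for this page; it is not Recorded Future's tooling or part of the PupyRAT project. The log line format, the sample lines (constructed, RFC 5737 test addresses) and the thresholds of 5 accounts in 10 minutes are all assumptions that would need adjusting to a real mail server's logs.

```python
"""Password-spray detection over mail-server authentication logs.

Added example for this article; not Recorded Future's code. The log format,
thresholds and sample data below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format:
#   "<ISO-8601 timestamp> <OK|FAIL|LOCKOUT> user=<account> src=<ip>"
# 203.0.113.7 tries five accounts in ~15 s, triggers a lockout, then logs in
# as "frank": the spray-then-success pattern worth escalating.
SAMPLE_LOG = """\
2019-12-02T08:00:01Z FAIL user=alice src=203.0.113.7
2019-12-02T08:00:04Z FAIL user=bob src=203.0.113.7
2019-12-02T08:00:07Z FAIL user=carol src=203.0.113.7
2019-12-02T08:00:10Z FAIL user=dave src=203.0.113.7
2019-12-02T08:00:13Z FAIL user=erin src=203.0.113.7
2019-12-02T08:00:16Z LOCKOUT user=erin src=203.0.113.7
2019-12-02T08:00:19Z OK user=frank src=203.0.113.7
2019-12-02T08:05:00Z FAIL user=alice src=198.51.100.9
2019-12-02T08:05:20Z FAIL user=alice src=198.51.100.9
2019-12-02T08:05:40Z OK user=alice src=198.51.100.9
2019-12-02T09:30:00Z OK user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL|LOCKOUT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: finding} for sources whose failed logins hit at least
    `min_accounts` distinct users inside `window`.

    A spray differs from brute force: many accounts, few attempts each, so a
    per-account failure counter never fires. Each finding also lists lockouts
    and successful logins from the same source, the cross-reference the
    article recommends; a success after a spray suggests a guessed password.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        j = 0  # left edge of the sliding window over failures
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            accounts = {e[2] for e in fails[j:i + 1]}
            if len(accounts) >= min_accounts:
                findings[src] = {
                    "accounts_tried": sorted(accounts),
                    "lockouts": sorted({e[2] for e in evs if e[1] == "LOCKOUT"}),
                    "successes": sorted({e[2] for e in evs if e[1] == "OK"}),
                    "window_start": fails[j][0],
                    "window_end": fails[i][0],
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(f['accounts_tried'])} accounts "
              f"between {f['window_start']} and {f['window_end']}; "
              f"lockouts={f['lockouts']} successes={f['successes']}")
```

Run against the sample, only 203.0.113.7 is reported: the two failures from 198.51.100.9 are one user mistyping a password and never reach the distinct-account threshold. The finding's `successes` field is the part to act on, since a login that follows a spray from the same source is the account most likely to have been compromised.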
Related: Iranian APT33 Hackers Use Special Botnets for High-Value Targets in U.S.
Related: Researchers Analyze Tools Used by 'Hexane' Attackers Against Industrial Firms

