Iranian Malware Delivered Via Fake Oxford University Sites

Uploaded on 2017-01-30 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

OilRig has been around since at least 2015 and its campaigns have been analyzed by several researchers, including from FireEye and Palo Alto Networks. The attackers have targeted organisations in Saudi Arabia, Israel, the United States, Turkey, the United Arab Emirates, Lebanon, Kuwait and Qatar, including government agencies, financial institutions and tech companies.

Recent attacks observed by researchers at ClearSky have been aimed at several Israeli organisations, including IT vendors, financial institutions and the country’s national postal service.

In some of the attacks seen by ClearSky, the threat actor set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. It’s unclear if the malicious actor compromised the affected vendors’ entire networks or just the email accounts they used to send out messages containing links to the fake VPN portal.

Once taken to the fake Juniper website, victims were instructed to install a VPN client, a legitimate piece of software from Juniper Networks bundled with Helminth, a piece of malware known to be used by OilRig.

According to researchers, these files had been signed with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. A different Helminth sample found by ClearSky was signed with a different certificate issued to the same company.

“This suggest that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network,” researchers said. “Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.”

In other OilRig attacks, the threat group registered four domain names apparently belonging to Oxford University, including oxford-symposia.com, oxford-careers.com, oxford.in and oxford-employee.com.

The first domain mimicked an Oxford conference registration website and instructed visitors to install a tool allegedly needed for pre-registration. The tool, also signed with an AI Squared certificate, prompts users to provide various types of personal information and generates what it claims to be a “pre-registration form.”

Users are then instructed to send the form to an email address hosted on the attackers’ second domain, oxford-careers[.]com. At one point, this domain was linked to oxford[.]in, which had stored some documents, but researchers could not determine what these files contained as they were unavailable during their analysis.

The last fake Oxford domain, oxford-employee.com, hosted a job application website and provided users an “official” Oxford CV creator. The fake CV creator is also a tool created by the attackers.

In a blog post published in October, Palo Alto Networks revealed that OilRig had used an IP address mentioned in 2015 by Symantec in a report describing the activities of two Iran-based threat groups, named Cadelle and Chafer, that appeared to be linked. ClearSky has confirmed that the same IP address has been linked to both OilRig and a piece of malware used by Chafer.

While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control domains used by the group.

Security Week:      Destructive Cyber Attack On Saudi Kingdom:    The Growing Cyber Threat From Iran:

 

« Cyberwar: How Prepared Is Nepal?
Smart City Technology Is Growing »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

QTS

QTS

QTS Realty Trust, Inc. is a leading provider of secure, compliant data center, hybrid cloud and managed services.

IoTium

IoTium

Secure Cloud Managed Software Defined IoT Networks. IoTium simplifies establishing and managing secure network infrastructure for Industrial IoT.

Commissum

Commissum

Commissum specialise in information assurance and security testing services.

PrivateCore

PrivateCore

We protect data-in-use from hackers trying to steal data such as encryption keys, certificates, intellectual property.

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

SWEDAC is the national accreditation body for Sweden. The directory of members provides details of organisations offering certification services for ISO 27001.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

Melius CyberSafe

Melius CyberSafe

Melius CyberSafe has developed a world-leading SaaS platform built around continuous assessment and improvement through vulnerability scanning and penetration testing.

BullWall

BullWall

BullWall is a digital innovator dedicated to fight cybercrime in its many forms. Our overarching purpose is to stop new and unknown strings of ransomware attacks in its tracks.

Axellio

Axellio

Axellio provides economic, end-to-end cyber security solutions designed for your team, environment, and security objectives, providing packet level visibility across your network.

HEROIC Cybersecurity

HEROIC Cybersecurity

HEROIC’s enterprise cybersecurity services help improve overall organizational security with industry best practices and advanced technology solutions.

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

Smartcomply

Smartcomply

Smartcomply is an automated and AI-powered cybersecurity and compliance platform that aids businesses in reducing the time and money spent on cybersecurity and compliance.

Cyberagentur (Cyber Agency)

Cyberagentur (Cyber Agency)

Cyberagentur is the Federal Agency in Germany for innovation in cybersecurity. Our mission is to advance research and groundbreaking innovations in the field of cybersecurity and related technologies.

GlitchSecure

GlitchSecure

GlitchSecure helps companies secure their products and infrastructure through real-time continuous security testing.