Iranian Malware Delivered Via Fake Oxford University Sites

An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.

OilRig has been around since at least 2015 and its campaigns have been analyzed by several researchers, including from FireEye and Palo Alto Networks. The attackers have targeted organisations in Saudi Arabia, Israel, the United States, Turkey, the United Arab Emirates, Lebanon, Kuwait and Qatar, including government agencies, financial institutions and tech companies.

Recent attacks observed by researchers at ClearSky have been aimed at several Israeli organisations, including IT vendors, financial institutions and the country’s national postal service.

In some of the attacks seen by ClearSky, the threat actor set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. It’s unclear if the malicious actor compromised the affected vendors’ entire networks or just the email accounts they used to send out messages containing links to the fake VPN portal.

Once taken to the fake Juniper website, victims were instructed to install a VPN client: a legitimate Juniper Networks VPN client bundled with Helminth, a piece of malware known to be used by OilRig.

According to researchers, these files had been signed with a valid code-signing certificate issued by Symantec to a US-based software company called AI Squared. A different Helminth sample found by ClearSky was signed with a different certificate issued to the same company.

“This suggests that the attackers had got a hold of an AI Squared signing key, potentially after compromising their network,” researchers said. “Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.”

In other OilRig attacks, the threat group registered four domain names designed to look as if they belonged to Oxford University: oxford-symposia.com, oxford-careers.com, oxford.in and oxford-employee.com.

The first domain mimicked an Oxford conference registration website and instructed visitors to install a tool allegedly needed for pre-registration. The tool, also signed with an AI Squared certificate, prompts users to provide various types of personal information and generates what it claims to be a “pre-registration form.”

Users are then instructed to send the form to an email address hosted on the attackers’ second domain, oxford-careers.com. At one point, this domain was linked to oxford.in, which had stored some documents, but researchers could not determine what these files contained as they were unavailable during their analysis.

The last fake Oxford domain, oxford-employee.com, hosted a job application website and provided users an “official” Oxford CV creator. The fake CV creator is also a tool created by the attackers.
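As an added defender-side example (not code from the article, ClearSky or Security Week), the Python below scans constructed proxy-log lines for hosts that carry the brand tokens abused by the fake Juniper VPN portal and the fake Oxford domains described above without being a known-legitimate domain. The allowlist entries, the sample log and the Juniper portal hostname are assumptions; the article does not name the real portal.

```python
from urllib.parse import urlsplit

# Brand tokens the campaign abused, mapped to registrable domains that may
# legitimately carry them (allowlist entries are assumptions for illustration).
LEGIT = {"oxford": {"ox.ac.uk"}, "juniper": {"juniper.net"}}
UK_SECOND_LEVEL = {"ac", "co", "gov", "org", "nhs"}


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: 'vpn.juniper.net' -> 'juniper.net',
    'www.ox.ac.uk' -> 'ox.ac.uk'. Use the Public Suffix List in production."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in UK_SECOND_LEVEL:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def flag(host: str):
    """Return the brand a host impersonates, or None if clean or allowlisted."""
    reg = registrable(host)
    for brand, allowed in LEGIT.items():
        if brand in reg and reg not in allowed:
            return brand
    return None


# Constructed sample proxy log: timestamp, client IP, requested URL. The
# Juniper portal host is a placeholder; the article does not name the real one.
SAMPLE_LOG = """\
2017-01-05T09:12:01Z 10.0.0.12 https://oxford-symposia.com/register
2017-01-05T09:13:44Z 10.0.0.12 https://www.ox.ac.uk/admissions
2017-01-05T09:15:02Z 10.0.0.21 https://vpn.juniper.net/download
2017-01-05T09:16:30Z 10.0.0.21 https://juniper-vpn-portal.example/login
2017-01-05T09:18:10Z 10.0.0.33 https://oxford-employee.com/cv
2017-01-05T09:19:55Z 10.0.0.33 https://oxford-symposia.com/form
"""


def scan(log: str):
    """Return the sorted, de-duplicated (host, brand) pairs flagged in the log."""
    hits = set()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        host = urlsplit(fields[2]).hostname or ""
        brand = flag(host)
        if brand:
            hits.add((host, brand))
    return sorted(hits)
```

Substring matching on the brand token will also flag unrelated legitimate names such as oxfordshire.gov.uk, so the allowlist needs to be maintained against real traffic before alerts are acted on.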

In a blog post published in October, Palo Alto Networks revealed that OilRig had used an IP address mentioned in 2015 by Symantec in a report describing the activities of two Iran-based threat groups, named Cadelle and Chafer, that appeared to be linked. ClearSky has confirmed that the same IP address has been linked to both OilRig and a piece of malware used by Chafer.

While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control domains used by the group.

Source: Security Week

Related: Destructive Cyber Attack On Saudi Kingdom; The Growing Cyber Threat From Iran
