OilRig is back with another Phishing Email attack, delivering the Saitama Backdoor
An Iranian cyber espionage group known as OilRig has begun delivering malicious email to a Jordanian government employee at the foreign ministry. The email carries a malicious Excel sheet that installs the Saitama backdoor. Since at least 2014, the threat group has targeted Middle Eastern nations and victims around the world, and it is known for concentrating on the financial, government, energy, chemical, and telecommunications sectors.
The threat actors sent a malicious email with the subject “Confirmation Receive Document” and an attached Excel file named “Confirmation Receive Document.xls” to the victim from a Microsoft Outlook account. The Excel sheet drops a small backdoor written in .NET, known as the Saitama backdoor, which uses the DNS protocol for its command-and-control communications. The actor also makes deliberate use of compression and long, randomized sleep intervals so that the malicious DNS traffic blends in with legitimate traffic.
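Because DNS-based C2 with randomized sleeps defeats simple beacon-interval detection, a defender has to lean on what the queries look like rather than when they arrive. The script below is an added example written for this advisory, not HivePro's code and not a description of Saitama's actual encoding: it runs over a constructed DNS query log (the sample lines, the tunnel-example.net domain and the client IP are all made up) and flags a client/domain pair when it sees many distinct, high-entropy subdomains. The registered-domain split (last two labels) and the thresholds are simplifying assumptions a real deployment would tune and back with a public suffix list.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (not real Saitama traffic). Each line is
# "<ISO timestamp> <client IP> <query name> <query type>".
SAMPLE_LOG = """\
2022-05-10T09:00:01 10.0.0.15 www.example.com A
2022-05-10T09:00:02 10.0.0.15 mail.example.com A
2022-05-10T09:00:05 10.0.0.15 8f3a1c0d7e9b.tunnel-example.net TXT
2022-05-10T09:02:41 10.0.0.15 b27e4d91aa0c.tunnel-example.net TXT
2022-05-10T09:05:19 10.0.0.15 5c9d0e11f3ab.tunnel-example.net TXT
2022-05-10T09:09:07 10.0.0.15 e0a6b4c8d2f7.tunnel-example.net TXT
2022-05-10T09:09:08 10.0.0.15 cdn.example.com A
2022-05-10T09:13:55 10.0.0.15 71d8e2f9a4b3.tunnel-example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered
    domain is the last two labels; a real deployment would consult a public
    suffix list so that names like example.co.uk are handled correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the simple four-column log format used by SAMPLE_LOG."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname, "qtype": qtype})
    return records


def score_domains(records, min_queries=3, entropy_threshold=3.0,
                  uniqueness_threshold=0.8):
    """Aggregate per (client, registered domain) and flag tunnelling candidates."""
    groups = defaultdict(list)
    for r in records:
        sub, dom = split_name(r["qname"])
        groups[(r["client"], dom)].append((r["ts"], sub, r["qtype"]))

    results = {}
    for (client, dom), rows in groups.items():
        rows.sort()
        subs = [s for _, s, _ in rows]
        n = len(rows)
        uniq_ratio = len(set(subs)) / n
        mean_entropy = sum(shannon_entropy(s) for s in subs) / n
        txt_ratio = sum(1 for _, _, t in rows if t in ("TXT", "NULL", "CNAME")) / n
        # Inter-query gaps: a fixed-interval beacon gives a CV near 0; long
        # random sleeps push the CV up, so periodicity alone is a weak signal.
        gaps = [(rows[i][0] - rows[i - 1][0]).total_seconds() for i in range(1, n)]
        if len(gaps) >= 2:
            mean_gap = sum(gaps) / len(gaps)
            var = sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)
            interval_cv = math.sqrt(var) / mean_gap if mean_gap else 0.0
        else:
            interval_cv = None
        flagged = (n >= min_queries and uniq_ratio >= uniqueness_threshold
                   and mean_entropy >= entropy_threshold)
        results[(client, dom)] = {"queries": n, "unique_subdomain_ratio": uniq_ratio,
                                  "mean_entropy": mean_entropy, "txt_ratio": txt_ratio,
                                  "interval_cv": interval_cv, "flagged": flagged}
    return results


def flagged_domains(text: str = SAMPLE_LOG):
    """Registered domains flagged as likely DNS tunnels in the given log."""
    return sorted(dom for (_, dom), s in score_domains(parse_log(text)).items()
                  if s["flagged"])


if __name__ == "__main__":
    for key, stats in score_domains(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

On the sample log, example.com stays quiet (ordinary labels such as www and mail have low entropy) while tunnel-example.net is flagged on the strength of five distinct hex-looking subdomains, even though its inter-query gaps are jittered. The interval coefficient of variation is reported for context only; the flag deliberately does not depend on it, which is the practical consequence of the random sleep behaviour described above.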
The MITRE ATT&CK TTPs commonly used by OilRig are:
TA0001: Initial Access
TA0002: Execution
TA0005: Defense Evasion
TA0003: Persistence
TA0011: Command and Control
T1059.001: PowerShell
T1059.003: Windows Command Shell
T1053.005: Scheduled Task
T1204.002: Malicious File
T1047: Windows Management Instrumentation
T1480: Execution Guardrails
T1087.001: Local Account
T1083: File and Directory Discovery
T1049: System Network Connections Discovery
T1071.004: DNS
T1132.002: Non-Standard Encoding
T1568.002: Domain Generation Algorithms
T1041: Exfiltration Over C2 Channel
Actor Details
Indicators of Compromise (IoCs)
References