In a recent report, cybersecurity researchers have uncovered a spear-phishing campaign conducted by the sophisticated Iranian-backed hacking group known as OilRig. This campaign is designed to infect victims with a newly discovered strain of malware called Menorah.
The malware possesses the capability to identify target machines, extract and upload files from them, and download additional malicious payloads. While the specific targets of this campaign are not yet disclosed, the use of decoys suggests that at least one of the victims is an organization located in Saudi Arabia.
OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is an Iranian advanced persistent threat (APT) group known for its covert intelligence gathering operations. This group specializes in infiltrating and maintaining access within targeted networks to gather sensitive information.
The continuous development of their malware tools, as observed in the deployment of the Menorah malware, underscores their determination to stay ahead of detection.
The Menorah malware, an improved version of the original SideTwist implant discovered in 2021, is coded in .NET and comes equipped with a range of features. These include host fingerprinting, directory and file listing, file uploading from compromised systems, shell command execution, and file downloading to the infected system.
OilRig’s adaptability, vast resources, and evolving techniques make them a persistent and formidable threat in the realm of cyber espionage. Security experts anticipate that the group will continue to customize its tactics and social engineering techniques to ensure successful intrusions and maintain their covert operations.