A highly active hacking group known for targeting Middle Eastern governments is updating its tools.
OilRig, a hacking group that has been linked by researchers to Iran, has been observed using an updated version of the BONDUPDATER malware to target a Middle Eastern government in spearphishing attacks, according to new research from the U.S. cybersecurity firm Palo Alto Networks.
Researchers offered up a spearphishing message sent to an official from an unspecified government. The email came with a malicious document containing a new version of the BONDUPDATER Trojan. The new version opens up new options for the malware to communicate with command-and-control servers and thereby new ways for the hackers to carry out attacks against targets.
In particular, this update “tunnels” through the Domain Name System (DNS), so that the malware and its operator can communicate through TXT records, part of the DNS system that normally lets computers find one another over the internet.
“This particular BONDUPDATER sample includes two different variations of the DNS tunneling protocol, one using DNS A records, and one using DNS TXT records to transmit data from the C2 to the Trojan,” the researchers wrote. “The use of TXT records for C2 communications appears to be a new feature to the BONDUPDATER Trojan.”
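The report describes both A-record and TXT-record variants of the tunneling protocol. As an added example (not code from the Palo Alto Networks report or from BONDUPDATER), the following script shows one way a defender could hunt for that pattern in resolver logs: clients that issue repeated queries of one record type whose leftmost label looks like encoded data under a single zone. The log format, the sample lines, the "last two labels = registrable domain" shortcut and the thresholds are all assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines in a hypothetical
# "<client> <qtype> <qname>" format; not real OilRig/BONDUPDATER traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 7a9f3c1e0b2d.c2-example.test
10.0.0.5 TXT 4d8e2b6f9a1c.c2-example.test
10.0.0.5 TXT b3e7c9d1f5a2.c2-example.test
10.0.0.5 A mail.example.com
10.0.0.7 TXT _dmarc.example.com
10.0.0.7 A www.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; hex/base32-like data labels score high."""
    if not s:
        return 0.0
    freq = {ch: s.count(ch) for ch in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def parse_log(text):
    """Yield (client, qtype, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        client, qtype, qname = line.split()
        yield client, qtype, qname

def find_tunnel_suspects(text, min_queries=3, min_entropy=3.0):
    """Return {client: {(zone, qtype): count}} for clients that send at least
    min_queries queries of one type (A or TXT) whose leftmost label has
    entropy >= min_entropy under the same zone. Both DNS A and DNS TXT
    tunneling variants are covered because qtype is part of the key."""
    counts = defaultdict(lambda: defaultdict(int))
    for client, qtype, qname in parse_log(text):
        if qtype not in ("A", "TXT"):
            continue
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:          # need a subdomain label to carry data
            continue
        zone = ".".join(labels[-2:])  # assumption: registrable domain = last two labels
        if shannon_entropy(labels[0]) >= min_entropy:
            counts[client][(zone, qtype)] += 1
    return {c: {k: n for k, n in keys.items() if n >= min_queries}
            for c, keys in counts.items()
            if any(n >= min_queries for n in keys.values())}

if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_LOG))
```

Legitimate TXT lookups such as `_dmarc.example.com` fall below the entropy threshold, so only the client repeatedly querying encoded labels under `c2-example.test` is flagged.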
Palo Alto Networks researchers have been closely tracking OilRig’s movements lately. Earlier this month, researchers found new incursions against Middle Eastern governments and new evasion techniques meant to cut down on the risk of detection.
Within the last year, the same researchers at Palo Alto Networks saw OilRig target Israel, FireEye spotted OilRig targeting Saudi Arabia and other security firms saw the group targeting Qatar. The group is known to use leaked NSA cyberweapons but, as demonstrated by BONDUPDATER, is well-versed in creating and deploying its own custom tools. The group has been active for at least three years.
Iran has become a potent and active cyber power due in large part to the cyber offensive waged against it in the last two decades. Stuxnet and Nitro Zeus, two incidents targeting Iran’s most sensitive vulnerabilities, remain two of the most important events in cybersecurity history; both involved the United States and Israel planning and, in the case of Stuxnet, executing cyberattacks against Iran.
Recently, information warfare operations linked to Iran and mass credential-stealing campaigns against global universities show the country is expanding its arsenal and target base. Like the rest of the world, including its adversaries, Tehran’s interest and activity in cyberspace are steeply accelerating.