OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details


OilRig (aka Earth Simnavaz, APT34) is a cyber espionage group linked to Iranian state interests.

The group primarily targets the energy, government, and critical infrastructure sectors.


Cybersecurity researchers at Trend Micro recently found that OilRig has been actively abusing compromised Microsoft Exchange servers to harvest and exfiltrate credentials.

The current campaign focuses on the UAE and the wider Gulf region. Among the new tooling is a backdoor deployed on Exchange servers whose purpose is credential theft.

OilRig Hackers Exploiting Microsoft Exchange Servers

The attack chain begins with the upload of a web shell to a vulnerable, internet-facing server. The web shell gives the operators remote code execution on the host and lets them upload and download files at will.
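A first triage step on an Exchange server suspected of hosting such a web shell is to look for server-side script files that have been added or changed recently, or that contain code typical of ASP.NET shells. The following PowerShell is an added example for this article, not Trend Micro's code or the group's tooling. It assumes the server exposes the standard ExchangeInstallPath environment variable, and the directory list and content patterns are a starting baseline to tune for your estate.

```powershell
# Added example (not from Trend Micro's report or OilRig tooling): hunt Exchange's
# IIS content directories for files that look like dropped web shells.
# Assumption: $env:ExchangeInstallPath is set (standard on Exchange servers);
# the directories and regex patterns below are a baseline, not an exhaustive list.
function Find-ExchangeWebShellCandidates {
    [CmdletBinding()]
    param(
        [string]$Root = $env:ExchangeInstallPath,
        [int]$Days = 30,
        # Server-side script extensions IIS will execute in these virtual directories
        [string[]]$Extensions = @('*.aspx', '*.ashx', '*.asmx', '*.asp'),
        # Heuristic content patterns common to ASP.NET web shells
        [string[]]$Patterns = @('Request\[', 'Request\.Form', 'eval\(', 'Process\.Start',
                                'cmd\.exe', 'FromBase64String')
    )
    if (-not $Root) { throw 'ExchangeInstallPath is not set; pass -Root explicitly.' }

    $dirs = @(
        (Join-Path $Root 'FrontEnd\HttpProxy')   # OWA/ECP/EWS front-end virtual directories
        (Join-Path $Root 'ClientAccess')         # back-end OWA/ECP content
        'C:\inetpub\wwwroot\aspnet_client'       # common drop location outside the Exchange tree
    ) | Where-Object { Test-Path -LiteralPath $_ }

    $since = (Get-Date).AddDays(-$Days)
    foreach ($f in Get-ChildItem -Path $dirs -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue) {
        $recent  = $f.LastWriteTime -gt $since
        $content = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction SilentlyContinue
        $hits    = @($Patterns | Where-Object { $content -match $_ })
        # Report files that are new/modified, or that carry two or more shell-like constructs;
        # a file that is both recent and pattern-heavy is the strongest candidate.
        if ($recent -or $hits.Count -ge 2) {
            [pscustomobject]@{
                Path          = $f.FullName
                LastWriteTime = $f.LastWriteTime
                SizeBytes     = $f.Length
                SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                Matches       = ($hits -join ',')
                Recent        = $recent
            }
        }
    }
}

Find-ExchangeWebShellCandidates | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Legitimate Exchange files in these directories normally change only when a cumulative update or security update is installed, so compare LastWriteTime against your patch history before escalating a hit; the SHA256 column is there so a confirmed shell can be searched for across other servers.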


They then use ngrok, a reverse-tunnelling tool that Trend Micro groups with remote monitoring and management (RMM) software, to keep a covert channel into the network and to support lateral movement.

For privilege escalation, Earth Simnavaz exploits CVE-2024-30088, a Windows kernel elevation-of-privilege vulnerability, loading the exploit binary directly in memory with the RunPE-In-Memory tool so that it never has to be written to disk as a standalone executable.

Attack chain (Source – Trend Micro)

Next, the operators register a password filter DLL with the Local Security Authority (LSA) so that plaintext passwords are captured whenever they are set or changed, and they exfiltrate the captured data through the compromised Exchange servers.

According to the Trend Micro report, the toolset also includes custom loaders, encrypted payloads, and scheduled tasks used for persistence.

The group also conducts supply chain attacks and has connections to FOX Kitten, another Iranian APT group that has been linked to ransomware campaigns.

Taken together, this shows the evolving capabilities of Earth Simnavaz and the persistent threat it poses to critical infrastructure and government systems.

In short, the methodology is to compromise on-premises Exchange servers, harvest credentials with the dropped password filter DLL, exfiltrate them through the Exchange servers themselves, and keep access with RMM-style tunnelling tools such as ngrok.

Registering the DLL with the LSA (Source – Trend Micro)

The malicious DLL, psgfilter.dll, is a password filter: once listed under LSA's Notification Packages, it is called by LSA with the new plaintext password each time a local account password is set or changed (and, on a domain controller, each time a domain account password is changed), which is how the group intercepts credentials.
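Because every password filter must be registered in the same registry value, that value is the natural place to check for a DLL like psgfilter.dll. The PowerShell below is an added example written for this article, not code from Trend Micro or from the group. It enumerates the LSA Notification Packages value, resolves each entry to the DLL that LSA would load, verifies its Authenticode signature, and flags anything outside a known-good baseline. The baseline names (scecli and rassfm) are the defaults on a typical Windows Server install and are an assumption to adjust for your environment.

```powershell
# Added example (not from Trend Micro's report): audit the LSA password-filter
# registration that a DLL such as psgfilter.dll abuses.
# The registry key and value name are documented Windows behaviour; the
# known-good baseline is an assumption for a default Windows Server build.
function Get-LsaNotificationPackageAudit {
    [CmdletBinding()]
    param(
        # DLL base names expected on a clean machine (assumption; extend for third-party filters you deploy)
        [string[]]$KnownGood = @('scecli', 'rassfm')
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ comes back as string[]; each entry is a DLL name (without .dll) or a full path
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }   # trailing empty string is normal

        # LSA loads <name>.dll from System32 unless an explicit path is given
        $dll = if ([System.IO.Path]::IsPathRooted($name)) { $name }
               else { Join-Path $env:SystemRoot ('System32\{0}.dll' -f $name) }

        $exists = Test-Path -LiteralPath $dll
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $base   = [System.IO.Path]::GetFileNameWithoutExtension($dll)

        # Anything unlisted, missing on disk, or not validly signed deserves a look
        $suspicious = ($KnownGood -notcontains $base) -or
                      (-not $exists) -or
                      ($sig -and $sig.Status -ne 'Valid')

        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite  = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTime } else { $null }
            Suspicious = $suspicious
        }
    }
}

Get-LsaNotificationPackageAudit | Format-Table -AutoSize
```

Run this on domain controllers first, since a filter registered there sees every domain password change, and then on Exchange and other member servers. A change to this value requires a reboot before LSA loads the new DLL, so a suspicious entry whose DLL's LastWrite predates the last boot has most likely already been active.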

A custom backdoor named STEALHOOK collects the stolen credentials and exfiltrates them as e-mail attachments, frequently routed through legitimate government Exchange servers so the traffic blends in with normal mail flow.

To maintain persistence, Earth Simnavaz also uses PowerShell scripts, web shells, and .NET tools.

Their techniques include:

  • Modifying registry keys.
  • Abusing the Exchange Web Services (EWS) API.
  • Using ngrok to create covert tunnels for command-and-control (C&C) communication.
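The ngrok tunnels and the scheduled-task persistence described above leave artefacts on the host that can be checked in one pass: a running process whose image or command line references ngrok, the established TCP connections that process owns, scheduled tasks whose actions launch it, and autostart registry values pointing at it. The PowerShell below is an added example for this article, not Trend Micro's code or the group's tooling. The indicator strings are an assumption: a renamed ngrok binary with a renamed config file will slip past a name match, so treat this as a starting point rather than a complete detection.

```powershell
# Added example (not from Trend Micro's report): hunt for ngrok-style tunnels and
# the scheduled-task / Run-key persistence that keeps them alive.
# Assumption: the binary or its config still carries an "ngrok" string; tune $Indicators
# for your environment (renamed copies need process-behaviour or network telemetry instead).
function Find-NgrokPersistence {
    [CmdletBinding()]
    param(
        [string[]]$Indicators = @('ngrok', 'ngrok.yml', 'tunnel.ngrok.com')
    )
    $hits = New-Object System.Collections.Generic.List[object]
    $matchesIndicator = { param($text) [bool]($Indicators | Where-Object { $text -like "*$_*" }) }

    # 1. Running processes: image name, path or command line mentioning ngrok,
    #    plus the established connections they own (the tunnel endpoint)
    foreach ($p in Get-CimInstance Win32_Process) {
        $text = "$($p.Name) $($p.ExecutablePath) $($p.CommandLine)"
        if (& $matchesIndicator $text) {
            $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
            $hits.Add([pscustomobject]@{
                Kind   = 'Process'
                Where  = "PID $($p.ProcessId) ($($p.Name))"
                Detail = $p.CommandLine
                Remote = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ','
            })
        }
    }

    # 2. Scheduled tasks whose action executes or references ngrok
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $text = "$($a.Execute) $($a.Arguments)"
            if (& $matchesIndicator $text) {
                $hits.Add([pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Where  = "$($t.TaskPath)$($t.TaskName) [state: $($t.State)]"
                    Detail = $text
                    Remote = ''
                })
            }
        }
    }

    # 3. Machine-wide autostart values (one of the "registry keys" such groups modify)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            if (& $matchesIndicator "$($v.Value)") {
                $hits.Add([pscustomobject]@{
                    Kind   = 'RunKey'
                    Where  = "$k\$($v.Name)"
                    Detail = $v.Value
                    Remote = ''
                })
            }
        }
    }

    return $hits
}

Find-NgrokPersistence | Format-Table -AutoSize -Wrap
```

Where the name match fails, the Remote column from the process check is still useful: an interactive shell or server process with a single long-lived outbound TLS connection to an address outside your normal egress set is the behavioural signature of a reverse tunnel, whatever the binary is called.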

The group's primary objectives appear to be espionage and the theft of sensitive government information, and its malware is built to blend into normal network activity and evade detection.



