The Iranian state-sponsored hacking outfit APT34, dubbed OilRig, has recently escalated its activity by launching new campaigns against government and vital infrastructure entities in the United Arab Emirates and the Gulf area.
OilRig employed a new backdoor to target Microsoft Exchange servers and steal passwords, as well as exploiting the Windows CVE-2024-30088 vulnerabilities to escalate their privileges on affected devices, according to Trend Micro researchers.
In addition to the activity, FOX Kitten, another Iran-based APT outfit involved in ransomware attacks, and OilRig have been linked by Trend Micro.
The attacks observed by Trend Micro start with the exploitation of an unprotected web server to upload a web shell, enabling the hackers to execute remote code and PowerShell commands. Once the web shell is activated, OilRig uses it to launch additional tools, including a component that exploits the Windows CVE-2024-30088 bug.
CVE-2024-30088 is a high-severity privilege escalation vulnerability that Microsoft patched in June 2024, allowing attackers to elevate their privileges to the SYSTEM level and gain significant control over the compromised devices.
Microsoft has identified a proof-of-concept exploit for CVE-2024-30088, although it hasn't yet disclosed on its security portal that the vulnerability is being actively exploited. Furthermore, CISA has not listed it as having been previously exploited in its catalogue of known exploited vulnerabilities.
Following a password change event, OilRig downloads and installs 'ngrok,' a remote monitoring and management application that enables covert communications via secure tunnels. This allows the tool to intercept plaintext credentials.
The use of on-premise Microsoft Exchange servers by threat actors as a means of credential theft and sensitive data exfiltration through fake, difficult-to-identify email traffic is another novel strategy.
The exfiltration is accomplished using a new backdoor known as 'StealHook,' and Trend Micro claims that government infrastructure is frequently employed as a pivot point to make the operation appear authentic.
"The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," notes Trend Micro in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.”