A highly-active hacking group known for targeting Middle Eastern governments is updating its tools.
OilRig, a hacking group that has been linked by researchers to Iran, has been observed using an updated version of the BONDUPDATER malware to target a Middle Eastern government in spearphishing attacks, according to new research from the U.S. cybersecurity firm Palo Alto Networks.
Researchers offered up a spearphishing message sent to an official from an unspecified government. The email came with a malicious document containing a new version of the BONDUPDATER Trojan. The new version opens up new options for the malware to communicate with command-and-control servers and thereby new ways for the hackers to carry out attacks against targets.
In particular, this update “tunnels” through the Domain Name System (DNS) so that the malware and hacker can communicate through TXT records normally used by the DNS system so that computers can more easily find one another over the internet.
“This particular BONDUPDATER sample includes two different variations of the DNS tunneling protocol, one using DNS A records, and one using DNS TXT records to transmit data from the C2 to the Trojan,” the researchers wrote. “The use of TXT records for C2 communications appears to be a new feature to the BONDUPDATER Trojan.”
Palo Alto Network researchers have been closely tracking OilRig’s movements lately. Earlier this month, researchers found new incursions against Middle Eastern governments and new evasion techniques meant to cut down on the risk of detection.
Within the last year, the same researchers at Palo Alto Networks saw OilRig target Israel, FireEye spotted OilRig targeting Saudi Arabia and other security firms saw the group targeting Qatar. The group is known to use leaked NSA cyberweapons but, as demonstrated by BONDUPDATER, is well-versed in creating and deploying its own custom tools. The group has been active for at least three years.
Iran has become a potent and active cyber power due in large part to the cyber offensive waged against them in the last two decades. Stuxnet and Nitro Zeus, two incidents targeting Iran’s most sensitive vulnerabilities, remain two of the most important events in cybersecurity history — both of which involve the United States and Israel planning and, in the case of Stuxnet, executing cyberattacks against Iran.
Recently, information warfare operations linked to Iran and mass credential-stealing campaigns against global universities show the country is expanding their arsenal and targetbase. Like the rest of the world, including its adversaries, Tehran’s interest and activity in cyberspace is steeply accelerating.