OilRig, an Iran-linked group, has launched a sophisticated attack on Iraqi government networks, delivering new malware through phishing emails to steal data and remotely control compromised systems.
OilRig, also known as APT34 or Crambus, has carried out a series of attacks on Iraqi government institutions, including the Prime Minister's Office and the Ministry of Foreign Affairs. The attackers used malicious files disguised as legitimate documents to deploy two new malware families, Veaty and Spearal. Both are capable of executing PowerShell commands and of collecting sensitive files and transferring them to attacker-controlled servers. The primary command-and-control channel is compromised email mailboxes belonging to the victim organizations, which lets the attackers' traffic blend in with legitimate mail flow.
OilRig has been active since 2014, focusing on the Middle East. The group regularly uses phishing campaigns to distribute custom backdoors, including Karkoff, PowerExchange, and others. This campaign illustrates how the group's tooling keeps evolving: new malware families combined with sophisticated command-and-control mechanisms such as DNS tunneling and email-based channels, both of which are harder to spot than direct connections to attacker infrastructure.
The OilRig attack on Iraq demonstrates the ongoing threat from Iranian cyber groups. The group continues to refine its methods, including adopting new command-and-control channels, which requires government agencies to keep strengthening their cyber security, in particular monitoring of outbound DNS and email traffic for signs of covert communication.