A well-known hacking group is getting better at evading detection
A well-known hacking group remains highly active with new incursions against Middle Eastern governments, according to a new report from U.S. cybersecurity firm Palo Alto Networks. Additionally, the group is employing evasion techniques meant to cut down on the risk of detection.
The new report focuses on OopsIE, a trojan first tracked earlier this year, which is being used in highly targeted spearphishing attacks against a Middle Eastern government agency. The trojan is used by OilRig, a group that has been linked to Iran.
“The OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox checks,” the researchers wrote. “If any of the checks … are successful, the Trojan will exit without running any of its functional code. These evasion techniques are meant to thwart automated analysis in an effort to avoid detection.”
The checks OopsIE runs include ones on hardware vitals such as system temperature and CPU fan status, used to determine whether the victim machine is a virtual machine or a physical one. If it’s physical, the attack continues; if it’s virtual, the whole thing shuts down. Checks like these aren’t totally new, but some of OopsIE’s evasion techniques, like the CPU fan check, are novel.
The malware will only run on computers configured for a small number of time zones: UTC+2, +3, +3.5 or +4. These are the default Windows time zones for Iran, Saudi Arabia, Yemen, Iraq and Gulf states including Kuwait, Qatar and the United Arab Emirates.
“The fact that the Trojan will not operate on systems that are not configured with these time zones suggests that this is a highly targeted attack focused on a specific subset of target nations,” the researchers wrote.
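For analysts who need a sample like this to actually execute in a sandbox, the gates described above (time zone offset, CPU fan, temperature sensor) translate into a readiness check. The following is an added example, not code from the report or from the malware: it assumes the sample treats a missing fan or temperature sensor as "virtual" (the report gives only the general idea), and it takes the fan and sensor counts as constructed inputs rather than querying the hardware inventory itself.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# UTC offsets (hours east of UTC) on which the report says the sample will run.
# +3.5 matters: an integer-hour comparison would silently miss Iran Standard Time.
ALLOWED_OFFSETS_HOURS = {2.0, 3.0, 3.5, 4.0}


def offset_hours(offset: timedelta) -> float:
    """Convert a UTC offset to signed fractional hours (e.g. +3.5 for Iran)."""
    return offset.total_seconds() / 3600.0


def local_utc_offset(now: Optional[datetime] = None) -> timedelta:
    """UTC offset of the host this runs on, i.e. what a time-zone gate would observe."""
    current = (now or datetime.now()).astimezone()
    return current.utcoffset() or timedelta(0)


def gate_report(utc_offset: timedelta, fan_count: int, thermal_sensor_count: int) -> Dict[str, object]:
    """Evaluate the three gates from the report and list what the sandbox must change.

    fan_count and thermal_sensor_count are values an analyst reads from the guest's
    hardware inventory (constructed inputs in this example; on Windows they would
    come from WMI). Returns {"would_execute": bool, "blockers": [reason, ...]}.
    """
    blockers: List[str] = []
    hours = offset_hours(utc_offset)
    if hours not in ALLOWED_OFFSETS_HOURS:
        blockers.append(
            f"time zone UTC{hours:+g} not in {sorted(ALLOWED_OFFSETS_HOURS)}; "
            "set the sandbox clock to UTC+3 (or another listed offset)"
        )
    if fan_count == 0:
        blockers.append("no CPU fan exposed to the guest; sample would exit as 'virtual'")
    if thermal_sensor_count == 0:
        blockers.append("no temperature sensor exposed to the guest; sample would exit as 'virtual'")
    return {"would_execute": not blockers, "blockers": blockers}


if __name__ == "__main__":
    # Constructed inventory: one fan, one thermal sensor, host clock as-is.
    print(gate_report(local_utc_offset(), fan_count=1, thermal_sensor_count=1))
```

The blockers list doubles as a checklist for hardening the analysis VM so the sample reaches its functional code instead of exiting early.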
Iranian-linked hackers are highly active in the Middle East, according to previous reports from Palo Alto Networks and Symantec, but the specific targets are rarely made public.
OilRig has been active for at least three years.
Any mention of Iran’s offensive cyber activity must be accompanied by the facts about Iran being a regular target of advanced hackers from nations like the United States and Israel. The malware known as Stuxnet, first uncovered in 2010, remains one of the most sophisticated and impactful cyberattacks in history. The Obama administration also laid out a plan known as Nitro Zeus, which prepared the battlefield for Iran by spreading malware across the targeted nation.
The region remains a global hot spot. In addition to nascent information warfare operations linked to Iran, hackers targeted global universities to conduct mass credential-stealing campaigns, according to Secureworks, an Atlanta-based cybersecurity company owned by Dell.