Iran-linked hackers develop new malware downloaders to infect victims in Israel
A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel.
Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34.
Previous reports said the group primarily targeted organizations in the Middle East this year, especially focusing on Israel during its ongoing war with the Palestinian militant group Hamas.
ESET researchers labeled the three new malware downloaders as ODAgent, OilCheck and OilBooster. The hackers also released an updated version of their previous downloader, dubbed SampleCheck5000.
All of them were deployed against Israeli targets, including those in the healthcare sector, a manufacturing company and a local governmental organization, all of which had previously been affected by multiple OilRig tools.
“It underlines the fact that OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks,” researchers said.
OilRig also is trying to hide its activity by using well-known cloud service providers for command-and-control communication, ESET said.
This strategy allows the malicious downloaders to blend their activity more easily into the regular stream of network traffic, the researchers said. OilRig typically uses the malware to send in other malicious software and exfiltrate files.
The researchers couldn’t identify the initial attack vector used by hackers to compromise Israeli networks. They also couldn’t confirm whether the attackers have been able to successfully compromise the same organizations repeatedly or if they somehow managed to maintain their foothold in the network between deploying various tools.
However, “the continuous development and testing of new variants, experimentation with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, make OilRig a group to watch out for,” says ESET researcher Zuzana Hromcová, in a statement shared with Recorded Future News.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.