May 29, 2016
Researchers from Palo Alto Networks have presented data about a cyber-espionage campaign they named OilRig, targeting Saudi Arabian financial institutions and technology organizations, which appears to have taken aim at the country’s defense industry as well, but at a different time last year.
The most recent waves of attacks were recorded in May 2016 and seem to have ties with a broader campaign targeting a large number of banks across the Middle East, which is using malicious Excel files and on which we reported at the start of last week.
Palo Alto, who analyzed the attacks on Saudi Arabian targets, says the crooks used two different delivery methods to deploy a backdoor named Helminth.
Threat group infected targets with the Helminth backdoor trojan
First, they used the Excel-based method described last week, deploying Excel macros to deliver VBScript and PowerShell scripts, which then downloaded the Helminth backdoor trojan, and moved stolen data masked as DNS requests.
The second distribution method Palo Alto detected included delivering a Windows executable (CHM – compiled HTML file) via email ZIP attachments, which also deployed the Helminth trojan at a later stage.
Both delivery methods had a common theme for the phishing emails, and that was for IT troubleshooting operations.