Iran-linked Threat Group Targets Government Organizations

By Joseph Lorenz on October 7, 2016


An Iran-linked threat group that has been observed attacking organizations in Saudi Arabia has improved its malware tools and expanded its target list to other countries. Palo Alto Networks researchers reported observing attacks launched by the threat actor against financial institutions and technology companies in Saudi Arabia in May 2016.

The campaign, which has been named OilRig, has consisted of weaponized Microsoft Excel spreadsheets, tracked as “Clayside” documents, combined with a backdoor dubbed “Helminth”. Other attacks aimed at banks in May have also been documented by FireEye researchers. According to Palo Alto Networks researchers, analysis of the group’s activities shows that it has also targeted a company in Qatar and government agencies in the United States, Israel, and Turkey. The threat actor behind OilRig uses spear-phishing attacks with malicious macro-based Excel documents to deliver the Helminth backdoor. There are two types of Helminth: one relies on VBScripts and PowerShell scripts, and the other is distributed as an executable file. The executable version is delivered by a trojan named “HerHer” and has the capability of logging keystrokes.

Researchers have found numerous clues and indicators that point to an Iran-based actor, although they admit that such data can be easily forged. One of these indicators is the use of the Persian language in the malware samples and in information associated with the C&C domains. Palo Alto Networks also discovered an IP address that had been mentioned by another security company, Symantec, last year. That report describes the activities of two Iran-based threat groups, dubbed Cadelle and Chafer, that appear to be linked to these recent events.