Carding 4 Carders
Professional
Apparently, the Iranian hackers have carefully prepared for a long-term campaign.
An Iranian hacking group known as OilRig (APT34) compromised at least 12 computers on a Middle Eastern government's network and maintained access for eight months, from February to September 2023. OilRig is affiliated with Iran's Ministry of Intelligence and Security (MOIS) and is known for its attacks on the United States, Middle Eastern countries, and Albania.
As the Symantec team noted, the attacks were aimed at stealing passwords and data and at installing a malicious PowerShell backdoor called "PowerExchange", which is controlled through Microsoft Exchange. PowerExchange was first seen in May 2023, when it was found on compromised systems of a UAE government organization, apparently as a trial deployment.
Symantec found that the malware logs in to the Exchange Server with credentials supplied by the attackers and monitors incoming emails for "% %" in the subject line, which signals that the message carries attachments containing commands to execute. After executing the commands, the malware moves the messages to the Deleted Items folder to reduce the chance of detection. The output of the executed commands is emailed back to the attackers.
In addition to PowerExchange, APT34 used a number of other tools, such as Backdoor.Tokel, Trojan.Dirps (lists files on the victim's computer and executes PowerShell commands), Infostealer.Clipog (clipboard theft and keylogging), Mimikatz, and Plink. The attacks recorded by Symantec began on February 1, 2023, and a wide range of malware and tools was introduced over the course of the intrusion.
First, a PowerShell script (joper.ps1) was run; it was executed several times during the first week. On February 5, the attackers moved to a second computer on the network and used a disguised (renamed) copy of Plink to tunnel RDP access. In April, two more computers were infected and Mimikatz was run to harvest credentials. In June, the main phase of the attack began, with Backdoor.Tokel and PowerExchange deployed. Backdoor.Tokel allowed the attackers to execute PowerShell commands and download files to infected systems.
In August, the attackers scanned for Log4j vulnerabilities, and by September the number of compromised computers had reached 15. Symantec says the attackers were active on at least 12 computers, but there is evidence of their activity on many others. Despite the exposure OilRig suffered in 2019, when its tools were leaked, the latest attacks show that the group remains active.
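The PowerExchange command channel described in the post (a trigger string in the subject, commands in attachments, the message then moved to Deleted Items) is a pattern you can hunt for in mailbox audit data. The following is an added detection example, not code from Symantec or from the original post. It runs over constructed, simplified audit records; the field names (`ts`, `mailbox`, `op`, `subject`, `has_attachment`), the operation names, the sample mailboxes and the 30-minute delete window are all assumptions for illustration, and a real Exchange or Microsoft 365 audit export would need its columns mapped onto this shape first.

```python
"""Hunt for the PowerExchange-style mail C2 pattern in mailbox audit records.

Added example; not Symantec's or the original post's code. The record shape
below is a simplified, assumed form of a mailbox audit log, not a real export.
"""
from datetime import datetime, timedelta

TRIGGER = "% %"                  # subject marker the backdoor is reported to poll for
DELETE_WINDOW = timedelta(minutes=30)  # assumed: delete this soon after arrival is suspicious
DELETE_OPS = ("MoveToDeletedItems", "SoftDelete", "HardDelete")  # assumed op names

# Constructed sample records, not real telemetry. Mailboxes are hypothetical.
SAMPLE_RECORDS = [
    {"ts": "2023-06-12T08:01:10", "mailbox": "svc-exch@example.gov", "op": "Create",
     "subject": "% % weekly", "has_attachment": True},
    {"ts": "2023-06-12T08:01:55", "mailbox": "svc-exch@example.gov", "op": "MoveToDeletedItems",
     "subject": "% % weekly", "has_attachment": True},
    # Benign: a single '%' followed by text, no trigger, no attachment.
    {"ts": "2023-06-12T09:30:00", "mailbox": "alice@example.gov", "op": "Create",
     "subject": "Budget 100% done", "has_attachment": False},
    {"ts": "2023-06-12T09:31:00", "mailbox": "alice@example.gov", "op": "MoveToDeletedItems",
     "subject": "Budget 100% done", "has_attachment": False},
    # Trigger plus attachment but never deleted: still worth a look, lower confidence.
    {"ts": "2023-06-12T10:00:00", "mailbox": "bob@example.gov", "op": "Create",
     "subject": "% % status", "has_attachment": True},
]


def parse_ts(value):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(value)


def find_powerexchange_pattern(records, window=DELETE_WINDOW):
    """Return one hit per message whose subject contains TRIGGER and that has an attachment.

    A hit is 'high' confidence when the same mailbox deletes a message with the
    same subject within `window` of its arrival (the cleanup step the post
    describes), otherwise 'medium'.
    """
    arrivals = [r for r in records
                if r["op"] == "Create" and TRIGGER in r["subject"] and r["has_attachment"]]
    deletes = [r for r in records if r["op"] in DELETE_OPS]

    hits = []
    for arrival in arrivals:
        t0 = parse_ts(arrival["ts"])
        matched = [d for d in deletes
                   if d["mailbox"] == arrival["mailbox"]
                   and d["subject"] == arrival["subject"]
                   and t0 <= parse_ts(d["ts"]) <= t0 + window]
        matched.sort(key=lambda d: parse_ts(d["ts"]))
        hits.append({
            "mailbox": arrival["mailbox"],
            "subject": arrival["subject"],
            "confidence": "high" if matched else "medium",
            "deleted_after_s": (parse_ts(matched[0]["ts"]) - t0).total_seconds() if matched else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_powerexchange_pattern(SAMPLE_RECORDS):
        print(hit)
```

The subject check is deliberately a substring match on the exact marker rather than a regex on any percent sign, so ordinary subjects such as "100% done" do not fire; tune `DELETE_WINDOW` to how quickly the backdoor is observed cleaning up in your own environment.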