Severity
High
Analysis Summary
An advanced cyber threat actor group of Iranian origin called OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, and Hazel Sandstorm) has been linked to the latest strain of Menorah malware, which is being distributed by spear-phishing.
“The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware,” the researchers reported.
OilRig is an Iranian state-backed advanced persistent threat (APT) group that specializes in cyberespionage, gathering intelligence in order to infiltrate victim networks and maintain long-term access to them.
This discovery builds upon recent findings by cybersecurity experts, which revealed an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating ongoing development efforts.

In the most recent infection chain detailed by researchers, a lure document is used to create a scheduled task for persistence and to drop an executable file called “Menorah.exe.” This executable establishes contact with a remote server to await further instructions, although the command-and-control server is currently inactive.
Menorah is a .NET-based malware, an improved version of the original C-based SideTwist implant. It comes equipped with various features, including the ability to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the compromised system.
The researchers note that OilRig consistently develops and enhances its tools with the aim of evading security solutions and detection by researchers. They also emphasize that APT34 demonstrates a high level of resources and diverse skills, making it likely that they will continue to customize their tactics, routines, and social engineering techniques for specific targeted organizations to ensure success in intrusions, maintaining stealth, and conducting cyber espionage.
“Typical of APT groups, APT34 demonstrates their vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques to use per targeted organization to ensure success in intrusions, stealth, and cyber espionage. The earlier variant of SideTwist is written in C, and this latest variant has a very similar set of functions but in a .NET implementation,” they conclude.
Impact
- Espionage
- Sensitive Information Theft
Indicators of Compromise
URL
http://tecforsc-001-site1.gtempurl.com/ads.asp
MD5
- 64f8dfd92eb972483feaf3137ec06d3c
- 868da692036e86a2dc87ca551ad61dd5
SHA-256
- 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618
- 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
SHA-1
- 3d71d782b95f13ee69e96bcf73ee279a00eae5db
- c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications up to date with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Deploy security information and event management (SIEM) solutions to centralize log analysis.
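A worked example of the IOC search recommended above, added here and not part of the advisory: it hashes files under a directory and compares the digests with the MD5/SHA-1/SHA-256 values listed in the Indicators of Compromise section, and it flags proxy log lines that reference the listed command-and-control URL. The proxy log lines are constructed samples; the directory path is whatever the analyst passes in.

```python
import hashlib
from pathlib import Path

# IOCs copied from the advisory above (Menorah samples and the C2 URL).
IOC_URLS = {"http://tecforsc-001-site1.gtempurl.com/ads.asp"}
IOC_HASHES = {
    "md5": {"64f8dfd92eb972483feaf3137ec06d3c", "868da692036e86a2dc87ca551ad61dd5"},
    "sha1": {"3d71d782b95f13ee69e96bcf73ee279a00eae5db", "c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a"},
    "sha256": {"8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618",
               "64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345"},
}

def hash_bytes(data: bytes) -> dict:
    """Compute all three digests the advisory lists, so any one of them can match."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def match_hashes(digests: dict) -> list:
    """Return the algorithms whose digest equals an advisory IOC (empty list = no hit)."""
    return [alg for alg, value in digests.items()
            if value.lower() in IOC_HASHES.get(alg, set())]

def scan_directory(root) -> list:
    """Walk a directory tree and report (path, matching algorithms) for IOC hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            algs = match_hashes(hash_bytes(path.read_bytes()))
        except OSError:  # unreadable file (permissions, locked); skip rather than abort
            continue
        if algs:
            hits.append((str(path), algs))
    return hits

def scan_proxy_log(lines) -> list:
    """Return log lines that contain the C2 URL or its host (host match catches other paths)."""
    hosts = {url.split("/")[2] for url in IOC_URLS}
    return [line for line in lines
            if any(u in line for u in IOC_URLS) or any(h in line for h in hosts)]

# Constructed sample proxy log lines (not from the advisory); one references the C2 host.
SAMPLE_PROXY_LOG = [
    "2023-10-05T09:12:01Z 10.0.0.21 GET http://example.com/index.html 200",
    "2023-10-05T09:13:44Z 10.0.0.21 GET http://tecforsc-001-site1.gtempurl.com/ads.asp 404",
]

if __name__ == "__main__":
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", line)
    for path, algs in scan_directory("."):
        print("IOC hash match:", path, algs)
```

A 404 or connection failure in the proxy log still counts as a hit: the advisory notes the C2 server is currently inactive, so the attempt itself is the evidence.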