OilRig is back with another Phishing Email attack, delivering the Saitama Backdoor


THREAT LEVEL: Amber.


According to research published by Fortinet (see References), the Iranian cyber-espionage group known as OilRig has begun sending malicious email to a Jordanian government employee at the country's foreign ministry. The email carries a malicious Excel sheet that installs the Saitama backdoor. Active since at least 2014, the group has targeted Middle Eastern nations and victims worldwide, and is known for concentrating on the financial, government, energy, chemical, and telecommunications sectors.

The threat actors sent the victim an email with the subject "Confirmation Receive Document" and an attached Excel file named "Confirmation Receive Document.xls," delivered via a Microsoft Outlook account. The Excel sheet drops a small backdoor written in .NET, known as the Saitama backdoor. Saitama uses the DNS protocol for its command-and-control communications. The actor also makes deliberate use of compression and long, randomized sleep intervals between beacons; both techniques are intended to hide the malicious queries among legitimate DNS traffic.
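DNS-based C2 of the kind described above leaves two signals in resolver logs: many distinct, long, high-entropy subdomain labels under one zone (the encoded data), and irregular spacing between queries (the randomized sleeps). The following heuristic detector is an added example written for this advisory; it is not code from the advisory, from Fortinet, or from the malware. The log format (`<epoch> <client_ip> <qtype> <qname>`), the sample lines, the `c2-zone.test` zone and the thresholds are all constructed assumptions for the illustration, and the fixed two-label zone split should be replaced by a Public Suffix List lookup in a real deployment.

```python
"""Heuristic detector for DNS-tunnelled C2 beacons (ATT&CK T1071.004 / T1132.002).

Added example, not code from the advisory or from Fortinet. Each zone seen in
a DNS query log is scored on (a) how many distinct subdomains were requested,
(b) how long and how random (Shannon entropy) those labels are, and (c) how
irregular the query timing is, which is what randomized sleep intervals look like.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log in an assumed format: "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.7 beacons encoded labels to a hypothetical zone.
SAMPLE_LOG = """\
1652000000 10.0.0.5 A www.example.com
1652000030 10.0.0.5 A mail.example.com
1652000060 10.0.0.5 A www.example.com
1652000090 10.0.0.5 A cdn.example.com
1652000120 10.0.0.5 A www.example.com
1652000007 10.0.0.7 A 3k9z2q7xm1fd8.c2-zone.test
1652000341 10.0.0.7 A p8q1mz0ab4ye2.c2-zone.test
1652000458 10.0.0.7 A x7lw2kd9qa0tn.c2-zone.test
1652001102 10.0.0.7 A g2vb8nr5ej1ko.c2-zone.test
1652001277 10.0.0.7 A 0h6sct4uy9m3w.c2-zone.test
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype, qname.lower().rstrip(".")))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """Return (subdomain, zone), treating the last zone_labels labels as the zone.
    Assumption for the example; use the Public Suffix List in production."""
    labels = qname.split(".")
    if len(labels) <= zone_labels:
        return "", qname
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def score_zones(records, min_queries=5):
    """Per-zone statistics plus a 'suspicious' verdict based on label shape."""
    by_zone = defaultdict(list)
    for ts, _client, _qtype, qname in records:
        sub, zone = split_name(qname)
        by_zone[zone].append((ts, sub))

    results = {}
    for zone, entries in by_zone.items():
        if len(entries) < min_queries:
            continue  # too little data to judge
        subs = [s for _, s in entries]
        timestamps = sorted(t for t, _ in entries)
        intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
        mean_iv = statistics.mean(intervals) if intervals else 0.0
        # Coefficient of variation of the inter-query gaps: ~0 for a fixed timer,
        # large when the implant sleeps for random durations between beacons.
        jitter = statistics.pstdev(intervals) / mean_iv if mean_iv else 0.0
        stats = {
            "queries": len(entries),
            "distinct_ratio": len(set(subs)) / len(entries),
            "avg_label_len": statistics.mean([len(s) for s in subs]),
            "avg_entropy": statistics.mean([shannon_entropy(s) for s in subs]),
            "jitter_cv": jitter,
        }
        # Thresholds are assumptions tuned to this sample; calibrate on your own baseline.
        stats["suspicious"] = (
            stats["distinct_ratio"] >= 0.8
            and stats["avg_label_len"] >= 10
            and stats["avg_entropy"] >= 3.0
        )
        results[zone] = stats
    return results


def flagged_zones(text):
    """Zones whose subdomain labels look like encoded data rather than hostnames."""
    scores = score_zones(parse_log(text))
    return sorted(z for z, s in scores.items() if s["suspicious"])


if __name__ == "__main__":
    for zone, s in score_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, {k: round(v, 2) if isinstance(v, float) else v for k, v in s.items()})
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

The label-shape test does the flagging; the jitter figure is reported separately because legitimate software also beacons irregularly, but a zone that both carries encoded-looking labels and shows high jitter deserves a look at the querying host for a scheduled task or an unexpected .NET process.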

The MITRE ATT&CK TTPs commonly used by OilRig are:

TA0001: Initial Access

TA0002: Execution

TA0005: Defense Evasion

TA0003: Persistence

TA0011: Command and Control

T1059.001: PowerShell

T1059.003: Windows Command Shell

T1053.005: Scheduled Task

T1204.002: Malicious File

T1047: Windows Management Instrumentation

T1480: Execution Guardrails

T1087.001: Local Account

T1083: File and Directory Discovery

T1049: System Network Connections Discovery

T1071.004: DNS

T1132.002: Non-Standard Encoding

T1568.002: Domain Generation Algorithms

T1041: Exfiltration Over C2 Channel

Actor Details

Indicators of Compromise (IoCs)

References

https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt