Speaking at Infosecurity Europe 2018 in London, Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks, described the increasing threat posed by the Middle Eastern group OilRig.
Hinchliffe works in the Unit 42 threat intelligence team at Palo Alto Networks and uses the ATT&CK and STIX frameworks to explore the lifecycle of cyberattacks. He described OilRig as an espionage adversary which, over the last two years, has been extracting information from governments, financial services companies and a number of non-profits in countries including Turkey, Saudi Arabia, Israel and Lebanon.
While Unit 42 has found that OilRig uses malicious macro documents as part of its attack toolkit, it also uses custom tools which, Hinchliffe said, have never been seen anywhere else before.
One example he gave of a malicious macro document attack involved an endpoint threat called Helminth, which relies on social engineering to get its code running and gather data from victims through Microsoft Excel spreadsheets, a format used frequently by governments and financial services.
“Sadly with most attacks it is phishing emails and using the human as the weakest link,” he said, explaining how the attackers send an Excel document to the victim and even attach a .png image showing the victim how they want them to open the document.
“They are literally spelling it out for the victim.”
The compatibility warning in the Excel file was created by OilRig to look very similar to Microsoft’s own warning, tricking the user into enabling the macro and running the code, which is hidden in the cells behind the fake warning.
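The lure described above has two traits a mail gateway or triage script can look for in an OOXML Excel attachment: an embedded VBA project and worksheets hidden from the user behind the fake warning. The following triage routine is an added example written for this article, not Unit 42's or Palo Alto Networks' code. The sample workbook it inspects is constructed inline (a placeholder vbaProject.bin and a minimal workbook.xml) so that it runs offline; the function and part names are the author's choices, and the Excel part paths it checks are the standard OOXML locations.

```python
"""Triage an Excel attachment for the macro-lure pattern: VBA project present
plus one or more hidden worksheets.  Added example; the workbook is constructed."""
import io
import re
import zipfile

VBA_PART = "xl/vbaProject.bin"          # standard OOXML location of the VBA project
WORKBOOK_PART = "xl/workbook.xml"       # lists worksheets and their visibility state
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls / OLE2 container

# <sheet name="..." sheetId="1" state="veryHidden" r:id="rId1"/>
SHEET_RE = re.compile(r"<sheet\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def triage_xlsx(data: bytes) -> dict:
    """Return findings for an Excel file supplied as bytes."""
    findings = {"has_vba": False, "hidden_sheets": [], "visible_sheets": [],
                "verdict": "clean"}
    if data.startswith(OLE_MAGIC):
        # Legacy binary workbook: macros live in OLE streams, not in a zip.
        findings["verdict"] = "legacy-ole: needs an OLE/VBA parser"
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "not-ooxml"
        return findings
    names = set(zf.namelist())
    findings["has_vba"] = VBA_PART in names
    if WORKBOOK_PART in names:
        xml = zf.read(WORKBOOK_PART).decode("utf-8", "replace")
        for tag in SHEET_RE.findall(xml):
            attrs = dict(ATTR_RE.findall(tag))
            name = attrs.get("name", "?")
            if attrs.get("state", "visible") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(name)
            else:
                findings["visible_sheets"].append(name)
    if findings["has_vba"] and findings["hidden_sheets"]:
        findings["verdict"] = "suspicious: macro plus hidden sheet (lure pattern)"
    elif findings["has_vba"]:
        findings["verdict"] = "review: macro present"
    return findings


def build_sample(with_vba: bool, hidden_payload_sheet: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (test input, not a real lure)."""
    sheets = '<sheet name="Compatibility warning" sheetId="1" r:id="rId1"/>'
    if hidden_payload_sheet:
        sheets += '<sheet name="Data" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                "<sheets>" + sheets + "</sheets></workbook>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(WORKBOOK_PART, workbook)
        if with_vba:
            zf.writestr(VBA_PART, b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for vba, hidden in ((True, True), (True, False), (False, False)):
        print(vba, hidden, triage_xlsx(build_sample(vba, hidden))["verdict"])
```

The combination is what matters: a visible sheet that only shows a warning, a hidden sheet with the real content, and a VBA project that unhides it once the user clicks through. A macro alone is common in finance environments and warrants review rather than a block; a macro plus very hidden sheets in a mailed attachment is the lure shape worth quarantining.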
Custom attack tools
But it is when OilRig attacks servers directly with custom tools that the attack becomes unique.
Hinchliffe described how the first recorded attack of this type used a tool called TwoFace, a webshell through which the attacker connected to a public-facing web server run by the victim.
“It’s a lot more sophisticated than the end-point malware,” he said.
Meanwhile, a more recent server attack, an RGDoor infection, involves malware that “hooks” every HTTP GET or POST request made to the victim’s web page. Each request passes through the adversary’s RGDoor first, so it can manipulate the data.
Commenting on these direct server attacks, Hinchliffe said: “It’s a sophisticated way to communicate. And it prevents you having that beacon – that regular heartbeat saying ‘I’m here, I’m here’ – across the network, which is a bit more stealth.”