# Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford

By Clearsky, January 5, 2017. Category: [Campaigns](http://www.clearskysec.com/category/campaigns/)

Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites they hosted malware that was digitally signed with a valid, likely stolen, code signing certificate.

Based on VirusTotal uploads, the content of the malicious documents, and known victims, other targeted organisations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.

## Fake VPN Web Portal

In one of the recent cases, the attackers sent the following email to individuals in targeted organisations:

The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could access specific computers or email accounts.
The link provided in the malicious email led to a fake VPN Web Portal. Upon logging in with the credentials provided in the email, the victim is presented with the following page:

The victim is asked to install the “VPN Client” (an .exe file), or, if the download fails, to download a password-protected zip (with the same .exe file inside).

The “VPN Client” is legitimate Juniper VPN software bundled with [Helminth](http://telussecuritylabs.com/threats/show/TSL20160530-07), a malware in use by the OilRig threat agent:

- JuniperSetupClientInstaller.exe – [6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link)](https://www.virustotal.com/en/file/a367ccb9ca5a958d012e94ae8122feda9a1a7f23a0c84e2bc5ee35c834900b61/analysis/1483354486/)

If the victim downloads and installs the file, their computer is infected while the legitimate VPN software is installed. Both the legitimate and the malicious installations can be seen in the process tree when the file is run in a Cuckoo sandbox.
Malicious processes are marked red:

The following malicious files are dropped and run:

- `C:\ProgramData\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\OFFLINE\9A189DFE\C7B7C186\main.vbs` – dcac79d7dc4365c6d742a49244e81fd0
- `C:\Users\Public\Libraries\RecordedTV\DnE.ps1` – 7fe0cb5edc11861bc4313a6b04aeedb2
- `C:\Users\Public\Libraries\RecordedTV\DnS.ps1` – 3920c11797ed7d489ca2a40201c66dd4
- `"C:\Windows\System32\schtasks.exe" /create /F /sc minute /mo 3 /tn "GoogleUpdateTasksMachineUI" /tr C:\Users\Public\Libraries\RecordedTV\backup.vbs` – 7528c387f853d96420cf7e20f2ad1d32

The command and control server is located at the following domain: tecsupport[.]in

A detailed analysis of the malware is provided in two posts by Palo Alto Networks ([May 2016](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) and [October 2016](http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/)) and in a [post by FireEye](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html), which wrote about previous campaigns by this threat agent.

(Note that Juniper Networks was not compromised nor otherwise involved in the attack, except for the attackers using its name and publicly available software.)

## Digitally signed malware

The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software:

- Thumbprint: `92B8C0872BACDC226B9CE4D783D5CCAD61C6158A`
- Serial number: `62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48`

This suggests that the attackers had obtained an AI Squared signing key, potentially after compromising their network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.
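The scheduled task listed among the dropped files above combines three traits a defender can hunt for in process-creation telemetry: a vendor-sounding task name, a three-minute cadence, and a VBScript action under C:\Users\Public. The following Python is an added example, not code from the ClearSky post or from any vendor product. It tokenizes `schtasks /create` command lines, extracts the task name, schedule and action, and records which of those traits are present. The first sample command line is the one quoted above; the remaining command lines, the path lists, the vendor-name prefixes and the cadence threshold are constructed assumptions.

```python
"""Flag suspicious scheduled-task creation in process-creation telemetry.

Added example, not code from the ClearSky post or from any vendor product.
The first sample command line reproduces the schtasks invocation quoted in
the post; the other command lines and all thresholds are constructed.
"""
import re

# Paths a standard user can write to; a vendor-looking task running from here is suspect (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\")
# Task-name prefixes commonly borrowed to blend in; the post's task was "GoogleUpdateTasksMachineUI".
VENDOR_LOOKALIKE = ("googleupdate", "microsoft", "adobe", "onedrive")
# schtasks switches that take a value; everything else is treated as a bare flag.
VALUED_FLAGS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ru", "/rp", "/rl", "/xml"}
SCRIPT_ACTION = re.compile(r"\.(vbs|ps1|js|jse|wsf|bat|cmd|hta)\b")

TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the options of a 'schtasks /create' command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith(("schtasks.exe", "schtasks")):
        return None
    opts, flags = {}, set()
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUED_FLAGS and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            flags.add(t)
            i += 1
    if "/create" not in flags:
        return None
    opts["flags"] = flags
    return opts


def assess(cmdline):
    """Return a finding for a suspicious 'schtasks /create' command line, else None."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return None
    task, action = opts.get("/tn", ""), opts.get("/tr", "")
    action_l = action.lower()
    reasons = []
    if SCRIPT_ACTION.search(action_l):
        reasons.append("action runs a script")
    if any(p in action_l for p in USER_WRITABLE):
        reasons.append("action lives in a user-writable path")
    if task.lower().startswith(VENDOR_LOOKALIKE) and "\\program files" not in action_l:
        reasons.append("vendor-lookalike task name with action outside Program Files")
    sc, mo = opts.get("/sc", "").lower(), opts.get("/mo", "")
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append("runs every few minutes (beaconing cadence)")
    if not reasons:
        return None
    schedule = f"{sc}/{mo}" if mo else sc
    return {"task": task, "action": action, "schedule": schedule, "reasons": reasons}


# Constructed process-creation command lines; only the first one is quoted in the post.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /create /F /sc minute /mo 3 /tn "GoogleUpdateTasksMachineUI" /tr C:\Users\Public\Libraries\RecordedTV\backup.vbs',
    r'schtasks.exe /create /tn "GoogleUpdateTaskMachineUA" /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /sc daily /st 03:00',
    r'schtasks.exe /query /tn "GoogleUpdateTasksMachineUI"',
    r'"C:\Windows\System32\cmd.exe" /c ipconfig /all',
]


def scan(cmdlines):
    """Assess every command line and return the findings."""
    return [f for f in (assess(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding["task"], finding["schedule"], finding["reasons"])
```

Only the task from the post is reported; the genuine Google Update task, the `/query` invocation and the unrelated cmd.exe line produce no finding. In production the same `assess` function would run over the `CommandLine` field of Sysmon Event ID 1 or Windows Security Event 4688, and the matched `/tr` path is the file to pull for hashing against the indicators listed in this post.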
## University of Oxford impersonation

The attackers registered four domains impersonating the University of Oxford.

oxford-symposia[.]com is a fake Oxford conference registration website. Visitors are asked to download the “University Of Oxford Job Symposium Pre-Register Tool”:

The downloaded file (which is also signed with an AI Squared certificate) is a fake registration tool built by the attackers:

- OxfordSymposiumRegTool.exe – f77ee804de304f7c3ea6b87824684b33

If run by the victim, their computer is infected while they are shown this registration process:

Note that after completing the “registration process”, the victim is asked to send the form to an email address in oxford-careers[.]com, which also belongs to the attackers.

Previously the fake website linked to the following documents on a third fake Oxford domain, oxford[.]in:

- http://oxford[.]in/downloads/ls1.doc
- http://oxford[.]in/downloads/ls2.doc
- http://oxford[.]in/downloads/ls3.doc
- http://oxford[.]in/downloads/ls4.do

The documents were unavailable during our research, and their content is unknown to us.

The attackers used a fourth domain, oxford-employee[.]com, to host an “Oxford Job application” website. When run, the victim is again presented with a tool created by the attackers, this time a “University Of Oxford Official CV Creator”:

Both samples mentioned in this section used the following domain for command and control: updater[.]li

## Other incidents

In an earlier incident, the attackers sent a malicious Excel file impersonating Israir, an Israeli airline (the content of the file was copied from the company’s public website, and we have no indication of the company being compromised or targeted):

- Israel Airline.xls – 197c018922237828683783654d3c632a

The file had a macro that, if enabled by the user, would infect their computer.
In other incidents the attackers used the following files:

- Special Offers.xls / Salary Employee 2016.xls – f76443385fef159e6b73ad6bf7f086d6
- pic.xls – 3a5fcba80c1fd685c4b5085d9d474118
- cv.xls – 72e046753f0496140b4aa389aee2e300
- users.xls – 262bc259682cb48ce66a80dcc9a5d587
- Employee Engagement Survey.xls – 726175e9aba421aa0f96cfc005664302
- JuniperSetupClientInstaller.exe – f8ce7e356e09de6a48dca9e51421b6f6
- Project_Domain_No337.chm – [1792cdd0c5397ff5df445d73276d1a50](https://www.virustotal.com/en/file/8cb80ac1f955bac9ccf67e843ddc15322b4aa70e8c98269a8a98a02df4cbd8b7/analysis/) (undetected as malicious by any antivirus on VirusTotal)
- gcaa_report_series15561.chm – [d50ab63f4034c6f5eb356e3326320e66](https://www.virustotal.com/en/file/172b407b28dff5b2f1110545758f15185668c305b0b371c02c8870770f4f7e7a/analysis/) (undetected as malicious by any antivirus on VirusTotal)

## Infrastructure overlap with Cadelle and Chafer

In December 2015, Symantec [published a post](https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) about “two Iran-based attack groups that appear to be connected, Cadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations”. Backdoor.Remexi, one of the malware families used by Chafer, had the following command and control host: 87pqxz159.dockerjsbin[.]com

Interestingly, the IP address 83.142.230.138, which serves as a command and control address for an OilRig-related sample (3a5fcba80c1fd685c4b5085d9d474118), was also pointed to by 87pqxz159.dockerjsbin[.]com. This suggests that the two groups may actually be the same entity, or that they share resources in one way or another.
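The hashes, command and control domains and the shared IP address listed in this section and the ones before it, together with the AI Squared certificate thumbprint from the digitally signed malware section and the indicator file published in the next section, only pay off when they are matched against telemetry in a normalized form: defanged `[.]` domains refanged, hash case ignored, DNS queries for subdomains of a C2 domain caught, and thumbprints compared hex-for-hex regardless of how a tool prints them. The Python below is an added example, not the post's or ClearSky's code. The indicator rows are constructed from values quoted in this post in a generic `type,value,note` CSV layout (an assumption, not the format of the published oilrig-indicators.csv), and the telemetry events are made up.

```python
"""Match host and network telemetry against a published indicator list.

Added example, not code from the ClearSky post. Indicator values are the
ones quoted in the post; the CSV layout and the telemetry events are
constructed for this example.
"""
import csv
import io
import re

# Constructed indicator export: type,value,note. The values come from the post;
# the thumbprint is that of the abused AI Squared code signing certificate.
INDICATORS_CSV = """type,value,note
md5,6a65d762fb548d2dc56cfde4842a4d3c,JuniperSetupClientInstaller.exe
md5,f77ee804de304f7c3ea6b87824684b33,OxfordSymposiumRegTool.exe
md5,3a5fcba80c1fd685c4b5085d9d474118,pic.xls
domain,tecsupport[.]in,Helminth C2
domain,updater[.]li,Oxford samples C2
domain,oxford-symposia[.]com,fake conference site
domain,87pqxz159.dockerjsbin[.]com,Backdoor.Remexi C2 (Chafer)
ip,83.142.230.138,C2 address shared with Chafer infrastructure
cert_thumbprint,92B8C0872BACDC226B9CE4D783D5CCAD61C6158A,AI Squared certificate used to sign the bundle
"""

# Constructed telemetry; host names, paths and event ids are made up.
EVENTS = [
    {"id": 1, "type": "dns", "host": "ws12", "query": "www.tecsupport.in."},
    {"id": 2, "type": "file", "host": "ws12",
     "path": r"C:\Users\bob\Downloads\JuniperSetupClientInstaller.exe",
     "md5": "6A65D762FB548D2DC56CFDE4842A4D3C"},
    {"id": 3, "type": "netconn", "host": "ws07", "dst_ip": "83.142.230.138", "dst_port": 443},
    {"id": 4, "type": "signer", "host": "ws07",
     "path": r"C:\Users\Public\OxfordSymposiumRegTool.exe",
     "thumbprint": "92:b8:c0:87:2b:ac:dc:22:6b:9c:e4:d7:83:d5:cc:ad:61:c6:15:8a"},
    {"id": 5, "type": "dns", "host": "ws03", "query": "update.microsoft.com"},
    {"id": 6, "type": "dns", "host": "ws03", "query": "nottecsupport.in"},
]

DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("(.)", "."), ("[dot]", ".")]


def refang(value):
    """Undo the defanging conventions commonly used in published indicator lists."""
    for marker, real in DEFANG:
        value = value.replace(marker, real)
    return value


def normalize(kind, value):
    """Bring an indicator or telemetry value into the canonical form used for matching."""
    value = value.strip()
    if kind in ("md5", "sha1", "sha256"):
        return value.lower()
    if kind == "domain":
        return refang(value).lower().rstrip(".")
    if kind == "cert_thumbprint":
        # Tools print thumbprints with spaces, colons or mixed case; keep only the hex digits.
        return re.sub(r"[^0-9a-fA-F]", "", value).upper()
    return value  # ip and anything else: exact string match


def load_indicators(csv_text):
    """Parse the CSV into {type: set(normalized values)}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs.setdefault(row["type"], set()).add(normalize(row["type"], row["value"]))
    return iocs


def domain_hit(query, domains):
    """Return the indicator matched by a DNS query, including queries for its subdomains."""
    labels = normalize("domain", query).split(".")
    for i in range(len(labels) - 1):  # full name first, then each parent, never the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_event(event, iocs):
    """Return (indicator_type, indicator) if the event matches an indicator, else None."""
    kind = event["type"]
    if kind == "dns":
        hit = domain_hit(event["query"], iocs.get("domain", set()))
        return ("domain", hit) if hit else None
    if kind == "file":
        h = normalize("md5", event["md5"])
        return ("md5", h) if h in iocs.get("md5", set()) else None
    if kind == "netconn":
        return ("ip", event["dst_ip"]) if event["dst_ip"] in iocs.get("ip", set()) else None
    if kind == "signer":
        t = normalize("cert_thumbprint", event["thumbprint"])
        return ("cert_thumbprint", t) if t in iocs.get("cert_thumbprint", set()) else None
    return None


def scan(events, iocs):
    """Run every event through match_event and collect the hits with their context."""
    hits = []
    for ev in events:
        m = match_event(ev, iocs)
        if m:
            hits.append({"event": ev["id"], "host": ev["host"], "indicator_type": m[0], "indicator": m[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS, load_indicators(INDICATORS_CSV)):
        print(hit)
```

Events 1 to 4 match (a subdomain query with a trailing dot, an upper-case MD5, the shared C2 address, and a colon-separated lower-case thumbprint), while the Microsoft query and `nottecsupport.in` do not; the last case is why the domain check walks label boundaries instead of using a plain suffix test. Treating the certificate thumbprint as an indicator matters here because the signature on the OilRig bundle was valid, so signature verification alone would have passed it.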
## Indicators of compromise

[Indicators file: oilrig-indicators.csv (also available on PassiveTotal)](http://www.clearskysec.com/wp-content/uploads/2017/01/oilrig-indicators.csv)

The graph below depicts the OilRig infrastructure:

### Acknowledgments

This research was facilitated by [PassiveTotal](https://www.passivetotal.org/) for threat infrastructure analysis, and by MalNet for malware research. We would like to thank [White-Hat](http://white-hat.co.il/), Tom Lancaster of Palo Alto Networks, Michael Yip of [Stroz Friedberg](https://www.strozfriedberg.com/), security researcher Marcus, and other security researchers and organizations who shared information and provided feedback.

### ClearSky

Ahead of the threat curve. Phone: 972 3 624 0346. Email: info [at] clearskysec.com