Menorah Malware Employed by Iranian APT

Iranian-sponsored cyber actors known as OilRig have been tied to a spear-phishing campaign that infects victims with a new type of malware called Menorah. According to a report by security researchers, this malware is designed for cyberespionage, with the ability to identify and read files on a target machine, as well as upload and download files. While the exact targets of these attacks are not yet known, the use of decoys suggests that at least one of them is an organization located in Saudi Arabia.

OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is an Iranian advanced persistent threat (APT) group that specializes in conducting covert intelligence-gathering operations to infiltrate and maintain access within targeted networks. Recent findings by NSFOCUS revealed an OilRig phishing attack that led to the deployment of a new variant of SideTwist malware, indicating ongoing development efforts.

In the most recent infection chain documented by researchers, a lure document is used to create a scheduled task for persistence and drop an executable file ("Menorah.exe"). This executable establishes contact with a remote server to await further instructions, although the command-and-control server is currently inactive. This .NET malware is an enhanced version of the original C-based SideTwist implant discovered by Check Point in 2021. It comes equipped with various features, such as host fingerprinting, file listing, file uploading from the compromised system, shell command execution, and file downloading to the infected system.
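The chain above has two behaviours a defender can look for in endpoint telemetry: an Office document registering a scheduled task that points at a dropped executable, and that executable later spawning a shell when the operator issues commands. The following is an added example, not code from the report or from any of the researchers it cites; it assumes Sysmon Event ID 1 style process-creation records (Image, ParentImage, CommandLine), and every sample event, path and task name in it is constructed for illustration.

```python
"""Detection heuristics for the Menorah-style infection chain described above.

Added example, not from the report. Assumes Sysmon Event ID 1 style
process-creation telemetry (Image, ParentImage, CommandLine); all sample
events below are constructed, including the host paths and task name.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Directories an unprivileged user can write to; a dropped payload usually lands here.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# Pulls the program path out of a schtasks /TR argument (quoted or not; simplified).
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the detection names an event triggers (empty list = nothing seen)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()

    # Lure document registering a scheduled task (the persistence step in the chain).
    if parent in OFFICE_PARENTS and img == "schtasks.exe" and "/create" in cmd:
        hits.append("office-doc-creates-scheduled-task")

    # Scheduled task whose action is an executable in a user-writable directory.
    if img == "schtasks.exe" and "/create" in cmd:
        m = TASK_ACTION.search(ev.command_line)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("scheduled-task-runs-user-writable-exe")

    # Office process directly launching a dropped executable.
    if parent in OFFICE_PARENTS and img.endswith(".exe") and USER_WRITABLE.search(ev.image):
        hits.append("office-doc-launches-user-writable-exe")

    # Executable in a user-writable directory spawning a shell; the implant's
    # shell-command capability would surface this way.
    if img in SHELLS and USER_WRITABLE.search(ev.parent_image):
        hits.append("user-writable-exe-spawns-shell")
    return hits


def scan(events):
    """Map event index -> triggered detections, for events that triggered any."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed sample telemetry (paths, user name and task name are invented).
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Windows\System32\schtasks.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r'schtasks.exe /Create /SC MINUTE /MO 5 /TN "OfficeUpdate" '
        r'/TR "C:\Users\victim\AppData\Roaming\Menorah.exe" /F',
    ),
    ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Users\victim\AppData\Roaming\Menorah.exe",
        r"cmd.exe /c dir",
    ),
    ProcEvent(  # benign: a user listing tasks from Explorer
        r"C:\Windows\System32\schtasks.exe",
        r"C:\Windows\explorer.exe",
        r"schtasks.exe /Query",
    ),
    ProcEvent(  # benign: ordinary application launch
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe",
        r"notepad.exe",
    ),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), hits)
```

Run against the constructed events, the first record trips both the Office-to-schtasks rule and the user-writable task action rule, the second trips the shell-from-dropped-executable rule, and the two benign records produce nothing. In a real deployment the same rules would be expressed in the SIEM's query language and tuned against the environment's legitimate Office add-ins and scheduled tasks, since the heuristics here key on behaviour, not on the Menorah.exe file name.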

Who is the OilRig APT?

The OilRig Advanced Persistent Threat (APT) is a cyber espionage group believed to be backed by the Iranian government. Also known by various other names, including APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig has been active since at least 2014. Here are some key characteristics and activities associated with the OilRig APT:

  • Iranian Attribution: OilRig is widely believed to be a state-sponsored hacking group based in Iran. While the Iranian government has not officially confirmed its involvement, cybersecurity experts and researchers have linked the group to Iran based on various technical and contextual indicators.
  • Cyber Espionage: OilRig primarily focuses on cyber espionage operations. Their main objective is to gather intelligence and sensitive information from targeted organizations, including government agencies, businesses, and critical infrastructure sectors.
  • Spear Phishing: OilRig is known for its use of spear-phishing campaigns. They craft convincing and targeted phishing emails to trick individuals within organizations into opening malicious attachments or clicking on malicious links. Once a victim is compromised, the group gains a foothold within the target network.
  • Custom Malware: OilRig develops and uses custom malware tailored to their specific targets. This malware includes various remote access tools and backdoors, enabling the group to maintain persistence and control over compromised systems.
  • Targeted Industries: OilRig has shown an interest in a range of sectors, including energy, telecommunications, government, and financial organizations. Their choice of targets suggests a focus on critical infrastructure and valuable intellectual property.
October 4, 2023