Summary
- Trend Micro researchers have been monitoring a cyber espionage group known as Earth Simnavaz, also referred to as APT34 and OilRig, which has been actively targeting governmental entities in the UAE and the broader Gulf region.
- The group uses tactics that include deploying a backdoor that exfiltrates stolen credentials through on-premises Microsoft Exchange servers, and exploiting vulnerabilities such as CVE-2024-30088 for privilege escalation.
- Earth Simnavaz uses a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to allow their malicious activity to blend in with normal network traffic and avoid traditional detection methods.
- Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions. They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets.
Recently, Trend Micro has been tracking Earth Simnavaz (also known as APT34 and OilRig), a cyber espionage group believed to be linked to Iranian interests. This group primarily targets organizations in the energy sector, particularly those involved in oil and gas, as well as other critical infrastructure. It is known for using sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to networks and exfiltrate sensitive information.
In recent months, there has been a notable rise in cyberattacks attributed to this APT group specifically targeting government sectors in the United Arab Emirates (UAE) and the broader Gulf region. This escalation in activity underscores the group’s ongoing commitment to exploiting vulnerabilities within critical infrastructure and governmental frameworks in these geopolitically sensitive areas.
Our latest research has identified Earth Simnavaz's deployment of a new backdoor that bears striking similarities to malware previously attributed to this APT group, as documented in our earlier research. This backdoor exfiltrates sensitive credentials, including account names and passwords, through on-premises Microsoft Exchange servers. Such tactics not only reflect the group's evolving methodologies but also highlight the persistent threat posed to organizations that rely on these platforms.
Moreover, Earth Simnavaz has been observed using the same technique of abusing a dropped password filter DLL as detailed in our earlier findings. LSA loads every DLL listed under its Notification Packages registry value and hands each one the new password in cleartext whenever a user changes it, so a malicious filter captures cleartext passwords without touching the domain's stored hashes, further compromising the integrity of targeted systems.
In addition to these methods, the group has leveraged ngrok in their operations. ngrok is a tunneling tool rather than a conventional remote monitoring and management (RMM) product: it exposes a local port through a public relay endpoint, which gives attackers an easy, outbound-only channel to maintain persistence and control over compromised environments, bypassing inbound firewall rules.
The threat actors have also recently added CVE-2024-30088 to their toolset, exploiting this vulnerability for privilege escalation on targeted systems. Integrating this into their toolkit highlights Earth Simnavaz's continuous adaptation by exploiting newer vulnerabilities to make their attacks stealthier and more effective.
Earth Simnavaz’s activities highlight the ongoing threat posed by state-sponsored cyber actors, particularly in sectors vital to national security and economic stability. As the threat landscape continues to evolve, understanding the tactics these groups use is crucial for developing effective defense strategies against such sophisticated adversaries.
Attack chain
The initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server (Figure 1). This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server, thereby expanding their foothold within the targeted networks.
Once inside the network, the APT group leveraged this access to download ngrok, using its tunnels to move laterally and reach the Domain Controller. During their operations, the group exploited CVE-2024-30088 – the Windows Kernel Elevation of Privilege vulnerability – as a means of privilege escalation, utilizing an exploit binary that was loaded directly into memory via the open-source tool RunPE-In-Memory rather than written to disk as a separate executable.
The elevated privileges allowed them to register a password filter DLL, which subsequently dropped a backdoor responsible for exfiltrating sensitive data through the Exchange server. The exfiltrated data was relayed to a mail address controlled by the threat actor, effectively completing the infection chain and ensuring the attackers maintained control over the compromised environment.
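Two of the persistence techniques in this chain leave host-level artifacts a defender can audit directly. The following PowerShell script is an added example written for this page, not code from Trend Micro or from the actor's toolset. It assumes a default LSA baseline of scecli and rassfm (add any third-party password filters you legitimately deploy) and assumes ngrok's default configuration paths for its v2 and v3 clients; run it elevated on the domain controller and on any host the web shell could reach.

```powershell
# Added hunting example for the Earth Simnavaz chain described above.
# Not Trend Micro's code; baseline list and ngrok paths are assumptions.

# --- 1. Password filter DLL audit ---------------------------------------
# LSA loads every name in 'Notification Packages' from System32 and passes
# cleartext passwords to its PasswordChangeNotify export on each change.
$lsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$knownFilters = @('scecli', 'rassfm')   # assumed baseline for a default DC

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
foreach ($name in $packages) {
    if ($knownFilters -notcontains $name.ToLower()) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        if (Test-Path $dll) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        } else {
            $sig = 'MISSING'; $hash = 'n/a'
        }
        Write-Warning "Unexpected password filter '$name' -> $dll (signature: $sig, sha256: $hash)"
    }
}

# --- 2. ngrok tunnel artifacts ------------------------------------------
# Name and command-line matches catch the unrenamed binary; a renamed copy
# still tends to leave its config (auth token, tunnel definitions) behind.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match 'ngrok' -or $_.CommandLine -match 'ngrok' } |
    Select-Object ProcessId, Name, CommandLine |
    Format-Table -AutoSize

$ngrokConfigs = @(
    (Join-Path $env:LOCALAPPDATA 'ngrok\ngrok.yml'),   # assumed v3 default path
    (Join-Path $env:USERPROFILE  '.ngrok2\ngrok.yml')  # assumed v2 default path
)
foreach ($cfg in $ngrokConfigs) {
    if (Test-Path $cfg) {
        Write-Warning "ngrok config present: $cfg"
        Get-Content -Path $cfg | Select-String -Pattern 'authtoken|tunnels|proto|addr'
    }
}
```

The password filter check is the higher-value half: a DLL in Notification Packages that is unsigned, signed by an unfamiliar publisher, or not present in your golden image should be treated as a credential-theft implant until proven otherwise, because registering one requires SYSTEM on the domain controller, which is exactly what the CVE-2024-30088 step in the chain provides. The ngrok checks are best-effort; an attacker who renames the binary and supplies the token on the command line will only show up through network telemetry for the relay endpoints, so pair this with egress logging.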