Iranian APT OilRig uses the new Saitama backdoor
In late April 2022, security researchers at Fortinet and Malwarebytes discovered a malicious Excel document that the OilRig hacker group (also known as APT34, Helix Kitten and Cobalt Gypsy) had sent to a Jordanian diplomat in order to deliver a new backdoor called Saitama.
The phishing email was sent by an attacker posing as an employee of the IT department of the Ministry of Foreign Affairs. The attack came to light after the recipient forwarded the email to a real IT employee to check whether it was genuine.
According to the research notes published by Fortinet, the macro uses WMI (Windows Management Instrumentation) to query its command and control (C&C) server and is capable of producing three files: a malicious PE file, a configuration file and a legitimate DLL file. Written in .NET, the Saitama backdoor uses the DNS protocol to communicate with its C&C server and to exfiltrate data, one of the stealthier channels available to an implant, since DNS is rarely blocked at the perimeter and often not inspected. The backdoor also takes steps to make its packets blend in with legitimate traffic.
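The DNS-based channel described above, as an added example that is not part of the original article or of any vendor report: a small Python detector that scores a constructed DNS query log per registered domain, using two heuristics that DNS tunnels tend to trip and ordinary name resolution does not: a high share of never-repeated subdomains and high per-label entropy. The log format (`timestamp client query_name qtype`), the domain names, the thresholds and the `c2-example.net` placeholder are all assumptions made for illustration; none of them is a Saitama indicator.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not captured OilRig traffic). One query per line:
# <timestamp> <client_ip> <query_name> <qtype>
SAMPLE_DNS_LOG = """\
2022-04-25T09:00:01 10.1.2.3 www.example.com A
2022-04-25T09:00:02 10.1.2.3 mail.example.com A
2022-04-25T09:00:04 10.1.2.3 login.microsoftonline.com A
2022-04-25T09:00:07 10.1.2.3 a1f9c03e7b2d4c88.c2-example.net A
2022-04-25T09:00:09 10.1.2.3 5e2b77d0aa19f4c1.c2-example.net A
2022-04-25T09:00:11 10.1.2.3 9c4d1e8f0b3a6d72.c2-example.net A
2022-04-25T09:00:13 10.1.2.3 0b7e3a9d5f1c8e24.c2-example.net A
2022-04-25T09:00:15 10.1.2.3 d8a2f61c3e5b0947.c2-example.net A
2022-04-25T09:00:17 10.1.2.3 cdn.example.com A
2022-04-25T09:00:19 10.1.2.3 www.example.com A
2022-04-25T09:00:21 10.1.2.3 mail.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random hex runs near 3.5-4.0, words near 1-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (registered_domain, subdomain). Assumes a two-label registrable
    domain for simplicity; production code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines instead of crashing on them
    timestamp, client, qname, qtype = parts
    return {"ts": timestamp, "client": client, "qname": qname, "qtype": qtype}


def score_domains(log_text: str, min_queries: int = 5,
                  min_unique_ratio: float = 0.8, min_avg_entropy: float = 3.0) -> dict:
    """Per registered domain: query count, share of never-repeated subdomains,
    mean subdomain entropy, bytes carried in the labels, and a suspicious verdict."""
    subs_by_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_query(rec["qname"])
        subs_by_domain[domain].append(sub)

    report = {}
    for domain, subs in subs_by_domain.items():
        n = len(subs)
        if n < min_queries:
            continue  # too few queries to judge; tune over a long window for slow beacons
        unique_ratio = len(set(subs)) / n
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        payload_bytes = sum(len(s.replace(".", "")) for s in subs)
        report[domain] = {
            "queries": n,
            "unique_ratio": unique_ratio,
            "avg_entropy": avg_entropy,
            "payload_bytes": payload_bytes,
            "suspicious": unique_ratio >= min_unique_ratio and avg_entropy >= min_avg_entropy,
        }
    return report


def flagged_domains(log_text: str, **thresholds) -> list:
    """Sorted list of registered domains whose query pattern looks like a DNS tunnel."""
    report = score_domains(log_text, **thresholds)
    return sorted(d for d, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for domain, r in score_domains(SAMPLE_DNS_LOG).items():
        print(f"{domain:18} queries={r['queries']:2} unique={r['unique_ratio']:.2f} "
              f"entropy={r['avg_entropy']:.2f} bytes={r['payload_bytes']:3} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
```

On the constructed log only `c2-example.net` is flagged: every query to it carries a fresh 16-character label with entropy near 4 bits per character, while `example.com` repeats a handful of low-entropy names. Both heuristics produce false positives on their own (CDNs, anti-spam and reputation lookup services, and browsers' random probe queries all generate many unique, high-entropy labels), so in practice they need an allowlist and a baseline per network, and the `min_queries` floor should be applied over hours or days rather than minutes, because an implant that spends most of its time in a sleep state keeps its query volume low.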
As a reminder, we also reported that the cross-platform SysJoker backdoor attacks Windows, macOS and Linux, and that hackers are sending resumes carrying more_eggs malware to recruiters.
Malwarebytes also published a separate report on the backdoor, noting that its entire program flow is explicitly defined as a state machine: the backdoor moves from one state to the next depending on the command received in the current state.
The states include:
- The initial state, in which the backdoor receives the start command;
- The "alive" state, in which the backdoor connects to the C&C server and waits for a command;
- The sleep state;
- The receiving state, in which the backdoor accepts commands from the C&C server;
- The operational state, in which the backdoor executes the commands;
- The sending state, in which the results of command execution are returned to the attackers.