SANTA CLARA, Calif., March 21, 2018 /PRNewswire/ -- Nyotron, a provider of the industry's first OS-Centric Positive Security solution to strengthen endpoint protection, has discovered a resurgence of OilRig attacks using a significantly more advanced malware toolkit.
Since 2015, the notorious Iran-linked APT group that launched OilRig has compromised critical infrastructure, banks, airlines, and government entities in countries such as Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. In November 2017, Nyotron discovered new active OilRig attacks on a number of organizations across the Middle East. The OilRig group has significantly evolved its tactics, techniques and procedures, introducing next-generation malware tools and new data exfiltration methods. In total, the attackers used about 20 different tools: some were off-the-shelf, dual-purpose utilities, while others were previously unseen malware that used Google Drive and SmartFile for command and control, as well as an ISAPI filter deployed against IIS servers.
Among key advancements, the new variant of OilRig introduces a variety of new command and control (C&C) and data exfiltration capabilities:
Google Drive C&C - The OilRig group has built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes. Among other things, it supports a variety of configuration settings, uses encryption and registers itself as a service. The malware retrieves commands from the attacker's account on Google Drive and exfiltrates files to it. At the time of the research, this RAT was not detected by any antivirus (AV) engine on VirusTotal.
SmartFile C&C - The attackers used a custom tool that leveraged the public APIs of SmartFile.com, a file sharing and transfer service, as a C&C channel. This allowed them to upload files to and download files from infected machines, as well as run ad-hoc commands. At the time of the research, this RAT produced 1 detection out of 68 engines on VirusTotal.
ISAPI filter-based C&C - This new attack used ISAPI filters, which extend the functionality of Microsoft Internet Information Services (IIS) servers. Compared with a malicious web page, an ISAPI filter offers a more covert way to execute commands on a previously compromised machine, because the filter runs for requests to any path on the server rather than a single URL. Based on publicly available information, Nyotron believes this is the first time the OilRig group has used ISAPI filters. This unique approach avoids detection by most, if not all, security products.
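One way a defender can check for the ISAPI-filter technique described above is to enumerate every filter registered in an exported IIS applicationHost.config and flag any DLL outside a known-good baseline. The following is an added example, not Nyotron's tooling or anything from the release; the allowlist assumes a stock ASP.NET 4 install, and the sample config and the "CacheHelper" DLL are constructed for illustration.

```python
# Offline triage of an IIS applicationHost.config: list every configured ISAPI
# filter (global and per-site) and flag those outside the stock ASP.NET set.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Stock ASP.NET 4 filter paths on a default IIS install. Assumption: adjust this
# allowlist to the known-good baseline of the server being reviewed.
EXPECTED_PATHS = {
    r"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll",
    r"%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll",
}

@dataclass
class IsapiFilter:
    scope: str     # "global" or the <location path="..."> the filter is bound to
    name: str
    path: str
    enabled: bool

def parse_isapi_filters(config_xml: str) -> list[IsapiFilter]:
    # Global filters sit under <configuration><system.webServer>; per-site
    # filters are added inside <location path="site"> overrides.
    root = ET.fromstring(config_xml)
    scopes = [(root, "global")] + [(loc, loc.get("path", "")) for loc in root.iter("location")]
    found = []
    for node, scope in scopes:
        for f in node.findall("./system.webServer/isapiFilters/filter"):
            enabled = f.get("enabled", "true").lower() != "false"
            found.append(IsapiFilter(scope, f.get("name", ""), f.get("path", ""), enabled))
    return found

def suspicious_filters(filters: list[IsapiFilter]) -> list[IsapiFilter]:
    # Every enabled filter DLL is loaded into w3wp.exe and sees every request,
    # so anything outside the allowlist deserves a closer look.
    expected = {p.lower() for p in EXPECTED_PATHS}
    return [f for f in filters if f.enabled and f.path.lower() not in expected]

# Constructed sample config (not taken from any real server): the two stock
# filters plus one unexpected DLL bound to a single site.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer><isapiFilters>
    <filter name="ASP.Net_4.0_32bit" path="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll" preCondition="bitness32,runtimeVersionv4.0" />
    <filter name="ASP.Net_4.0_64bit" path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" preCondition="bitness64,runtimeVersionv4.0" />
  </isapiFilters></system.webServer>
  <location path="Default Web Site">
    <system.webServer><isapiFilters>
      <filter name="CacheHelper" path="C:\inetpub\temp\cachehelper.dll" />
    </isapiFilters></system.webServer>
  </location>
</configuration>"""
```

Running `suspicious_filters(parse_isapi_filters(SAMPLE_CONFIG))` returns only the per-site "CacheHelper" entry; on a real host, compare each flagged path against the baseline and the DLL's signature before acting.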
"State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks," said Nir Gaist, Founder and CTO of Nyotron. "This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques."
About Nyotron
Nyotron provides the industry's first OS-Centric Positive Security to strengthen desktop, laptop and server protection. By mapping legitimate operating system behavior, Nyotron's PARANOID understands all the normative ways that may lead to damage, such as file deletion, data exfiltration, encryption, and more. Focusing on these finite "good" actions allows PARANOID to be completely agnostic to threats and attack vectors. PARANOID seamlessly coexists with antivirus and next-generation antivirus solutions based on the negative security model and provides the last line of defense from modern state-level attacks. Nyotron is headquartered in Santa Clara, CA with an R&D office in Israel.