Greenbug espionage group targets UAE

Recently, DarkMatter’s Security Operations Centre (SOC) and DarkMatter Labs detected and responded to an attack on some of its clients in which the Indicators of Compromise (IOCs) demonstrated that it was part of the OilRig Advanced Persistent Threat (APT) Campaign with potential links to the Greenbug group.
Greenbug is a cyber-espionage group that has been attributed to alleged Iranian actors. It targets organisations in the Middle East using a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor, along with a selection of hacking tools, to steal sensitive credentials from compromised organisations.
Attack detection

On a regular business day, an employee received a suspicious email from a colleague (an internal user) carrying two ZIP archives, with no password protection, as attachments. The spear-phishing email was cleverly camouflaged as a business email.

The sender (victim) of the email was unaware of having sent any such email. Upon further examination it was discovered that the sender’s Outlook Web Access (OWA) was compromised and a total of seven such emails were sent to employees within the organisation during the day.

The internal contacts were all present in the victim’s address book. DarkMatter also noticed that the attackers attempted to compromise the victim as well, sending the same email with malicious attachments to the victim’s own email address. This activity suggests that the victim’s Outlook Web Access (OWA) credentials had been collected in an earlier credential-harvesting campaign.
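The pattern described above (a burst of OWA-originated internal emails with unprotected ZIP attachments from one account, including one addressed to the sender themself) can be turned into a simple mail-log detection. The following is an added example written for this article, not DarkMatter's own tooling; the log format, field names and sample entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample mail log (not from the original article). Fields:
# timestamp, sender, recipient, client, attachment names (';'-separated)
SAMPLE_LOG = """\
2017-03-14T09:02:11 alice@corp.example bob@corp.example OWA quote.zip;invoice.zip
2017-03-14T09:02:40 alice@corp.example alice@corp.example OWA quote.zip;invoice.zip
2017-03-14T09:03:05 alice@corp.example carol@corp.example OWA quote.zip;invoice.zip
2017-03-14T09:05:00 alice@corp.example dave@corp.example OWA quote.zip;invoice.zip
2017-03-14T11:20:00 bob@corp.example alice@corp.example Outlook report.docx
2017-03-14T12:00:00 erin@corp.example erin@corp.example OWA notes.txt
"""

def parse_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, client, atts = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "client": client,
            "attachments": atts.split(";"),
        })
    return events

def suspicious_senders(events, min_zip_mails=3, window_hours=24):
    """Flag senders whose OWA mails with .zip attachments go to several
    same-domain recipients, including the sender's own address, within the window."""
    by_sender = defaultdict(list)
    for e in events:
        has_zip = any(a.lower().endswith(".zip") for a in e["attachments"])
        if e["client"] == "OWA" and has_zip:
            by_sender[e["sender"]].append(e)
    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        within = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() <= window_hours * 3600
        self_addressed = any(e["rcpt"] == sender for e in evs)
        domain = sender.split("@")[1]
        internal_only = all(e["rcpt"].split("@")[1] == domain for e in evs)
        if len(evs) >= min_zip_mails and within and self_addressed and internal_only:
            flagged[sender] = {"count": len(evs),
                               "recipients": sorted({e["rcpt"] for e in evs})}
    return flagged
```

A hit should trigger a password reset and a review of the account's OWA logon history, since the pattern points to stolen credentials rather than a malicious insider.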
