High-severity Windows vulnerability leveraged in new OilRig APT attacks

Vulnerability Management, Threat Intelligence

The United Arab Emirates and other countries across the Gulf region had their critical infrastructure and government organizations subjected to attacks by the Iranian state-sponsored advanced persistent threat operation OilRig, also known as APT34, involving exploitation of the high-severity Windows privilege escalation flaw tracked as CVE-2024-30088, BleepingComputer reports. After injecting PowerShell commands into a vulnerable web server, OilRig leverages CVE-2024-30088 to register a password filter DLL for plaintext credential capture, install the 'ngrok' utility for covert communications, and target Microsoft Exchange servers with the novel 'StealHook' backdoor, according to an analysis from Kaspersky. "The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers," said Kaspersky researchers, who found that StealHook resembles OilRig's older Karkoff payload and also noted OilRig's association with FOX Kitten.
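The password filter DLL registration mentioned above relies on LSASS loading every DLL named in the LSA "Notification Packages" registry value and handing each one the plaintext password on every password change. The following PowerShell audit is an added example (not code from the SC Media article, BleepingComputer, or Kaspersky's report) that enumerates the registered filters on a host and flags any that are not on an assumed baseline of Windows defaults ('scecli' everywhere, plus 'rassfm' on domain controllers); the baseline list and the function name `Get-PasswordFilterAudit` are the author's assumptions, not values taken from the report.

```powershell
# Added example: audit LSA password filter (notification package) registrations.
# Not from the article or Kaspersky's analysis; baseline names are an assumption.
function Get-PasswordFilterAudit {
    param(
        # Assumed baseline: 'scecli' on all Windows hosts, 'rassfm' additionally on DCs.
        [string[]] $KnownDefaults = @('scecli', 'rassfm')
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # 'Notification Packages' is REG_MULTI_SZ, so PowerShell returns a string array.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        $name = $pkg.Trim()
        if ([string]::IsNullOrEmpty($name)) { continue }

        # LSASS resolves a bare name against %SystemRoot%\System32\<name>.dll.
        $dllPath = if ([System.IO.Path]::IsPathRooted($name)) {
            $name
        } else {
            Join-Path $env:SystemRoot "System32\$name.dll"
        }

        $file = Get-Item -Path $dllPath -ErrorAction SilentlyContinue
        $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }

        [pscustomobject]@{
            Package      = $name
            KnownDefault = ($KnownDefaults -contains $name.ToLowerInvariant())
            Path         = $dllPath
            Exists       = [bool]$file
            SigStatus    = if ($sig) { $sig.Status } else { 'Missing' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWriteUtc = if ($file) { $file.LastWriteTimeUtc } else { $null }
        }
    }
}

# Show only entries that deserve a second look: unknown names, missing files,
# or DLLs whose Authenticode signature is not valid.
Get-PasswordFilterAudit |
    Where-Object { -not $_.KnownDefault -or -not $_.Exists -or $_.SigStatus -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it with local administrator rights; an empty result means only the baseline packages are registered and signed. For continuous detection rather than a point-in-time audit, alert on writes to that registry value (for example Sysmon Event ID 13 on the `Lsa` key) and on Security log Event ID 4614 ("A notification package has been loaded by the Security Account Manager"), which fires at boot for each filter LSASS actually loads.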
