Critical Infrastructure Security
PupyRAT found sniffing around EU energy concern
A command and control server used by PupyRAT, a remote access trojan associated with Iranian groups, has been found communicating with the mail server of a European energy sector organization for the last several months.

Recorded Future’s Insikt Group reported that PupyRAT had been chatting with the command and control server from November 2019 until about January 5, 2020. The security firm could not solidly confirm from the metadata it viewed that PupyRAT had compromised its target, but Insikt Group researchers believe the amount of traffic between the targeted mail server and the PupyRAT C2 is sufficient to indicate a likely intrusion.

PupyRAT is open-source malware generally used by organizations as a “red team” tool, but Insikt Group noted it has previously been used by Iranian groups, including APT33 and Cobalt Gypsy.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the report said. The researchers pointed out that PupyRAT’s possible intrusion of the mail server predated the recent tensions between the United States and Iran, indicating the activity is likely part of an ongoing cyberespionage campaign aimed at the European energy sector.
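The report’s reasoning, that months of sustained traffic between a mail server and a C2 host is enough to suspect an intrusion even when the payload cannot be inspected, is the kind of check a network defender can run over their own connection logs. The script below is an added example, not code from the article or from Recorded Future: it summarises which external hosts a mail server keeps contacting day after day. The CSV log format, the mail server address, the internal ranges and all destination addresses are constructed for illustration.

```python
"""Flag external hosts that a mail server keeps talking to over many days.

Added illustration; the log format and every address below are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed connection-log sample (CSV): one row per outbound connection
# seen from the mail server. Addresses come from documentation ranges.
SAMPLE_FLOWS = """\
timestamp,src,dst,dst_port,bytes_out
2019-11-02T03:14:00,10.20.0.25,203.0.113.77,443,1480
2019-11-03T03:15:00,10.20.0.25,203.0.113.77,443,1502
2019-11-05T03:14:00,10.20.0.25,203.0.113.77,443,1493
2019-11-09T03:16:00,10.20.0.25,203.0.113.77,443,1471
2019-11-12T03:14:00,10.20.0.25,203.0.113.77,443,1510
2019-11-02T09:00:00,10.20.0.25,198.51.100.10,25,84000
2019-11-02T09:30:00,10.20.0.25,198.51.100.10,25,91000
2019-11-05T14:00:00,10.20.0.25,192.0.2.44,25,3200
2019-11-07T11:20:00,10.20.0.25,10.20.0.9,389,900
"""

MAIL_SERVER = "10.20.0.25"                            # assumed mail server address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges


def parse_flows(text):
    """Parse the CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": row["src"],
            "dst": row["dst"],
            "dst_port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return rows


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def persistent_external_peers(flows, mail_server, min_days=3):
    """Summarise external destinations the mail server contacted on at least
    min_days distinct days.

    A peer that recurs day after day, at the same hour, with near-identical
    small transfers has the shape of C2 beaconing rather than mail delivery;
    ordinary SMTP peers tend to come and go. The summary gives an analyst the
    day count, hours of day, ports and volume to judge each flagged host.
    """
    stats = defaultdict(lambda: {"days": set(), "hours": set(), "ports": set(),
                                 "connections": 0, "bytes_out": 0})
    for f in flows:
        if f["src"] != mail_server or is_internal(f["dst"]):
            continue
        s = stats[f["dst"]]
        s["days"].add(f["ts"].date())
        s["hours"].add(f["ts"].hour)
        s["ports"].add(f["dst_port"])
        s["connections"] += 1
        s["bytes_out"] += f["bytes_out"]

    flagged = {}
    for dst, s in stats.items():
        if len(s["days"]) < min_days:
            continue
        flagged[dst] = {
            "days": len(s["days"]),
            "connections": s["connections"],
            "bytes_out": s["bytes_out"],
            "ports": sorted(s["ports"]),
            "hours": sorted(s["hours"]),
        }
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, info in persistent_external_peers(flows, MAIL_SERVER).items():
        print(dst, info)
```

On the constructed sample only 203.0.113.77 is reported: five distinct days, always at 03:xx, roughly 1.5 KB each time on port 443, which is the pattern the article’s reasoning rests on. The two SMTP peers appear on a single day each and drop out; lowering `min_days` brings them back so the threshold can be tuned to the real volume of a given mail server.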