Earth Simnavaz conducts cyberattacks in UAE and Gulf regions

Earth Simnavaz, an Iranian APT group, has deployed a new backdoor targeting UAE government sectors and critical infrastructure. The backdoor exploits on-premises Microsoft Exchange servers to exfiltrate sensitive credentials, reflecting the group's continued focus on cyber espionage in the Gulf region.

The group has been exploiting dropped password filter policy vulnerabilities to extract plaintext passwords, has used ngrok for remote monitoring and management, and recently exploited CVE-2024-30088 for privilege escalation, demonstrating its ongoing adaptation and the threat it poses to critical infrastructure.

The attackers exploited a vulnerable web server to upload a web shell, which they used to download ngrok and exploit CVE-2024-30088 to escalate privileges. They then registered a password filter DLL to drop a backdoor that exfiltrated sensitive data through the Exchange server.

 Attack chain

The group is known for supply chain attacks and likely used compromised accounts to launch phishing attacks on new targets. Its activity overlaps with FOX Kitten, which is involved in ransomware attacks, suggesting a heightened threat level and potentially significant impact on compromised entities.

The web shell, uploaded to a vulnerable web server, extracts and decrypts commands from HTTP request headers and executes them. These commands can include executing PowerShell commands and downloading or uploading files, and the web shell returns encrypted responses to the threat actor.

The attackers leveraged CVE-2024-30088 to gain SYSTEM privileges by exploiting a vulnerability in Windows and used a custom loader and a reused privilege escalation tool to execute a payload that created a persistent scheduled task, potentially disrupting the incident investigation.

Creating persistence using “e.xml”

The threat actors are exploiting on-premises Exchange servers to steal credentials by abusing the dropped password filter policy: they register malicious password filters that intercept plaintext passwords during user password updates, enabling credential harvesting with elevated privileges.

The malicious DLL uses three exported functions to register itself with the LSA and intercept password changes. It validates new passwords against the password policy, but it also captures and encrypts them before exfiltrating them, allowing the attacker to harvest passwords from compromised machines even after they have been modified.

Functions exported by DLL
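
A defensive check for the password filter technique described above, as an added example that is not from Trend Micro or the original article: it lists the packages registered under the LSA "Notification Packages" registry value and flags any that fall outside a baseline, are missing from System32, or lack a valid signature. The baseline names are an assumption for illustration; build the list from a known-good image of the same Windows build.

```powershell
# Added example: audit LSA password-filter registrations (run in an elevated session).
# Assumption: $Baseline holds the package names expected on this build. 'scecli' and
# 'rassfm' are common Windows defaults, but derive the list from a known-good image.
$Baseline = @('scecli', 'rassfm')

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Packages are registered by base name and loaded from System32.
    $file   = if ($name -like '*.dll') { $name } else { "$name.dll" }
    $path   = Join-Path $env:SystemRoot "System32\$file"
    $exists = Test-Path -LiteralPath $path -PathType Leaf

    $sig = $null; $hash = $null; $written = $null
    if ($exists) {
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $written = (Get-Item -LiteralPath $path).LastWriteTimeUtc
    }

    [pscustomobject]@{
        Package      = $name
        InBaseline   = $Baseline -contains $name
        Path         = $path
        Exists       = $exists
        Signature    = if ($sig) { $sig.Status } else { 'n/a' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        LastWriteUtc = $written
        SHA256       = $hash
    }
}

# Entries outside the baseline sort first; then summarize anything that needs review.
$report | Sort-Object InBaseline, Package | Format-List
$suspect = $report | Where-Object { -not $_.InBaseline -or -not $_.Exists -or $_.Signature -ne 'Valid' }
if ($suspect) { Write-Warning ("Review these LSA notification packages: " + ($suspect.Package -join ', ')) }
```

A registered package that is unsigned, recently written, or absent from the baseline on an Exchange server or domain controller warrants examining the DLL and the host's recent password-change activity.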

According to Trend Micro, the exfiltration tool STEALHOOK retrieves valid domain credentials from a specific location, uses them to access the Exchange Server and sends stolen passwords as email attachments. 

The tool leverages legitimate accounts with stolen passwords to route these emails through government Exchange Servers. The threat actor also employed ngrok, a legitimate tunneling tool, to bypass network security and establish command-and-control communication.

The backdoor sending emails

ngrok was downloaded and executed remotely via PowerShell and WMI commands, using stolen credentials for authentication, which allowed the attacker to access internal services undetected and carry out malicious activities.

Iranian APT group Earth Simnavaz continues to target government sectors in the Middle East using IIS-based malware to gain a persistent presence and steal sensitive information. 

Their focus on blending into normal network activity and customizing malware highlights the need for intelligence-driven incident response and advanced security measures like Zero Trust architecture, SOC, EDR, and MDR capabilities.
