
Menorah Malware

The Iran-linked state-aligned threat group tracked as 'OilRig' has been carrying out a targeted spear-phishing operation that deploys a new variant of a malware family known as Menorah. The malware was built for cyber espionage: it can profile a compromised computer, read and exfiltrate files from that system, and download additional files or malware onto it.

The precise set of victims remains unknown at this point. However, the content of the lure document strongly suggests that at least one of the primary targets is an organization based in Saudi Arabia.

The Menorah Malware is Delivered via Lure Documents

The OilRig phishing campaign delivers an updated variant of the SideTwist malware, which points to ongoing development of the tooling. In the most recent infection chain, a lure document creates a scheduled task for long-term persistence while also dropping an executable named 'Menorah.exe.' That executable then contacts a remote server and waits for further instructions. At the time of analysis the command-and-control server was inactive, so the operators' follow-on actions could not be observed.

Also known by aliases such as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig stands as an Iranian Advanced Persistent Threat (APT) entity with a specialized focus on clandestine intelligence-gathering endeavors, meticulously infiltrating and sustaining access within designated networks.

Important Details about the Menorah Malware Show Its Similarities with Another Malware Threat

The malware, written in .NET and delivered through the lure document, primarily serves cyberespionage and has a broad set of capabilities. It can identify the specific characteristics of the targeted computer, list directories and files, selectively upload files from the compromised system, execute shell commands, and download files onto the compromised machine.

Upon conducting a thorough analysis comparing the SideTwist malware with Menorah, researchers have discerned substantial resemblances between the two, particularly in terms of functionality. These malware variants exhibit similar backdoor functionalities for executing shell commands and facilitating file uploads and downloads.

However, compared with the earlier SideTwist version, the new threat adds features that obfuscate its traffic to the command-and-control (C&C) server, making it harder to detect. Before doing anything else, Menorah checks for a specific command-line argument; if the argument is absent, the process exits immediately. The scheduled task that launches the malware supplies the argument, whereas an automated analysis environment such as a sandbox typically detonates the bare executable. The check therefore lets the malware run as intended on the victim while quietly terminating under analysis, which also keeps its behavior hidden from dynamic-analysis reports.

Next, the malware fingerprints the infected machine by collecting information such as the machine name and username. This fingerprint is sent to the C&C server in the body of an HTTP request.
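The three behaviors described above (a lure document registering a scheduled task, the task launching Menorah.exe with the required argument, and a beacon whose HTTP body carries the machine name and username) can be hunted for in endpoint telemetry. The following Python script is an added illustration of that hunting logic; it is not code from the original report or from the OilRig tooling. It runs over constructed, Sysmon-like event dictionaries; the event schema, the task-scheduler host processes, the user-writable path patterns, the argument value passed to Menorah.exe and the beacon body format are all assumptions made for the example.

```python
"""Hunting logic for the Menorah infection chain (added example, assumptions noted)."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Processes that spawn scheduled-task actions on Windows (assumption for the example).
SCHEDULER_IMAGES = {"taskeng.exe", "svchost.exe"}
# Directories a macro can drop into without elevation (assumption for the example).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|windows\\temp)\\", re.I)


@dataclass
class Finding:
    stage: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_lure_persistence(events):
    """Stage 1: an Office process registers a scheduled task (the lure document's persistence)."""
    findings = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if (basename(ev["parent_image"]) in OFFICE_IMAGES
                and basename(ev["image"]) == "schtasks.exe"
                and "/create" in ev["cmdline"].lower()):
            findings.append(Finding("persistence", ev["cmdline"]))
    return findings


def find_gated_launch(events):
    """Stage 2: the scheduler starts the dropped executable with an argument.

    Menorah exits unless a specific argument is present, so a sandbox detonating the
    bare file sees nothing; the persistent task, however, must pass that argument.
    Flag the known file name, and more generally any scheduler-spawned executable in
    a user-writable directory that receives a command-line argument.
    """
    findings = []
    for ev in events:
        if ev["type"] != "process_create" or basename(ev["parent_image"]) not in SCHEDULER_IMAGES:
            continue
        has_argument = len(ev["cmdline"].split()) > 1
        in_user_writable_dir = USER_WRITABLE.search(ev["image"]) is not None
        if basename(ev["image"]) == "menorah.exe" or (has_argument and in_user_writable_dir):
            findings.append(Finding("gated_launch", ev["cmdline"]))
    return findings


def find_fingerprint_beacon(events):
    """Stage 3: an HTTP request whose body carries the sending host's name and username."""
    findings = []
    for ev in events:
        if ev["type"] != "http_request":
            continue
        body = ev["body"].lower()
        if ev["hostname"].lower() in body and ev["user"].lower() in body:
            findings.append(Finding("fingerprint_beacon", f"{ev['method']} {ev['url']}"))
    return findings


def hunt(events):
    """Run all three stage detectors and return the combined findings in stage order."""
    return find_lure_persistence(events) + find_gated_launch(events) + find_fingerprint_beacon(events)


# Constructed sample telemetry: one benign scheduler child and one benign GET are mixed in.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\AppData\Roaming\Menorah.exe 1"'},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Menorah.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\Menorah.exe 1"},   # argument value "1" is assumed
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"type": "http_request", "method": "POST", "url": "http://c2.example.invalid/",
     "hostname": "DESKTOP-9K2", "user": "alice",
     "body": "DESKTOP-9K2|alice|Windows 10"},                       # beacon body format is assumed
    {"type": "http_request", "method": "GET", "url": "http://intranet.example.invalid/",
     "hostname": "DESKTOP-9K2", "user": "alice", "body": ""},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.stage}] {finding.detail}")
```

The second detector is deliberately broader than the file name on this page: an argument-gated executable launched from a scheduled task is the pattern, and the name can change between campaigns. The third detector depends on knowing the host name and user for the session that sent the request, which is why the sample events carry those fields; in a real deployment they would be joined from the endpoint agent's metadata rather than from the request itself.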
