Poison Frog

One of the most infamous hacking groups from the Middle East originates from Iran and goes by the name OilRig. It is also known under the aliases HelixKitten, IRN2, and APT34 (Advanced Persistent Threat). The OilRig hacking group began operating back in 2014, and since then it is known to have claimed countless victims. Usually, the OilRig group goes after targets operating in the chemical, energy, and telecommunication industries. It also tends to target financial as well as government institutions. Some experts believe that the OilRig hacking group is sponsored by the Iranian government and is used to carry out attacks that serve to further the interests of the state of Iran.

The Poison Frog Backdoor is Written in C#

Recently, APT34 has attracted the attention of cybersecurity researchers with a new threat dubbed Poison Frog. The Poison Frog threat is a Trojan backdoor written in the C# programming language. Threats written in C# do not tend to shine with their capabilities; usually, they serve only to inject a PowerShell script, which is then executed and swiftly wiped after the attack has taken place. The embedded PowerShell script behaves in the same manner as the logic found in the dropper PowerShell scripts. The DNS and HTTP backdoors are found under the two long, base64-encoded strings dns_ag and http_ag. The task scheduling service helps the Poison Frog backdoor gain persistence on the compromised host.
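The layout described above (two long base64 strings assigned to the identifiers dns_ag and http_ag that decode to PowerShell) lends itself to a simple triage check. The script below is an added example, not code from the original write-up or from the researchers who analysed the sample; it assumes the identifiers are assigned as double-quoted string literals in decompiled or strings-dumped text, and the PowerShell marker list and the embedded sample are constructed assumptions, not the real agent code.

```python
import base64
import binascii
import re

# Constructed sample mimicking the described layout: two long base64 strings
# assigned to dns_ag and http_ag. The decoded contents are invented placeholders.
SAMPLE = (
    'string dns_ag = "' + base64.b64encode(b'$c = "dns"; Start-Sleep 5').decode() + '";\n'
    'string http_ag = "' + base64.b64encode(b'Invoke-WebRequest -Uri $u').decode() + '";\n'
    'string note = "not base64 !!";\n'
)

# Any identifier assigned a long base64-looking string literal (assumed layout).
AG_PATTERN = re.compile(r'(?P<name>\w+)\s*=\s*"(?P<b64>[A-Za-z0-9+/]{16,}={0,2})"')

# Tokens that suggest a decoded blob is a PowerShell script (assumed heuristics).
PS_MARKERS = ("$", "Invoke-", "Start-Sleep", "powershell", "IEX", "New-Object")


def extract_blobs(text):
    """Return {identifier: decoded bytes} for every decodable base64 assignment."""
    found = {}
    for m in AG_PATTERN.finditer(text):
        try:
            found[m.group("name")] = base64.b64decode(m.group("b64"), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but did not decode cleanly
    return found


def looks_like_powershell(blob):
    """Heuristic: decoded text containing common PowerShell tokens."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(marker in text for marker in PS_MARKERS)


def triage(text):
    """Names of identifiers whose decoded payload looks like an embedded PowerShell agent."""
    return sorted(name for name, blob in extract_blobs(text).items()
                  if looks_like_powershell(blob))


if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['dns_ag', 'http_ag']
```

Run it over strings output or decompiled source of a suspect binary; hits on names such as dns_ag or http_ag are a cue to pull the decoded script for closer analysis.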

The Poison Frog Threat is Masked as a Legitimate Utility

Upon infecting the targeted system, the Poison Frog threat would mask itself as a legitimate application called Cisco AnyConnect. Needless to say, the Poison Frog backdoor is in no way affiliated with the genuine Cisco AnyConnect utility. The Poison Frog threat displays a fake layout and a button that reads 'Connect.' However, if the user clicks on the 'Connect' button, they will be presented with a pop-up window that shows an error message. This is a trick that is meant to fool users into believing that there is an issue with their Internet connection.

The OilRig Group Has Made Several Errors When Developing the Poison Frog Threat

When cybersecurity experts studied the Poison Frog backdoor, they discovered a number of errors that the OilRig hacking group made. One of the samples discovered is incapable of executing because the creators of the threat used the incorrect command 'Poweeershell.exe' instead of 'Powershell.exe.' In other samples, experts spotted that the PDB path had been left inside the binary of the threat. In order to confuse malware researchers, the authors of the Poison Frog backdoor altered the compilation date of the threat to one set in the future.

Despite some errors made by the OilRig APT, this hacking group is not one that is to be underestimated. The OilRig hacking group may update the Poison Frog backdoor at some point in the future and clear out the errors, therefore making the threat much more potent.
