According to a report by Trend Micro, the Iranian hacker group known as OilRig (also tracked as APT34, Cobalt Gypsy, Hazel Sandstorm and Helix Kitten) has launched a new cyber espionage operation involving a previously undisclosed malware called Menorah.
Researchers have found that Menorah is built specifically for cyber espionage, with capabilities that include identifying the machine, reading and downloading files from the infected host, and uploading additional files or malicious software to it. The identity of the victims targeted in this attack has not yet been determined, but the decoy content used in the lure suggests that at least one of the targets is an organization in Saudi Arabia.
The campaign begins with phishing emails carrying a malicious document; when opened, the document creates a scheduled task that provides persistence and installs the Menorah executable. Once installed, Menorah connects to a remote command-and-control (C2) server to receive further instructions. It is worth noting that the C2 server was inactive at the time of the report.
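The persistence step above, a scheduled task registered by a malicious document to launch the dropped executable, leaves a record in Windows Security event 4698, which includes the full task definition XML. The following is an added hunting example, not code from the Trend Micro report or from the malware itself; the 4698 field names and the Task Scheduler XML namespace are real, while the sample task names and paths are constructed.

```python
"""Hunt for scheduled-task persistence in Windows Security event 4698 records.

Added example, not code from the Trend Micro report or the OilRig toolset. Event
4698 ("a scheduled task was created") records the task definition XML; this
flags tasks whose action runs from a user-writable location, the usual home of a
binary dropped by a malicious document. All sample records are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Installed software normally points tasks into Program Files or the Windows
# directory; a dropped executable lives where an unprivileged user can write.
WRITABLE_PATHS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                  "\\users\\public\\", "\\downloads\\")
WRITABLE_VARS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                 "%programdata%", "%public%")

def task_actions(task_content):
    """Return (command, arguments) pairs from one event's TaskContent XML."""
    root = ET.fromstring(task_content)
    return [((ex.findtext("t:Command", "", NS) or "").strip(),
             (ex.findtext("t:Arguments", "", NS) or "").strip())
            for ex in root.findall(".//t:Actions/t:Exec", NS)]

def is_suspicious(task_content):
    """True if an action launches, or passes as an argument, a user-writable path.
    Arguments are checked too, so a launcher like cmd.exe /c <dropped file> is caught."""
    for cmd, args in task_actions(task_content):
        line = f"{cmd} {args}".lower()
        if any(p in line for p in WRITABLE_PATHS + WRITABLE_VARS):
            return True
    return False

def scan_events(events):
    """events: dicts with the TaskName and TaskContent fields parsed from 4698.
    Returns the names of tasks that deserve an analyst's attention."""
    return [e["TaskName"] for e in events if is_suspicious(e["TaskContent"])]

def _task_xml(command, arguments=""):
    # Minimal Task Scheduler definition used to build the constructed samples.
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions Context="Author">'
            f"<Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

SAMPLE_EVENTS = [  # constructed; task names and paths are illustrative only
    {"TaskName": "\\Vendor\\Updater", "TaskContent": _task_xml("C:\\Program Files\\Vendor\\upd.exe")},
    {"TaskName": "\\OfficeSync", "TaskContent": _task_xml("C:\\Users\\alice\\AppData\\Roaming\\sync.exe")},
    {"TaskName": "\\Telemetry", "TaskContent": _task_xml("cmd.exe", "/c %LOCALAPPDATA%\\t.exe")},
]
```

Running `scan_events(SAMPLE_EVENTS)` returns the two tasks that point into user-writable locations; in practice the TaskContent field is taken from 4698 events exported from the Security log, and auditing of object access for the Task Scheduler must be enabled for those events to exist.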
Menorah, an enhanced version of the SideTwist malware first documented by Check Point in 2021, is equipped with functions for collecting information about the target host, listing directories and files, downloading selected files from the infected system, executing shell commands, and uploading files to and downloading files from the system.
Researchers have highlighted that the OilRig group continually develops and enhances its tools in an effort to lower the chances of detection by security products and researchers.