Email Hacking Tool from OilRig APT Group Leaked Online

A tool for hijacking Microsoft Exchange email accounts allegedly used by the OilRig hacker group has been leaked online. The utility is called Jason and it is not detected by antivirus engines on VirusTotal.

Courtesy: Ionut Ilascu

The release occurred a few hours ago on the leaker's Telegram channel, with a message saying that the tool is used by the Iranian government "for hacking emails and stealing information."

Simple brute-force attack tool

The Jason email hijacking tool works by trying various login passwords until it finds the correct one. The brute-force activity is aided by a list of sample passwords and four text files containing numerical patterns.

Omri Segev Moyal, co-founder and vice president of research at Minerva Labs, analyzed the Jason email hijacking tool, noting that it "seems to be a relatively simple bruteforce attacker against online exchange services."

The VirusTotal analysis reveals that the utility was compiled in 2015. At the moment of writing, it bypasses all detection engines available in the scanning service.
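Because the tool works by repeated password guessing, its activity shows up in authentication records even when the binary itself is not flagged. The following is an added example, not code from the original article or from the leaked tool: it flags bursts of failed logins per account and source, and marks those followed by a success. The log format, the sample records, and the names `detect_bruteforce`, `WINDOW` and `THRESHOLD` are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records in a hypothetical, simplified format:
# timestamp,account,source_ip,result
SAMPLE_LOG = """\
2024-01-15T08:00:01,alice,203.0.113.7,FAIL
2024-01-15T08:00:03,alice,203.0.113.7,FAIL
2024-01-15T08:00:05,alice,203.0.113.7,FAIL
2024-01-15T08:00:07,alice,203.0.113.7,FAIL
2024-01-15T08:00:09,alice,203.0.113.7,OK
2024-01-15T08:10:00,bob,198.51.100.20,FAIL
2024-01-15T08:10:20,bob,198.51.100.20,OK
2024-01-15T09:00:00,carol,203.0.113.7,FAIL
2024-01-15T09:00:30,carol,203.0.113.7,FAIL
2024-01-15T09:01:00,carol,203.0.113.7,FAIL
2024-01-15T09:01:30,carol,203.0.113.7,FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 4                  # assumed number of failures that raises an alert


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (account, source) pair with >= threshold failed
    logins inside the window; 'compromised' is set if a success follows."""
    failures = defaultdict(list)  # (account, ip) -> failure times in window
    alerts = {}                   # (account, ip) -> alert record
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines
        ts, account, ip, result = row
        when = datetime.fromisoformat(ts)
        key = (account, ip)
        if result == "FAIL":
            recent = [t for t in failures[key] if when - t <= window]
            recent.append(when)
            failures[key] = recent
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"account": account, "source": ip,
                               "first_seen": recent[0], "compromised": False}
        elif result == "OK" and key in alerts:
            # A success shortly after a burst suggests a guessed password.
            if when - failures[key][-1] <= window:
                alerts[key]["compromised"] = True
    return list(alerts.values())
```

On the constructed sample, the single mistyped password for `bob` stays below the threshold, while `alice` and `carol` are reported and only `alice` is marked as likely compromised.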

OilRig, also known as APT34 and HelixKitten, is a group linked to the Iranian government. Using the alias Lab Dookhtegan, someone started on March 26 to leak OilRig information, the tools the group used in hacking operations, and contact details for staff supposedly working at the Iranian Ministry of Intelligence and Security (MOIS).

The previous tools released by Lab Dookhtegan have been confirmed by experts in the infosec industry to be part of the arsenal used by the threat actor APT34/OilRig.

The direct effect of publishing these hacking tools is a disruption of future operations from the adversary. Security companies have already developed detections for them, but this does not mean that they will no longer be used in attacks.

Cybercriminals are quickly picking up any new sources that could allow them to perpetuate and diversify their business. Now they have access to new tools they can modify or use as inspiration to create fresh malware. Now there are seven tools associated with the OilRig group that are publicly available:

- 2 PowerShell-based backdoors: Poison Frog and Glimpse - both are versions of a tool called BondUpdater, according to Palo Alto Networks

- 4 web shells: HyperShell and HighShell, Fox Panel, and Webmask (the DNSpionage tool analyzed by Cisco Talos)

- Jason email hijacking tool for Microsoft Exchange accounts