Threat Actor Adds New Marlin Backdoor to Its Arsenal

Iran-Linked APT Group OilRig Involved in New Middle East Attacks
Timeline of "Out to Sea" campaign (Source: ESET Threat Report)

An advanced persistent threat group with ties to Iran has updated its arsenal to include a newly developed backdoor called Marlin to attack organizations in the Middle East, researchers say.

The attacks perpetrated by the APT group OilRig, also called APT34, Lyceum and Siamesekitten, are targeted at diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates, according to researchers at Slovakian cybersecurity firm ESET.

The attack is part of an espionage campaign that began in April 2018, the researchers say.

ESET did not immediately respond to Information Security Media Group's request for additional details on the attack.

Past Attacks

The group has previously targeted companies in the news media, energy, transportation and logistics and technology services sectors. (See: Despite Doxing, OilRig APT Group Remains a Threat).

It was particularly active between September and December 2021, conducting a campaign that the researchers call "Out to Sea." The operators behind OilRig developed and deployed a mix of an improved DanBot backdoor with Shark, Milan and Marlin backdoors in the campaign, say the ESET researchers.

"The first appearance of DanBot in 2019 was originally attributed to a new group, Lyceum. At that time, researchers correctly identified links to OilRig, but lacked the clarity necessary to fully attribute DanBot to OilRig," the ESET researchers say. "Subsequent reports further entrenched the DanBot attribution to Lyceum. The most recent iteration of this campaign, attributed to a new group, Siamesekitten, was also linked with Lyceum."

The similarities between known OilRig backdoors and the backdoors used in the Out to Sea campaign were "too numerous and specific" to be written off as just another group "like" OilRig, the ESET researchers say.


In October, researchers at cybersecurity firm Kaspersky reported that the Lyceum group, known for targeting organizations in the energy and telecommunications sectors, had attacked two entities in Tunisia with an updated malware arsenal.

Kaspersky researchers found that the group had updated its malware arsenal considerably by rebuilding its toolset. The operators behind Lyceum preferred to take advantage of DNS tunneling, but had pivoted from a .NET payload, referred to as DanBot, to a new C++ backdoor and a PowerShell script, Kaspersky researchers said at the time.

The attackers also used a .NET remote access Trojan to communicate with the command-and-control server over DNS or HTTP (See: Lyceum Group Targets Two Tunisia-Based Entities).

The activities of Lyceum can be traced back to 2018, according to Kaspersky. Its targets include critical systems, such as oil and gas organizations in the Middle East, Africa and Central Asia, the cybersecurity company says.

In November 2021, the group expanded its ongoing espionage activity to include internet service providers, according to Accenture’s Cyber Threat Intelligence group and Prevailion’s Adversarial Counterintelligence Team. The threat group targeted unidentified ISPs and telecommunication operators in Israel, Morocco, Tunisia and Saudi Arabia, as well as a Ministry of Foreign Affairs in Africa, between July and October 2021.

The group is believed to be linked to Iranian groups, according to researchers at security firm ClearSky (see: Iranian Group Targets Israeli Firms).

Updated Arsenal

DanBot, Shark and Milan use both DNS - a commonality for OilRig backdoors - and HTTP/S for network communications with command-and-control servers. But Marlin deviates from typical OilRig TTPs and uses the OneDrive API for its C2 operations. Post-compromise activities include data collection - via browser-data theft and a keylogger - exfiltration and lateral movement.

Researchers at ESET say that the initial access is via a spear phishing attack and the remote administration software ITbrain, which was found in conjunction with the remote access tool TeamViewer. Additional tools used upon establishing a foothold into a network include:

  • A Chrome browser data dumper;
  • PowerShell backdoor loaders;
  • WinRAR;
  • Mimikatz;
  • An SMB lateral movement tool that leverages EternalBlue;
  • A keylogger;
  • Tuna, which is a parser for the Windows Master File Table, a database in which information about every file and directory on an NT File System volume is kept.

"Beginning with the ToneDeaf backdoor, OilRig has shown a propensity for deploying tools with non-functional components. The ToneDeaf backdoor primarily communicated with its C&C over HTTP/S but included a secondary method, DNS tunneling, which does not function properly. Shark has similar symptoms, where its primary communication method uses DNS but has a non-functional HTTP/S secondary option," the researchers at ESET say.

ToneDeaf is a backdoor that communicates with its command-and-control server via HTTP to receive and execute commands.

The researchers say that the SMB lateral movement tool, while determining a remote system’s vulnerability to EternalBlue, uses a hard-coded private IP address that is unlikely to ever identify a vulnerable system, unless it has that specific private IP address.

EternalBlue is a Windows exploit created by the U.S. National Security Agency, leaked by The Shadow Brokers hacking group and subsequently used in the 2017 WannaCry ransomware attack.

"Another telltale sign of OilRig is the creation and use of multiple folders in a backdoor’s working directory that are used for uploading to, and downloading files from, the OilRig C2 server. First documented in the ALMA backdoor, we see DanBot, Shark, and Milan employing the same methodology. We rarely see similar TTPs from other groups," the ESET researchers say.

OilRig operators are known for using DNS as a C2 communication channel and HTTP/S as a secondary communication method, the researchers say, adding, "We see it employed in the Out to Sea campaign with DanBot, Shark, and Milan."

Concerning "New Cocktails"

The massive amount of malware strains that cybercriminals are able to leverage today enables them to "concoct new cocktails capable of thwarting both past and present security systems," Bill Conner, CEO and president of cybersecurity firm SonicWall, says.

"What's most concerning is that threat actors are leveraging the technologies that good guys have been utilizing to stop them for quite some time, such as machine learning," Conner tells ISMG.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
