
OilRig Hackers Use Microsoft Exchange Server Vulnerabilities to Steal Login Information


The Iranian state-sponsored cyber espionage group Earth Simnavaz (also tracked as OilRig) has been identified as the culprit behind a recent spate of intensified attacks on critical infrastructure in the UAE and the wider Gulf region. Employing sophisticated techniques, the group has breached networks, gained unauthorized access, and exfiltrated sensitive data in pursuit of its espionage objectives.

One of the latest tactics employed by Earth Simnavaz involves the use of a new backdoor to steal credentials via on-premises Microsoft Exchange servers. This method exploits vulnerabilities such as CVE-2024-30088 for privilege escalation and utilizes tools like ngrok for remote monitoring and control. By infiltrating networks through a web shell uploaded to a vulnerable web server and exploiting a Windows Kernel vulnerability to escalate privileges, Earth Simnavaz has managed to register a password filter DLL, dropping a backdoor that exfiltrates sensitive data via the Exchange server.

Furthermore, the stolen data is then used to execute supply chain attacks on other government entities, showcasing the group’s tendency to engage in malicious activity with far-reaching consequences. The overlap between Earth Simnavaz and FOX Kitten, a group known for ransomware attacks, underscores the potential for even more damaging cyber operations in the future.

In their initial compromise of target systems, Earth Simnavaz utilizes web shells as remote access Trojans to facilitate various malicious activities. By extracting and decrypting specific values from HTTP request headers, the threat actors are able to execute PowerShell commands, download files, and upload new ones to infected systems. To maintain confidentiality, outbound responses are encrypted using AES encryption and Base64 encoding.

To gain SYSTEM privileges, Earth Simnavaz exploits CVE-2024-30088, employing custom loaders to execute privilege escalation tools and create persistent tasks to run PowerShell scripts. Additionally, they abuse a password filter DLL to capture plaintext passwords from compromised machines, encrypting them before exfiltration to avoid detection and sustain persistence in the compromised environment.
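A password filter DLL only works if its name is listed in the LSA "Notification Packages" registry value, so that value is the natural place for defenders to look. The following PowerShell audit is an added example, not code from the article or from Trend Micro's report; the $KnownGood baseline is an assumption (Microsoft's default entries on most builds) and should be adjusted to the host's documented configuration.

```powershell
# Added example: audit the LSA "Notification Packages" value, which lists the
# password filter DLLs that LSASS loads and passes every plaintext password to.
# Assumption: $KnownGood holds the expected Microsoft defaults for this host.
$KnownGood = @('scecli', 'rassfm')   # 'rassfm' is normally present only on domain controllers
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PasswordFilterAudit {
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'
    foreach ($name in $packages) {
        # Entries are module base names without ".dll"; LSASS resolves them from System32.
        $path   = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            Name       = $name
            Path       = $path
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status } else { 'N/A' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'N/A' }
            # Flag anything outside the baseline, or present on disk but not validly signed.
            Unexpected = ($KnownGood -notcontains $name) -or ($sig -and $sig.Status -ne 'Valid')
        }
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

Run it on domain controllers and Exchange servers in particular; because LSASS loads the listed DLLs at boot, any entry flagged Unexpected warrants collecting the file and checking its load in LSASS before the next restart removes the evidence of a failed load.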

The exfiltration tool STEALHOOK is used to retrieve valid domain credentials, which are then used to access the Exchange Server for data exfiltration. These stolen passwords are transmitted as email attachments, leveraging legitimate accounts to route them through government Exchange Servers. The backdoor retrieves user credentials and email sending data from specific files, creating messages containing stolen credentials and configuration data for transmission.

Recent reports from Trend Micro indicate that Earth Simnavaz has enhanced their toolkit by incorporating the RMM tool ngrok, enabling them to circumvent firewalls and network security controls. By downloading ngrok onto a server with a PowerShell script and remotely executing it using a WMI command, the threat group can establish command-and-control communication, exfiltrate data, or deploy additional payloads to further their objectives.

With a history of targeting governments and countries in the Middle East, Earth Simnavaz’s strategies closely align with those of FOX Kitten, showcasing their determination to engage in cyber espionage and disruption in the region. As threats from state-sponsored groups continue to evolve, it is imperative for organizations to bolster their cybersecurity defenses to protect against such advanced and persistent adversaries.
