Brute-force Email Hacking Tool from OilRig APT Group Leaked Online (Jun 3, 2019)
A brute-force attack tool for hijacking Microsoft Exchange email accounts, allegedly used by the OilRig Advanced Persistent Threat (APT) group, has been leaked online. OilRig, also known as APT34 and HelixKitten, is a group linked to the Iranian government. The tool, called “Jason”, was not detected by any antivirus engine on VirusTotal at the time of this writing. It works by trying candidate passwords against an email account until it finds the correct one; the brute-force activity is aided by a list of sample passwords and four text files containing numerical patterns. This utility is the seventh tool associated with the OilRig group to be made publicly available. As of this writing, it is unknown who is responsible for exposing some of the APT group’s malware and tools; it is possible this was done in the hope that publishing them will disrupt the group’s future operations.
Recommendation: Email account security is paramount because many threat actors use brute-force attacks that can easily gain access to an account protected by a weak password. Enforcing multi-factor authentication, throttling or locking out repeated failed logons, and monitoring failed authentication against OWA, EWS and ActiveSync endpoints limit what a password-guessing tool such as this one can achieve. As this incident illustrates, a compromised email account not only exposes the PII of individuals whose information was stored in the account, but also puts them at further risk of highly targeted phishing attacks that use recipients’ legitimate information.
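As an added example, not code from the original briefing and not the leaked tool itself, the following Python script shows the kind of detection logic that catches a password-guessing utility working against Exchange web endpoints. It runs over constructed, simplified log records (one space-separated record per authentication attempt; the field layout, IP addresses, account names and thresholds are all assumptions) and distinguishes a single source hammering one account (brute force) from a single source rotating through many accounts (password spraying), which is the pattern a sample-password list combined with numeric suffixes tends to produce.

```python
"""Flag brute-force and password-spray activity against Exchange web endpoints.

Constructed example; it is not the leaked "Jason" tool and not the article's code.
Assumed input: one record per authentication attempt, space-separated as
  <ISO timestamp> <client IP> <HTTP method> <URI> <account> <HTTP status>
A 401 is treated as one failed credential; a 200 as a success.
"""
from collections import defaultdict
from datetime import datetime

# Exchange endpoints a password-guessing tool has to authenticate against
MONITORED_PREFIXES = ("/owa", "/ews", "/autodiscover", "/microsoft-server-activesync")
FAIL_STATUSES = {401}

# Constructed sample log (not real traffic): one source hammering one account,
# one source rotating through eight accounts, one legitimate mistyped password.
SAMPLE_LINES = (
    [f"2019-06-03T10:00:{s:02d} 203.0.113.5 POST /owa/auth.owa alice@example.com 401"
     for s in range(1, 11)]
    + [f"2019-06-03T10:01:{5 * i:02d} 198.51.100.7 POST /EWS/Exchange.asmx {u}@example.com 401"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + [
        "2019-06-03T10:02:00 192.0.2.9 POST /owa/auth.owa bob@example.com 401",
        "2019-06-03T10:02:07 192.0.2.9 POST /owa/auth.owa bob@example.com 200",
        "2019-06-03T10:05:00 192.0.2.9 GET /owa/ bob@example.com 200",
    ]
)


def parse_line(line: str) -> dict:
    """Split one record into typed fields (assumed layout, see module docstring)."""
    ts, ip, method, uri, user, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "uri": uri.lower(),
        "user": user.lower(),
        "status": int(status),
    }


def detect(lines, window_seconds=300, fail_threshold=8, spray_threshold=5):
    """Return (ip, kind, failures, distinct_accounts) for each suspicious source.

    kind is "password_spray" when the failures in the densest window touch at
    least spray_threshold distinct accounts, otherwise "brute_force".
    """
    failures = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["status"] in FAIL_STATUSES and ev["uri"].startswith(MONITORED_PREFIXES):
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        # Slide a window over the sorted failures and keep the densest one, so a
        # source is judged on its worst window_seconds span rather than on totals.
        best, start = [], 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= fail_threshold:
            accounts = {user for _, user in best}
            kind = "password_spray" if len(accounts) >= spray_threshold else "brute_force"
            alerts.append((ip, kind, len(best), len(accounts)))
    return alerts


if __name__ == "__main__":
    for ip, kind, n, accounts in detect(SAMPLE_LINES):
        print(f"{ip}: {kind} ({n} failures against {accounts} account(s))")
```

On the sample input the first source is reported as brute force (10 failures, 1 account) and the second as a password spray (8 failures, 8 accounts); the third source, with a single failure followed by a success, is not reported. One caveat before pointing this at real data: IIS logs for Exchange emit a 401 challenge before every NTLM- or Basic-authenticated request, so a raw 401 count overstates failures there. Key on Windows Security events 4625/4776, or on the IIS sc-substatus field, for the failure signal, and keep the sliding-window logic as shown.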
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.