Iran-Linked RAT Used in Recent Attacks on European Energy Sector

silversurfer

Attacks recently identified to target a key organization in the European energy sector have employed a remote access Trojan (RAT) previously associated with Iran-linked threat actors, Recorded Future reports.

Dubbed PupyRAT, the backdoor is an open source piece of malware available on GitHub. Mainly written in Python, the threat is advertised as cross-platform, with support for various functions for post-exploitation.

The malware, Recorded Future’s security researchers explain, was previously used by several Iranian hacking groups, including APT33 (also known as Elfin, Magic Hound and HOLMIUM) and COBALT GYPSY, which overlaps with APT34/OilRig.

These two groups have been known to target energy sectors in the United States, Europe, and elsewhere, and Iranian hackers were previously observed making heavy use of freely available commodity malware such as PupyRAT, Recorded Future notes.

The researchers were able to identify a PupyRAT command and control (C&C) server that communicated with a mail server for a European energy sector organization between November 2019 and at least January 5, 2020.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C&C are sufficient to indicate a likely intrusion,” Recorded Future explains.
 
