A newly uncovered cyberespionage campaign attributed to Iran-linked threat group OilRig is showcasing a new level of stealth, as attackers hide malicious configurations inside seemingly harmless images hosted on Google Drive. Also known as APT34 or APT-C-49, the group is leveraging advanced techniques to evade detection while targeting victims through carefully crafted phishing lures tied to recent events in Iran.
The attack begins with a deceptive Excel file disguised as information related to protests in Tehran. When opened and macros are enabled, the document quietly triggers a chain reaction in the background. A hidden VBA script decodes embedded C# code and compiles it locally using Windows’ built-in compiler, creating a loader that operates entirely in memory. This fileless execution approach allows the malware to avoid leaving obvious traces on the system, making detection significantly harder.
Once inside, the malware establishes persistence by copying legitimate system files and setting scheduled tasks that ensure it runs every time the device starts. It then reaches out to a repository on GitHub to retrieve an encoded file containing further instructions. This step eventually leads to downloading a PNG image from Google Drive, which appears completely normal at first glance.
However, the image hides a secret. Using a technique known as steganography, the attackers embed encrypted configuration data within the image’s pixels. The malware extracts this hidden information and decrypts it using multiple layers of encoding, revealing critical details such as command-and-control server locations and instructions for the next stage of the attack.
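One way a defender can triage an image like the one described above, without knowing the attackers' encoding, is to test whether the pixels' least-significant bits are compressible: real image content leaves a structured LSB plane, while an embedded encrypted or multiply-encoded configuration leaves one that deflate cannot shrink. The block below is an added example, not code from the article or from the OilRig toolkit. It assumes LSB embedding in an 8-bit greyscale PNG (the article only says the data sits "within the image's pixels"), includes its own minimal PNG writer and reader so it runs offline, and constructs both a clean sample and a sample whose LSB plane carries random bits to stand in for a hidden payload. The 0.5 threshold is a constructed starting point, not a calibrated signature.

```python
import os
import struct
import zlib

# Added example (not from the article). Assumes a minimal 8-bit greyscale PNG
# with filter type 0 and LSB embedding; the compressibility test is a generic
# steganalysis heuristic, not a signature for this campaign.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
WIDTH = HEIGHT = 64  # constructed sample size


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_gray_png(rows: list[list[int]]) -> bytes:
    """Serialise 8-bit greyscale pixel rows as a PNG, filter type 0 on every row."""
    height, width = len(rows), len(rows[0])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(r) for r in rows)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_gray_png(data: bytes) -> list[list[int]]:
    """Parse a PNG of the form written above back into pixel rows."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + crc
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBBBBB", body)[:4]
            if depth != 8 or colour != 0:
                raise ValueError("example supports 8-bit greyscale only")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
    raw = zlib.decompress(idat)
    stride = width + 1  # one filter byte precedes each scanline
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("example supports PNG filter type 0 only")
        rows.append(list(line[1:]))
    return rows


def lsb_plane(rows: list[list[int]]) -> bytes:
    """Pack the least-significant bit of every pixel, row-major, into bytes."""
    bits = [p & 1 for row in rows for p in row]
    bits += [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def lsb_compression_ratio(png: bytes) -> float:
    """Deflate the LSB plane: image structure compresses well, an embedded
    ciphertext or encoded blob does not (ratio close to 1.0)."""
    plane = lsb_plane(read_gray_png(png))
    return len(zlib.compress(plane, 9)) / len(plane)


def looks_like_lsb_payload(png: bytes, threshold: float = 0.5) -> bool:
    return lsb_compression_ratio(png) > threshold


def clean_sample() -> bytes:
    """Constructed smooth gradient: its LSB plane is a regular checkerboard."""
    return write_gray_png([[(x + y) % 256 for x in range(WIDTH)] for y in range(HEIGHT)])


def suspicious_sample() -> bytes:
    """Constructed: the same gradient with every LSB overwritten by random bits,
    which is what an encrypted configuration looks like statistically."""
    payload = os.urandom(WIDTH * HEIGHT // 8)
    bit = lambda i: (payload[i // 8] >> (7 - i % 8)) & 1
    return write_gray_png([[((x + y) % 256 & ~1) | bit(y * WIDTH + x)
                            for x in range(WIDTH)] for y in range(HEIGHT)])


if __name__ == "__main__":
    for name, png in (("clean", clean_sample()), ("suspicious", suspicious_sample())):
        print(name, round(lsb_compression_ratio(png), 3), looks_like_lsb_payload(png))
```

A real image with sensor noise has a less compressible LSB plane than this synthetic gradient, so in practice the threshold is set from a baseline of known-clean images, and the check is best used to prioritise which downloaded images get deeper analysis rather than as a standalone verdict.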
From there, the operation becomes even more sophisticated. Additional payloads are delivered directly into memory, allowing attackers to carry out activities like data theft, file exfiltration, and remote command execution without triggering traditional antivirus tools. For communication, the malware uses the Telegram Bot API, enabling attackers to send commands and receive stolen data through encrypted channels that blend seamlessly with legitimate traffic.
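The chain described above leaves behaviour that endpoint telemetry can catch even when the loader never touches disk: an Office process spawning a compiler, an Office-descended process registering a scheduled task, and a non-browser process talking to the Telegram Bot API. The block below is an added example, not code from the article, and its telemetry is constructed (the JSON schema, paths and process ids are mine, loosely modelled on Sysmon process-creation and network-connection events). It assumes the "built-in compiler" is the .NET Framework's csc.exe or vbc.exe and that persistence goes through schtasks.exe; the article names neither binary.

```python
import json
import ntpath
from typing import Dict, List, Tuple

# Added example (not from the article). Rules assume csc.exe/vbc.exe as the
# compiler and schtasks.exe for persistence; sample events are constructed.

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
TELEGRAM_BOT_API_HOST = "api.telegram.org"

# Constructed sample log: one JSON event per line.
SAMPLE_LOG = r'''
{"type": "process", "pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"}
{"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE C:\\Users\\u\\Downloads\\lure.xlsm"}
{"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "cmdline": "csc.exe /noconfig @C:\\Users\\u\\AppData\\Local\\Temp\\x.cmdline"}
{"type": "process", "pid": 400, "ppid": 200, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc onstart /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\svc.exe"}
{"type": "process", "pid": 500, "ppid": 100, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"type": "process", "pid": 600, "ppid": 200, "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"}
{"type": "network", "pid": 500, "dest_host": "api.telegram.org", "dest_port": 443}
{"type": "network", "pid": 600, "dest_host": "api.telegram.org", "dest_port": 443}
'''


def parse_events(log: str) -> List[dict]:
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def _name(image: str) -> str:
    # ntpath handles Windows paths regardless of the analysis host's OS
    return ntpath.basename(image).lower()


def has_office_ancestor(pid: int, procs: Dict[int, dict]) -> bool:
    """Walk the parent chain so an intermediate cmd.exe or wscript.exe hop is not missed."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        parent = procs.get(pid)
        if parent and _name(parent["image"]) in OFFICE_APPS:
            return True
    return False


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts for the three behaviours of the chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        if e["type"] == "process":
            name = _name(e["image"])
            if name in DOTNET_COMPILERS and has_office_ancestor(e["pid"], procs):
                alerts.append(("office_spawned_dotnet_compiler", e["pid"]))
            elif name == "schtasks.exe" and has_office_ancestor(e["pid"], procs):
                alerts.append(("office_spawned_schtasks", e["pid"]))
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            if (e["dest_host"].lower() == TELEGRAM_BOT_API_HOST
                    and proc and _name(proc["image"]) not in BROWSERS):
                alerts.append(("non_browser_telegram_bot_api", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule}: pid {pid}")
```

The browser whitelist exists because a user with Telegram open in a tab will legitimately reach api.telegram.org; the two process rules need no such exception, since there is almost no benign reason for a spreadsheet to invoke a compiler or register a task.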
Researchers have also identified Persian-language comments within the code and behavioral similarities with previous campaigns, reinforcing attribution to OilRig. By combining fileless malware execution with the abuse of trusted platforms like Google Drive, GitHub, and Telegram, this campaign highlights how modern threat actors continue to evolve their tactics to stay ahead of conventional security defenses.