Earth Simnavaz, also known as APT34 and OilRig, is a cyber-espionage group that has been tracked by cybersecurity firm Trend Micro. This threat actor is particularly active in targeting infrastructure in the Middle East, leveraging compromised organizations to conduct supply chain attacks on other entities. Their tactics involve blending into normal network activity and customizing malware to avoid detection. The group's arsenal mainly consists of IIS-based malware such as web shells, customized .NET tools, and PowerShell scripts. They pose an immediate threat to sectors in the Middle East due to their evolving tactics and increased activity.
There is a documented overlap between Earth Simnavaz and another Advanced Persistent Threat (APT) group, FOX Kitten, both of which have been observed using the Remote Monitoring and Management (RMM) tool ngrok. In August, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted FOX Kitten's role in enabling ransomware attacks targeting organizations in the US and the Middle East. Earth Simnavaz's activities underscore the ongoing threat posed by state-sponsored cyber actors, especially in sectors vital to national security and economic stability.
Recent research has identified a sophisticated new backdoor deployed by Earth Simnavaz, bearing striking similarities to malware previously associated with this APT group. This backdoor facilitates the exfiltration of sensitive credentials, including accounts and passwords, through on-premises Microsoft Exchange servers. This development underscores the group's persistent efforts to advance its cyber-espionage capabilities, further escalating the risk they pose to targeted sectors and regions.
Description last updated: 2024-10-23T00:05:03.667Z