New Grandoreiro Banking Malware Variants Add Advanced Tactics to Evade Detection
Published on October 24, 2024
The Bahrain Petroleum Company (Bapco) was hit by Iranian-made data-wiping malware on December 29, 2019. Although the incident took place some days ago, it has only now been made public, a disclosure prompted by the tensions that followed the killing of General Soleimani by an American drone strike. The infection predates that event, so it cannot be connected to, or part of, Iran's retaliation efforts, but it still demonstrates the capabilities of state-supported hacking groups from that country.
Dubbed "Dustman", the new strain was successfully planted on Bapco's computers, but the effects of its activity were contained to a small part of the network, so the attack cannot be considered very successful. Still, it was an attempt to bring down one of the world's most prolific petroleum companies, which produces about 260,000 barrels per day. Bahrain and the United States are long-time close allies: the country has hosted U.S. naval activity in the Persian Gulf since 1947, the two signed a Defense Cooperation Agreement in 1991, and in 2001 the U.S. designated Bahrain a Major non-NATO ally, which gives an idea of why Iranian actors like to target it.
According to details reported by ZDNet, Dustman's goal this time was not to interrupt Bapco's operations; it was used as a last resort to wipe the traces left by the actors during an earlier intrusion. Reportedly, the hackers had already established a presence in Bapco's network but then made mistakes that risked blowing their cover. Their way in may have been the Fortinet VPN products used by Bapco, which contain flaws that were disclosed last summer. Those flaws have been patched, but Bapco may not have applied the available updates.
The actors compiled Dustman hastily and deployed it to the Bapco network, achieving only a partial compromise. Some workstations were in sleep mode at the time of the attack, so the wiper never ran on them; that left the attack traceable and allowed samples of the malware to be retrieved. However, concrete evidence pointing to a specific Iranian hacking group is missing, so there can be no confident attribution. Iranian groups have been developing data-wiping malware since 2012, with Shamoon and ZeroCleare being two of the most noteworthy examples.