A command and
control server used by the Iranian-associate group PupyRAT that is
communicating with the mail server of a European energy sector organization for
the last several months.

Recorded Future’s
Insikt Group reported PupyRAT, a remote access trojan, had been chatting with
the November2019 until about January 5, 2020. The security firm could not solidly
confirm through the metadata viewed that PupyRAT had been able to compromise
its target, but Insikt Group researchers
believe the amount of traffic between the targeted mail server to a PupyRAT C2
are sufficient to indicate a likely intrusion.

PupyRAT is
an open-source malware generally used by organizations as a “red team” tool,
but Insikt Group noted it has been previously used Iranian groups, including
APT33 and Cobalt Gypsy.

“Whoever the
attacker is, the targeting of a mail server at a high-value critical
infrastructure organization could give an adversary access to sensitive
information on energy allocation and resourcing in Europe,” the report said.

The
researchers pointed out PupyRAT’s possible intrusion of the mail server
predated the recent tensions that have arisen between the United States and
Iran indicating the activity is likely part of an on-going cyberespionage
campaign aimed at the European energy sector.