Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API.[1]
Enterprise | T1217 | Browser Information Discovery | During Outer Space, OilRig used a Chrome data dumper named MKG.[1]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Outer Space, OilRig used VBS droppers to deploy malware.[1]
Enterprise | T1584.004 | Compromise Infrastructure: Server | During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[1]
Enterprise | T1587.001 | Develop Capabilities: Malware | For Outer Space, OilRig created new implants including the Solar backdoor.[1]
Enterprise | T1585.003 | Establish Accounts: Cloud Accounts | During Outer Space, OilRig created M365 email accounts to be used as part of C2.[1]
Enterprise | T1105 | Ingress Tool Transfer | During Outer Space, OilRig downloaded additional tools to compromised infrastructure.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[1]