Juicy Mix

Juicy Mix was a campaign conducted by OilRig throughout 2022 that targeted Israeli organizations with the Mango backdoor.[1]

ID: C0044
First Seen: January 2022 [1]
Last Seen: December 2022 [1]
Version: 1.0
Created: 25 November 2024
Last Modified: 25 November 2024

Groups

ID Name Description
G0049 OilRig [1]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Juicy Mix, OilRig used a VBS script to send POST requests to register installed malware with C2.[1]

Enterprise T1217 Browser Information Discovery

During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Juicy Mix, OilRig used a PowerShell script to steal credentials.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

During Juicy Mix, OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

During Juicy Mix, OilRig compromised an Israeli job portal to use for a C2 server.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.[1]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

During Juicy Mix, OilRig used a Windows Credential Manager stealer for credential access.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

During Juicy Mix, OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

During Juicy Mix, OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

For Juicy Mix, OilRig improved on Solar by developing the Mango backdoor.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During Juicy Mix, OilRig used VBS droppers to schedule tasks for persistence.[1]

Enterprise T1518 Software Discovery

During Juicy Mix, OilRig used browser data dumper tools to create a list of users with Google Chrome installed.[1]

Enterprise T1082 System Information Discovery

During Juicy Mix, OilRig used a script to send the name of the compromised host via HTTP POST to register it with C2.[1]

Software

ID Name Description
S1169 Mango [1]

References