OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

ID: G0049
Associated Groups: COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Contributors: Robert Falcone; Bryan Lee; Dragos Threat Intelligence; Jaesang Oh, KC7 Foundation
Version: 5.0
Created: 14 December 2017
Last Modified: 16 January 2025

Associated Group Descriptions

Name Description
COBALT GYPSY

[8]

IRN2

[9]

APT34

This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.[7][1][10]

Helix Kitten

[7][9]

Evasive Serpens

[6]

Hazel Sandstorm

[11]

EUROPIUM

[11]

ITG13

[12]

Earth Simnavaz

[13]

Crambus

[14]

TA452

[15]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[4]

.002 Account Discovery: Domain Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[4]

Enterprise T1583 .001 Acquire Infrastructure: Domains

OilRig has set up fake VPN portals, conference sign ups, and job application websites to target victims.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OilRig has used HTTP for C2.[6][17][18]

During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers including via the Microsoft Exchange Web Services API.[16]

During Juicy Mix, OilRig used a VBS script to send POST requests to register installed malware with C2.[16]

.004 Application Layer Protocol: DNS

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.[6][17][18][10]

Enterprise T1119 Automated Collection

OilRig has used automated collection.[6]

Enterprise T1217 Browser Information Discovery

During Outer Space, OilRig used a Chrome data dumper named MKG.[16]

During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials.[16]

Enterprise T1110 Brute Force

OilRig has used brute force techniques to obtain credentials.[17][12]

Enterprise T1115 Clipboard Data

OilRig has used infostealer tools to copy clipboard data.[14]

Enterprise T1059 Command and Scripting Interpreter

OilRig has used various types of scripting for execution.[1][19][20][7][21]

.001 PowerShell

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[1][22][9][13]

During Juicy Mix, OilRig used a PowerShell script to steal credentials.[16]

.003 Windows Command Shell

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[1][19][20][7][21] OilRig has used batch scripts.[1][19][20][7][21]

.005 Visual Basic

OilRig has used VBScript macros for execution on compromised hosts.[10]

During Outer Space, OilRig used VBS droppers to deploy malware.[16]

During Juicy Mix, OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor.[16]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

OilRig has compromised email accounts to send phishing emails.[3]

Enterprise T1584 .004 Compromise Infrastructure: Server

During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[16]

During Juicy Mix, OilRig compromised an Israeli job portal to use for a C2 server.[16]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

OilRig has used a compromised Domain Controller to create a service on a remote host.[14]

Enterprise T1555 Credentials from Password Stores

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18]

.003 Credentials from Web Browsers

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18] OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.[18]

During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.[16]

.004 Windows Credential Manager

OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[18]

During Juicy Mix, OilRig used a Windows Credential Manager stealer for credential access.[16]

Enterprise T1132 .001 Data Encoding: Standard Encoding

During Juicy Mix, OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.[16]

Enterprise T1005 Data from Local System

OilRig has used PowerShell to upload files from compromised systems.[13]

Enterprise T1025 Data from Removable Media

OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic.[14]

Enterprise T1074 .001 Data Staged: Local Data Staging

During Juicy Mix, OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.[16]

Enterprise T1140 Deobfuscate/Decode Files or Information

A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[1][22][20][24]

During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango.[16]

Enterprise T1587 .001 Develop Capabilities: Malware

OilRig actively developed and used a series of downloaders during 2022.[25]

For Outer Space, OilRig created new implants including the Solar backdoor.[16]

For Juicy Mix, OilRig improved on Solar by developing the Mango backdoor.[16]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.[17]

Enterprise T1585 .003 Establish Accounts: Cloud Accounts

During Outer Space, OilRig created M365 email accounts to be used as part of C2.[16]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.[5][13]

Enterprise T1203 Exploitation for Client Execution

OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of SYSTEM.[13]

Enterprise T1068 Exploitation for Privilege Escalation

OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088.[13]

Enterprise T1133 External Remote Services

OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[17]

Enterprise T1008 Fallback Channels

OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[19]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

OilRig has modified Windows firewall rules to enable remote access.[14]

Enterprise T1070 .004 Indicator Removal: File Deletion

OilRig has deleted files associated with their payload after execution.[1][20]

Enterprise T1105 Ingress Tool Transfer

OilRig had downloaded remote files onto victim infrastructure.[1][13]

During Outer Space, OilRig downloaded additional tools to comrpomised infrastructure.[16]

Enterprise T1056 .001 Input Capture: Keylogging

OilRig has employed keyloggers including KEYPUNCH and LONGWATCH.[17][18][14]

Enterprise T1036 Masquerading

OilRig has used .doc file extensions to mask malicious executables.[10]

.005 Match Legitimate Resource Name or Location

OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.[14]

Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

OilRig has registered a password filter DLL in order to drop malware.[13]

Enterprise T1112 Modify Registry

OilRig has used reg.exe to modify system configuration.[14][13]

Enterprise T1046 Network Service Discovery

OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[17]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[2][21]

.013 Obfuscated Files or Information: Encrypted/Encoded File

OilRig has encrypted and encoded data in its malware, including by using base64.[1][7][6][9][21]

During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[16]

Enterprise T1588 .002 Obtain Capabilities: Tool

OilRig has made use of the publicly available tools including Plink and Mimikatz.[14][13]

.003 Obtain Capabilities: Code Signing Certificates

OilRig has obtained stolen code signing certificates to digitally sign malware.[3]

Enterprise T1137 .004 Office Application Startup: Outlook Home Page

OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.[26]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18]

.004 OS Credential Dumping: LSA Secrets

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18]

.005 OS Credential Dumping: Cached Domain Credentials

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18]

Enterprise T1201 Password Policy Discovery

OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain.[27]

Enterprise T1120 Peripheral Device Discovery

OilRig has used tools to identify if a mouse is connected to a targeted system.[10]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OilRig has used net localgroup administrators to find local administrators on compromised systems.[4][14]

.002 Permission Groups Discovery: Domain Groups

OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[20][7][9][3]

.002 Phishing: Spearphishing Link

OilRig has sent spearphising emails with malicious links to potential victims.[20][3]

.003 Phishing: Spearphishing via Service

OilRig has used LinkedIn to send spearphishing links.[18]

Enterprise T1057 Process Discovery

OilRig has run tasklist on a victim's machine and used infostealers to capture processes.[4][14]

Enterprise T1572 Protocol Tunneling

OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[6][17][18][14]

Enterprise T1012 Query Registry

OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[4]

Enterprise T1219 Remote Access Tools

OilRig has incorporated remote monitoring and management (RMM) tools into their operations including ngrok.[13]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[6][17][24][14][14]

.004 Remote Services: SSH

OilRig has used Putty to access compromised systems.[6]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[20][7][18][10]

During Juicy Mix, OilRig used VBS droppers to schedule tasks for persistence.[16]

Enterprise T1113 Screen Capture

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.[17]

Enterprise T1505 .003 Server Software Component: Web Shell

OilRig has used web shells, often to maintain access to a victim network.[6][17][24][13]

Enterprise T1518 Software Discovery

During Juicy Mix, OilRig used browser data dumper tools to create a list of users with Google Chrome installed.[16]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

OilRig has hosted malware on fake websites designed to target specific audiences.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

OilRig has signed its malware with stolen certificates.[3]

Enterprise T1195 Supply Chain Compromise

OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities.[13]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[4]

Enterprise T1082 System Information Discovery

OilRig has run hostname and systeminfo on a victim.[4][5][18][10][14]

During Juicy Mix, OilRig used a script to send the name of the compromised host via HTTP POST to register it with C2.[16]

Enterprise T1016 System Network Configuration Discovery

OilRig has run ipconfig /all on a victim.[4][5]

Enterprise T1049 System Network Connections Discovery

OilRig has used netstat -an on a victim to get a listing of network connections.[4]

Enterprise T1033 System Owner/User Discovery

OilRig has run whoami on a victim.[4][5][10]

Enterprise T1007 System Service Discovery

OilRig has used sc query on a victim to gather information about services.[4]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][17][23][18]

Enterprise T1204 .001 User Execution: Malicious Link

OilRig has delivered malicious links to achieve execution on the target system.[20][7][9][3]

.002 User Execution: Malicious File

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[20][7][9][10][3]

Enterprise T1078 Valid Accounts

OilRig has used compromised credentials to access other systems on a victim network.[6][17][24][12]

.002 Domain Accounts

OilRig has used an exfiltration tool named STEALHOOK to retreive valid domain credentials.[13]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OilRig has used macros to verify if a mouse is connected to a compromised machine.[10]

Enterprise T1047 Windows Management Instrumentation

OilRig has used WMI for execution.[17][14]

ICS T0817 Drive-by Compromise

OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. [28]

ICS T0853 Scripting

OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.[29]

ICS T0865 Spearphishing Attachment

OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. [29]

ICS T0869 Standard Application Layer Protocol

OilRig communicated with its command and control using HTTP requests. [29]

ICS T0859 Valid Accounts

OilRig utilized stolen credentials to gain access to victim machines.[30]

Software

ID Name References Techniques
S0360 BONDUPDATER [1] [31] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Dynamic Resolution: Domain Generation Algorithms, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task
S0160 certutil [1][14] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0095 ftp [5] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0170 Helminth [4][17][9] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Data Transfer Size Limits, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0100 ipconfig [4] System Network Configuration Discovery
S0189 ISMInjector [22] Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task
S0349 LaZagne [23] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S1169 Mango [16] Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File
S0002 Mimikatz [6][17][23][14] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [4][1][14] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [4][1][14] System Network Connections Discovery
S0508 ngrok [13] Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S1170 ODAgent [25] Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Web Service: Bidirectional Communication
S1172 OilBooster [25] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Inter-Process Communication, Native API, System Information Discovery, System Owner/User Discovery, Web Service: Bidirectional Communication
S1171 OilCheck [25] Exfiltration Over Web Service, Ingress Tool Transfer, Web Service: Bidirectional Communication
S0264 OopsIE [20] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data: Archive via Utility, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Windows Management Instrumentation
S1173 PowerExchange [14] Application Layer Protocol: Mail Protocols, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer
S0184 POWRUNER [1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, File and Directory Discovery, Ingress Tool Transfer, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0029 PsExec [17] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0269 QUADAGENT [7] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Fallback Channels, Indicator Removal: File Deletion, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Fileless Storage, Query Registry, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery, System Owner/User Discovery
S0495 RDAT [32] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Application Layer Protocol: Mail Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Encoding: Non-Standard Encoding, Data Obfuscation: Steganography, Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Steganography, Screen Capture
S0075 Reg [4][1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0258 RGDoor [33] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Server Software Component: IIS Components, System Owner/User Discovery
S1168 SampleCheck5000 [16] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, Ingress Tool Transfer, System Information Discovery, Web Service: Bidirectional Communication
S0185 SEASHARPEE [17] Command and Scripting Interpreter: Windows Command Shell, Indicator Removal: Timestomp, Ingress Tool Transfer, Server Software Component: Web Shell
S0610 SideTwist [10] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Native API, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S1166 Solar [16] Automated Exfiltration, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, System Information Discovery
S0096 Systeminfo [1] System Information Discovery
S0057 Tasklist [4][1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S1151 ZeroCleare OilRig collaborated on the destructive portion of the ZeroCleare attack.[12] Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Disk Wipe: Disk Structure Wipe, Exploitation for Privilege Escalation, Indicator Removal: File Deletion, Native API, Subvert Trust Controls: Code Signing, System Information Discovery

References

  1. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  2. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  3. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  4. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  5. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  6. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  7. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  8. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
  9. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  10. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  11. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  12. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  13. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  14. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  15. Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.
  16. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  17. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  1. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  2. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  3. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  4. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  5. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  6. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  7. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  8. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  9. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
  10. Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved November 17, 2024.
  11. Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024.
  12. Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19
  13. Dragos Chrysene Retrieved. 2019/10/27
  14. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  15. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  16. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.