OilRig

OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. [1] [2] [3] [4] [5] [6] This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.

ID: G0049
Aliases: OilRig, Helix Kitten, APT34
Contributors: Robert Falcone; Bryan Lee

Version: 1.0

Alias Descriptions

Name | Description
OilRig | [1] [2] [3] [4] [5] [11]
Helix Kitten | [11]
APT34 | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. [11] [6]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. [3]
Enterprise | T1119 | Automated Collection | OilRig has used automated collection. [5]
Enterprise | T1110 | Brute Force | OilRig has used brute force techniques to obtain credentials. [7]
Enterprise | T1059 | Command-Line Interface | OilRig has used the command-line interface for execution. [6] [8] [5] [7]
Enterprise | T1223 | Compiled HTML File | OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. [3]
Enterprise | T1003 | Credential Dumping | OilRig has used credential dumping tools such as Mimikatz and LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [5] [7]
Enterprise | T1094 | Custom Command and Control Protocol | OilRig has used custom DNS tunneling protocols for C2. [5]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. [6] [9] [8]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS. [4]
Enterprise | T1133 | External Remote Services | OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. [7]
Enterprise | T1008 | Fallback Channels | OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. [10]
Enterprise | T1107 | File Deletion | OilRig has deleted files associated with their payload after execution. [6] [8]
Enterprise | T1066 | Indicator Removal from Tools | OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion. [1]
Enterprise | T1056 | Input Capture | OilRig has used a keylogging tool called KEYPUNCH. [7]
Enterprise | T1046 | Network Service Scanning | OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. [7]
Enterprise | T1027 | Obfuscated Files or Information | OilRig has encrypted and encoded data in its malware, including by using base64. [6] [11] [5]
Enterprise | T1201 | Password Policy Discovery | OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain. [12]
Enterprise | T1069 | Permission Groups Discovery | OilRig has used net group /domain, net localgroup administrators, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find group permission settings on a victim. [3]
Enterprise | T1086 | PowerShell | OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. [6] [9]
Enterprise | T1057 | Process Discovery | OilRig has run tasklist on a victim's machine. [3]
Enterprise | T1012 | Query Registry | OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry. [3]
Enterprise | T1108 | Redundant Access | OilRig has used RGDoor via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access. [5]
Enterprise | T1076 | Remote Desktop Protocol | OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. [5] [7]
Enterprise | T1105 | Remote File Copy | OilRig can download remote files onto victims. [6]
Enterprise | T1021 | Remote Services | OilRig has used PuTTY to access compromised systems. [5]
Enterprise | T1053 | Scheduled Task | OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines. [8] [11]
Enterprise | T1113 | Screen Capture | OilRig has a tool called CANDYKING to capture a screenshot of a user's desktop. [7]
Enterprise | T1064 | Scripting | OilRig has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as QUADAGENT and OopsIE. [6] [10] [8] [11]
Enterprise | T1193 | Spearphishing Attachment | OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. [8] [11]
Enterprise | T1192 | Spearphishing Link | OilRig has sent spearphishing emails with malicious links to potential victims. [8]
Enterprise | T1071 | Standard Application Layer Protocol | OilRig has used HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers. [5] [7]
Enterprise | T1032 | Standard Cryptographic Protocol | OilRig used the Plink utility and other tools to create tunnels to C2 servers. [7]
Enterprise | T1082 | System Information Discovery | OilRig has run hostname and systeminfo on a victim. [3] [4]
Enterprise | T1016 | System Network Configuration Discovery | OilRig has run ipconfig /all on a victim. [3] [4]
Enterprise | T1049 | System Network Connections Discovery | OilRig has used netstat -an on a victim to get a listing of network connections. [3]
Enterprise | T1033 | System Owner/User Discovery | OilRig has run whoami on a victim. [3] [4]
Enterprise | T1007 | System Service Discovery | OilRig has used sc query on a victim to gather information about services. [3]
Enterprise | T1204 | User Execution | OilRig has delivered malicious links and macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system. [8] [11]
Enterprise | T1078 | Valid Accounts | OilRig has used compromised credentials to access other systems on a victim network. [5] [7]
Enterprise | T1100 | Web Shell | OilRig has used Web shells, often to maintain access to a victim network. [5] [7]
Enterprise | T1047 | Windows Management Instrumentation | OilRig has used WMI for execution. [7]
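Most of the discovery rows above (T1087, T1069, T1201, T1012, T1057, T1049, T1007, T1033, T1082, T1016) are ordinary Windows built-ins, so no single command is a reliable indicator; what stands out on a host is several of them being run in a short burst. The following detector, an added example that is not part of the ATT&CK page or any OilRig report, matches the exact command lines listed in the table against process-creation events and alerts when a host runs at least four distinct discovery techniques inside a ten-minute window. The log line format, the host and user names, and the sample events are all constructed for the example; the technique-to-command mapping is taken from the table.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical process-creation log format, constructed for this example:
#   <ISO-8601 UTC timestamp> host=<name> user=<name> cmd="<command line>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Discovery commands the page attributes to OilRig, keyed by the ATT&CK
# technique ID each is listed under. Patterns are kept narrow so routine
# administration (e.g. "net user alice /add") is not counted as discovery.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r'^net(?:\.exe)?\s+user(?:\s+/domain)?\s*$', re.I),
    "T1069": re.compile(r'^net(?:\.exe)?\s+(?:group\b|localgroup\s+administrators\b)', re.I),
    "T1201": re.compile(r'^net(?:\.exe)?\s+accounts\s+/domain\b', re.I),
    "T1012": re.compile(r'^reg(?:\.exe)?\s+query\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client', re.I),
    "T1057": re.compile(r'^tasklist(?:\.exe)?\b', re.I),
    "T1049": re.compile(r'^netstat(?:\.exe)?\s+-an\b', re.I),
    "T1007": re.compile(r'^sc(?:\.exe)?\s+query\b', re.I),
    "T1033": re.compile(r'^whoami(?:\.exe)?\b', re.I),
    "T1082": re.compile(r'^(?:hostname|systeminfo)(?:\.exe)?\b', re.I),
    "T1016": re.compile(r'^ipconfig(?:\.exe)?\s+/all\b', re.I),
}

# Constructed sample events: WS01 shows a discovery burst, WS02 shows two
# unrelated admin commands hours apart (should not alert).
SAMPLE_LOG = [
    '2018-07-03T10:01:12Z host=WS01 user=jdoe cmd="whoami"',
    '2018-07-03T10:01:15Z host=WS01 user=jdoe cmd="hostname"',
    '2018-07-03T10:01:20Z host=WS01 user=jdoe cmd="ipconfig /all"',
    '2018-07-03T10:02:05Z host=WS01 user=jdoe cmd="net user /domain"',
    '2018-07-03T10:02:30Z host=WS01 user=jdoe cmd="net group "domain admins" /domain"',
    r'2018-07-03T10:03:02Z host=WS01 user=jdoe cmd="reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""',
    '2018-07-03T10:03:40Z host=WS01 user=jdoe cmd="netstat -an"',
    '2018-07-03T09:15:00Z host=WS02 user=itops cmd="ipconfig /all"',
    '2018-07-03T11:45:00Z host=WS02 user=itops cmd="tasklist"',
    '2018-07-03T11:46:00Z host=WS02 user=itops cmd="notepad.exe report.txt"',
]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def classify(cmd):
    """Return the ATT&CK technique ID whose discovery pattern matches cmd, else None."""
    for tid, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return tid
    return None


def find_discovery_bursts(lines, window=timedelta(minutes=10), min_distinct=4):
    """Return [(host, first_ts, sorted technique IDs)] for every host that ran
    at least min_distinct distinct discovery techniques within one window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tid = classify(ev["cmd"])
        if tid:
            by_host[ev["host"]].append((ev["ts"], tid))

    alerts = []
    for host, events in by_host.items():
        events.sort()                      # chronological order per host
        i = 0
        while i < len(events):
            start = events[i][0]
            # events are sorted, so those inside the window form a contiguous run
            in_window = [tid for ts, tid in events[i:] if ts - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_distinct:
                alerts.append((host, start, distinct))
                i += len(in_window)        # one alert per burst, not per event
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for host, first_ts, techniques in find_discovery_bursts(SAMPLE_LOG):
        print(f"{host}: discovery burst starting {first_ts.isoformat()} -> {', '.join(techniques)}")
```

The threshold and window are tuning knobs: in an environment where help-desk staff routinely run `ipconfig /all` and `tasklist`, four distinct techniques in ten minutes keeps those out while still catching the whoami / hostname / ipconfig / net user / net group / reg query sequence the table describes. Real telemetry (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing) needs its own parser in place of `parse_line`; the burst logic is unchanged.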

Software

ID | Name | Techniques
S0160 | certutil | Deobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0095 | FTP | Commonly Used Port, Exfiltration Over Alternative Protocol
S0170 | Helminth | Automated Collection, Clipboard Data, Code Signing, Command-Line Interface, Data Encoding, Data Staged, Data Transfer Size Limits, Input Capture, Obfuscated Files or Information, Permission Groups Discovery, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Scripting, Shortcut Modification, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0100 | ipconfig | System Network Configuration Discovery
S0189 | ISMInjector | Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Hollowing, Scheduled Task
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 | netstat | System Network Connections Discovery
S0264 | OopsIE | Command-Line Interface, Data Compressed, Data Encoding, Data Staged, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Exfiltration Over Command and Control Channel, File Deletion, Obfuscated Files or Information, Remote File Copy, Scheduled Task, Scripting, Security Software Discovery, Software Packing, Standard Application Layer Protocol, System Information Discovery, System Time Discovery, Windows Management Instrumentation
S0184 | POWRUNER | Account Discovery, Command-Line Interface, Data Encoding, File and Directory Discovery, Permission Groups Discovery, PowerShell, Process Discovery, Query Registry, Remote File Copy, Scheduled Task, Screen Capture, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0029 | PsExec | Service Execution, Windows Admin Shares
S0269 | QUADAGENT | Command-Line Interface, Data Obfuscation, Deobfuscate/Decode Files or Information, Fallback Channels, File Deletion, Masquerading, Modify Registry, Obfuscated Files or Information, PowerShell, Query Registry, Scheduled Task, Scripting, Standard Application Layer Protocol, System Network Configuration Discovery, System Owner/User Discovery
S0075 | Reg | Credentials in Registry, Modify Registry, Query Registry
S0258 | RGDoor | Command-Line Interface, Data Encrypted, Deobfuscate/Decode Files or Information, Remote File Copy, Standard Application Layer Protocol, System Owner/User Discovery
S0185 | SEASHARPEE | Command-Line Interface, Remote File Copy, Timestomp, Web Shell
S0096 | Systeminfo | System Information Discovery
S0057 | Tasklist | Process Discovery, Security Software Discovery, System Service Discovery

References