1. Home
  2. Software
  3. OilCheck

OilCheck

OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022 including against targets in Israel. OilCheck uses draft messages created in a shared email account for C2 communication.[1]

ID: S1171
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 26 November 2024
Last Modified: 27 November 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1567 Exfiltration Over Web Service

OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.[1]
Enterprise T1105 Ingress Tool Transfer

OilCheck can download staged payloads from an actor-controlled infrastructure.[1]
Enterprise T1102 .002 Web Service: Bidirectional Communication

OilCheck can use a REST-based Microsoft Graph API to access draft messages in a shared Microsoft Office 365 Outlook email account used for C2 communication.[1]

Groups That Use This Software

ID Name References
G0049 OilRig

[1]

References

  1. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.