OilBooster

OilBooster is a downloader written in Microsoft Visual C/C++ that OilRig has used since at least 2022, including against target organizations in Israel, to download and execute files and to exfiltrate data.[1]

ID: S1172
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 26 November 2024
Last Modified: 27 November 2024

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

OilBooster can send HTTP GET, POST, PUT, and DELETE requests to the Microsoft Graph API over port 443 for C2 communication.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

OilBooster has the ability to execute shell commands and exfiltrate the results.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

OilBooster can stage files in the tempFiles directory for exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.[1]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

OilBooster can use the OpenSSL library to encrypt C2 communications.[1]

Enterprise T1041 Exfiltration Over C2 Channel

OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

OilBooster can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.[1]

Enterprise T1008 Fallback Channels

OilBooster can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server.[1]

Enterprise T1564.003 Hide Artifacts: Hidden Window

OilBooster can hide its console window upon execution through the ShowWindow API.[1]

Enterprise T1105 Ingress Tool Transfer

OilBooster can download and execute files from an actor-controlled OneDrive account.[1]

Enterprise T1559 Inter-Process Communication

OilBooster can read the results of command line execution via an unnamed pipe connected to the process.[1]

Enterprise T1106 Native API

OilBooster has used the ShowWindow and CreateProcessW APIs.[1]

Enterprise T1082 System Information Discovery

OilBooster can identify the compromised system's hostname, which is used to create a unique identifier.[1]

Enterprise T1033 System Owner/User Discovery

OilBooster can identify the compromised system's username, which is then used as part of a unique identifier.[1]

Enterprise T1102.002 Web Service: Bidirectional Communication

OilBooster uses the Microsoft Graph API to connect to an actor-controlled OneDrive account to download and execute files and shell commands, and to create directories to share exfiltrated data.[1]

Groups That Use This Software

ID Name References
G0049 OilRig [1]

References