Group: OilRig

ID: G0049
Aliases: OilRig
Contributors: Robert Falcone, Bryan Lee

OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets.[1][2][3][4][5] Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways.[6]

Alias Descriptions

Techniques Used

  • Indicator Removal from Tools - OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[1]
  • Account Discovery - OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[3]
  • Permission Groups Discovery - OilRig has used net group /domain, net localgroup administrators, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find group permission settings on a victim.[3]
  • Query Registry - OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[3]
  • Fallback Channels - OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[7]
  • Redundant Access - OilRig has used an IIS backdoor (RGDoor) via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access.[5]
  • Web Shell - OilRig has installed Web shells onto victim Web servers.[5]
  • File Deletion - OilRig's TwoFace Web shell uses del to delete a text file of passwords after reading it.[8]
  • Valid Accounts - OilRig has used compromised credentials to access other systems on a victim network.[5]
  • Credential Dumping - OilRig has used credential dumping tools to steal credentials to accounts logged into the compromised system.[5]
  • PowerShell - An OilRig macro has run a PowerShell command to decode file contents.[9]
  • Scripting - OilRig has used various types of scripting for execution, including.[7]
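As an added defender-side example (not part of the ATT&CK page and not OilRig tooling), the following Python classifies the Account Discovery, Permission Groups Discovery and Query Registry commands listed above when they appear in process-creation logs, and raises an alert when one host runs several of them within a short window, which is how this discovery activity typically shows up in endpoint telemetry. The log line format (timestamp, host, user, command line), the host names and the timestamps are constructed for the example; account-modification forms of net (/add, /delete) are deliberately excluded because they are not discovery.

```python
"""Added example: flag the OilRig discovery commands from the page in
constructed process-creation log lines (format and data are made up)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique name as used on the page, accepted executable names,
#  regex applied to the argument string after the executable)
RULES = [
    ("Account Discovery", {"net", "net1"},
     re.compile(r"^user\b(?!.*\s/(?:add|delete|del)\b)", re.I)),
    ("Permission Groups Discovery", {"net", "net1"},
     re.compile(r"^(?:group|localgroup)\b(?!.*\s/(?:add|delete|del)\b)", re.I)),
    ("Query Registry", {"reg"},
     re.compile(r"^query\b.*terminal server client", re.I)),
]


def split_command(cmdline):
    """Return (executable basename without .exe, argument string)."""
    tokens = cmdline.strip().split()
    if not tokens:
        return "", ""
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return exe, " ".join(tokens[1:])


def classify(cmdline):
    """Name the discovery technique a command line matches, or None."""
    exe, args = split_command(cmdline)
    for name, exes, pattern in RULES:
        if exe in exes and pattern.search(args):
            return name
    return None


def parse_line(line):
    """Constructed format: ISO timestamp,host,user,command line."""
    ts, host, user, cmd = line.split(",", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def detect(lines, window=timedelta(minutes=5), threshold=3):
    """Return {host: [(ts, user, technique, cmd), ...]} for every host on
    which at least `threshold` discovery commands ran inside `window`."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = parse_line(line)
        technique = classify(cmd)
        if technique:
            by_host[host].append((ts, user, technique, cmd))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, *_) in enumerate(events):
            cluster = [e for e in events[i:] if e[0] - start <= window]
            if len(cluster) >= threshold:
                alerts[host] = cluster
                break
    return alerts


# Constructed sample log: WS01 shows a discovery burst; WS02 and WS03 do not.
SAMPLE_LOG = [
    "2018-02-05T10:00:01,WS01,alice,net user /domain",
    '2018-02-05T10:00:09,WS01,alice,net group "domain admins" /domain',
    '2018-02-05T10:00:15,WS01,alice,net group "Exchange Trusted Subsystem" /domain',
    r'2018-02-05T10:00:40,WS01,alice,reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"',
    "2018-02-05T11:30:00,WS02,bob,net user bob /domain",
    "2018-02-05T11:31:00,WS02,bob,net localgroup administrators svc_backup /add",
    r'2018-02-05T12:00:00,WS03,svc,"C:\Windows\System32\net1.exe" localgroup administrators',
]

if __name__ == "__main__":
    for host, events in detect(SAMPLE_LOG).items():
        print(f"[ALERT] {host}: {len(events)} discovery commands")
        for ts, user, technique, cmd in events:
            print(f"  {ts.isoformat()} {user:8} {technique:28} {cmd}")
```

The window and threshold are tuning knobs: a single `net user` lookup by an administrator is normal, while the page's sequence of account, group and Terminal Server Client queries from one host in under a minute is the pattern worth paging on. In production the same logic would read Sysmon Event ID 1 or Windows Security 4688 command lines instead of the constructed CSV.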