OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7] This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.
Associated Group Descriptions
Name | Description
---|---
IRN2 |
HELIX KITTEN |
APT34 | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.[7][6]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | OilRig has run
Enterprise | T1087.001 | Account Discovery: Local Account | OilRig has run
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1071.004 | Application Layer Protocol: DNS |
Enterprise | T1119 | Automated Collection |
Enterprise | T1110 | Brute Force | OilRig has used brute force techniques to obtain credentials.[9]
Enterprise | T1059 | Command and Scripting Interpreter | OilRig has used various types of scripting for execution.[6][11][12][7][13]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[6][14][8]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[6][11][12][7][13] OilRig has used batch scripts.[6][11][12][7][13]
Enterprise | T1555 | Credentials from Password Stores | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10] OilRig has also used tools named VALUEVAULT and PICKPOCKET to dump passwords from web browsers.[10]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[6][14][12]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | OilRig used the Plink utility and other tools to create tunnels to C2 servers.[9]
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.[4]
Enterprise | T1133 | External Remote Services | OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[9]
Enterprise | T1008 | Fallback Channels | OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[11]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | OilRig has deleted files associated with their payload after execution.[6][12]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1056.001 | Input Capture: Keylogging | OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[9][10]
Enterprise | T1046 | Network Service Scanning | OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[9]
Enterprise | T1027 | Obfuscated Files or Information | OilRig has encrypted and encoded data in its malware, including by using base64.[6][7][5][8][13]
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[1][13]
Enterprise | T1137.004 | Office Application Startup: Outlook Home Page | OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.[16]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10]
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10]
Enterprise | T1201 | Password Policy Discovery | OilRig has used net.exe in a script with
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | OilRig has used
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | OilRig has used
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[12][7][8]
Enterprise | T1566.002 | Phishing: Spearphishing Link | OilRig has sent spearphishing emails with malicious links to potential victims.[12]
Enterprise | T1566.003 | Phishing: Spearphishing via Service |
Enterprise | T1057 | Process Discovery |
Enterprise | T1572 | Protocol Tunneling | OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[5][9][10]
Enterprise | T1012 | Query Registry | OilRig has used
Enterprise | T1021.004 | Remote Services: SSH |
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[5][9]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[12][7][10]
Enterprise | T1113 | Screen Capture | OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop.[9]
Enterprise | T1505.003 | Server Software Component: Web Shell | OilRig has used Web shells, often to maintain access to a victim network.[5][9]
Enterprise | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[3]
Enterprise | T1082 | System Information Discovery | OilRig has run
Enterprise | T1016 | System Network Configuration Discovery |
Enterprise | T1049 | System Network Connections Discovery | OilRig has used
Enterprise | T1033 | System Owner/User Discovery |
Enterprise | T1007 | System Service Discovery | OilRig has used
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][9][15][10]
Enterprise | T1204.002 | User Execution: Malicious File | OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[12][7][8]
Enterprise | T1204.001 | User Execution: Malicious Link | OilRig has delivered malicious links to achieve execution on the target system.[12][7][8]
Enterprise | T1078 | Valid Accounts | OilRig has used compromised credentials to access other systems on a victim network.[5][9]
Enterprise | T1047 | Windows Management Instrumentation |
Software
References
1. Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
3. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
4. Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
5. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
6. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
7. Lee, B. and Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
8. Meyers, A. (2018, November 27). Meet CrowdStrike's Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
9. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
10. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34's Invite to Join Their Professional Network. Retrieved August 26, 2019.
11. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
12. Lee, B. and Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
13. Falcone, R. and Wilhoit, K. (2018, November 16). Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
14. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
15. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
16. McWhirt, M., Carr, N. and Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
17. Singh, S. and Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018.
18. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
19. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
20. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.