OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
ID: G0049
Associated Groups: Evasive Serpens, APT34, IRN2, Hazel Sandstorm, EUROPIUM, TA452, ITG13, COBALT GYPSY, Crambus, Earth Simnavaz, Helix Kitten
Version: 5.0
Created: 14 Dec 2017
Last Modified: 16 Jan 2025

Associated Group Descriptions

Name Description
Evasive Serpens (Citation: Unit42 OilRig Playbook 2023)
APT34 This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)
IRN2 (Citation: Crowdstrike Helix Kitten Nov 2018)
Hazel Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
EUROPIUM (Citation: Microsoft Threat Actor Naming July 2023)
TA452 (Citation: Proofpoint Iranian Aligned Attacks JAN 2020)
ITG13 (Citation: IBM ZeroCleare Wiper December 2019)
COBALT GYPSY (Citation: Secureworks COBALT GYPSY Threat Profile)
Crambus (Citation: Symantec Crambus OCT 2023)
Earth Simnavaz (Citation: Trend Micro Earth Simnavaz October 2024)
Helix Kitten (Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)

.002 Account Discovery: Domain Account

OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)

Enterprise T1583 .001 Acquire Infrastructure: Domains

OilRig has set up fake VPN portals, conference sign ups, and job application websites to target victims.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OilRig has used HTTP for C2.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)

.004 Application Layer Protocol: DNS

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)
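The DNS-based C2 and requestbin.net tunneling described above leave traces in resolver logs that a SOC can hunt for. The Python below is an added example written for this page, not code from MITRE ATT&CK or from any report cited here; the log line format, the hostnames in the constructed sample, and the numeric thresholds are assumptions to be tuned against a local baseline. It flags queries to the named public service, unusually long or high-entropy subdomain labels, TXT queries that carry data in the subdomain, and a single client querying many distinct subdomains of one domain in the same window.

```python
import math
from collections import defaultdict

# Constructed resolver log sample for this example (hypothetical format:
# "<timestamp> <client_ip> <qtype> <qname>"). None of these names come from a report.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.15 A www.example.com
2024-01-10T09:00:02Z 10.0.0.15 A 7a1f03c9e2b44d8f.requestbin.net
2024-01-10T09:00:03Z 10.0.0.15 TXT 4d2f9c1ab37e5f08a9c6d1e2b3f4a5c6.updates.example.org
2024-01-10T09:00:04Z 10.0.0.15 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.updates.example.org
2024-01-10T09:00:05Z 10.0.0.15 TXT 1f2e3d4c5b6a79887a6b5c4d3e2f1a0b.updates.example.org
2024-01-10T09:00:06Z 10.0.0.22 A mail.example.com
2024-01-10T09:00:07Z 10.0.0.22 AAAA login.example.com
"""

# Public request-capture / tunnelling services to alert on outright.
# requestbin.net is named on this page; anything else added here is a local choice.
WATCHLIST_DOMAINS = {"requestbin.net"}

# Thresholds are assumptions to tune against your own baseline, not published values.
LONG_LABEL = 30          # label length at which a subdomain looks like encoded payload
HIGH_ENTROPY = 3.5       # bits/char; hex or base32 payload sits well above normal hostnames
MANY_SUBDOMAINS = 3      # distinct subdomains per client+domain in the window

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the sample; production code
    should consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}

def score_query(rec: dict) -> list:
    """Per-query indicators of DNS-based C2 or exfiltration."""
    reasons = []
    qname, rdom = rec["qname"], registered_domain(rec["qname"])
    sub = qname[: -len(rdom) - 1] if qname != rdom else ""
    if rdom in WATCHLIST_DOMAINS:
        reasons.append("watchlist domain")
    if sub:
        longest = max(len(label) for label in sub.split("."))
        if longest >= LONG_LABEL:
            reasons.append(f"long label ({longest})")
        ent = shannon_entropy(sub.replace(".", ""))
        if ent >= HIGH_ENTROPY:
            reasons.append(f"high entropy ({ent:.2f})")
        if rec["qtype"] == "TXT":
            reasons.append("TXT query carrying subdomain data")
    return reasons

def analyze_log(text: str) -> dict:
    """Return {qname: [reasons]} for every query that tripped at least one check,
    adding a volume reason when one client hits many distinct subdomains of a domain."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    alerts = {}
    subs_seen = defaultdict(set)
    for rec in records:
        rdom = registered_domain(rec["qname"])
        if rec["qname"] != rdom:
            subs_seen[(rec["client"], rdom)].add(rec["qname"])
        reasons = score_query(rec)
        if reasons:
            alerts[rec["qname"]] = reasons
    for (client, rdom), names in subs_seen.items():
        if len(names) >= MANY_SUBDOMAINS:
            for name in names:
                alerts.setdefault(name, []).append(
                    f"{len(names)} distinct subdomains of {rdom} from {client}")
    return alerts

if __name__ == "__main__":
    for name, why in sorted(analyze_log(SAMPLE_LOG).items()):
        print(f"{name}: {'; '.join(why)}")
```

The per-query checks catch the obvious encoded-payload shape; the per-client volume check is what separates tunnelling from a legitimate CDN hostname that happens to look random once. Both are meant to feed a hunting query, not to block resolution on their own.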

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Trend Micro Earth Simnavaz October 2024)

.003 Command and Scripting Interpreter: Windows Command Shell

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) OilRig has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)

.005 Command and Scripting Interpreter: Visual Basic

OilRig has used VBScript macros for execution on compromised hosts.(Citation: Check Point APT34 April 2021)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

OilRig has compromised email accounts to send phishing emails.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

OilRig has used a compromised Domain Controller to create a service on a remote host.(Citation: Symantec Crambus OCT 2023)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers.(Citation: FireEye APT34 July 2019)

.004 Credentials from Password Stores: Windows Credential Manager

OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.(Citation: FireEye APT34 July 2019)

Enterprise T1587 .001 Develop Capabilities: Malware

OilRig actively developed and used a series of downloaders during 2022.(Citation: ESET OilRig Downloaders DEC 2023)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.(Citation: FireEye APT34 Webinar Dec 2017)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.(Citation: Palo Alto OilRig Oct 2016)(Citation: Trend Micro Earth Simnavaz October 2024)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

OilRig has modified Windows firewall rules to enable remote access.(Citation: Symantec Crambus OCT 2023)

Enterprise T1070 .004 Indicator Removal: File Deletion

OilRig has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 OopsIE! Feb 2018)

Enterprise T1056 .001 Input Capture: Keylogging

OilRig has employed keyloggers including KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)(Citation: Symantec Crambus OCT 2023)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.(Citation: Symantec Crambus OCT 2023)

Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

OilRig has registered a password filter DLL in order to drop malware.(Citation: Trend Micro Earth Simnavaz October 2024)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

.004 OS Credential Dumping: LSA Secrets

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

.005 OS Credential Dumping: Cached Domain Credentials

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.(Citation: Palo Alto OilRig April 2017)(Citation: Unit42 OilRig Nov 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

OilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Playbook 2023)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

OilRig has made use of publicly available tools including Plink and Mimikatz.(Citation: Symantec Crambus OCT 2023)(Citation: Trend Micro Earth Simnavaz October 2024)

.003 Obtain Capabilities: Code Signing Certificates

OilRig has obtained stolen code signing certificates to digitally sign malware.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1137 .004 Office Application Startup: Outlook Home Page

OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.(Citation: FireEye Outlook Dec 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OilRig has used net localgroup administrators to find local administrators on compromised systems.(Citation: Palo Alto OilRig May 2016)(Citation: Symantec Crambus OCT 2023)

.002 Permission Groups Discovery: Domain Groups

OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings.(Citation: Palo Alto OilRig May 2016)
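The net commands listed under Account Discovery (T1087) and Permission Groups Discovery (T1069) above show up as process-creation events, which is where a SOC can match on them. The Python below is an added example for this page, not code from MITRE ATT&CK or from any cited report; the pipe-delimited event format, the hosts, users and times in the constructed sample, and the ten-minute / three-command alert threshold are assumptions. It normalizes command lines (case, straight and curly quoting as shown on this page, the net1 alias and full image paths), maps each to the sub-technique IDs used on this page, and raises one alert when a single user on a single host runs several discovery commands in a short window, so that a lone `net user` from an administrator does not page anyone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical pipe-delimited export:
# time|host|user|command line). Hosts, users and times are made up for this example.
SAMPLE_EVENTS = r"""
2024-01-10T09:00:01|WS-017|CORP\jdoe|net  user /domain
2024-01-10T09:00:09|WS-017|CORP\jdoe|net1 group "domain admins" /domain
2024-01-10T09:00:15|WS-017|CORP\jdoe|NET GROUP “Exchange Trusted Subsystem” /DOMAIN
2024-01-10T09:00:40|WS-017|CORP\jdoe|C:\Windows\System32\net.exe localgroup administrators
2024-01-10T11:30:00|SRV-02|CORP\svc_backup|net use \\fileserver\backup /persistent:no
2024-01-10T14:05:00|WS-021|CORP\asmith|net user /domain
2024-01-10T14:05:02|WS-021|CORP\asmith|ipconfig /all
"""

# Normalized command line -> sub-technique ID, following the mapping used on this page.
RULES = [
    (re.compile(r"^net user /domain$"), "T1087.002"),               # domain account listing
    (re.compile(r"^net user$"), "T1087.001"),                       # local account listing
    (re.compile(r"^net group /domain$"), "T1069.002"),              # all domain groups
    (re.compile(r"^net group .+ /domain$"), "T1069.002"),           # members of a named group
    (re.compile(r"^net localgroup administrators$"), "T1069.001"),  # local administrators
]

def normalize(cmdline: str) -> str:
    """Canonical form so trivial variations do not slip past the rules."""
    s = cmdline.strip().lower()
    s = re.sub(r"[\"'“”]", "", s)                         # straight and curly quotes
    s = re.sub(r"\s+", " ", s)                            # runs of whitespace
    s = re.sub(r"^(?:.*\\)?net1?(?:\.exe)? ", "net ", s)  # full path, net1 alias, .exe suffix
    return s

def classify(cmdline: str):
    """Return the sub-technique ID for a discovery command, or None."""
    s = normalize(cmdline)
    for pattern, technique in RULES:
        if pattern.match(s):
            return technique
    return None

def detect(text: str, window: timedelta = timedelta(minutes=10), threshold: int = 3) -> list:
    """One alert per host+user that ran `threshold` or more discovery commands inside `window`.
    Isolated hits are deliberately not alerted, to cut noise from routine admin work."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        technique = classify(cmd)
        if technique:
            hits[(host, user)].append((datetime.fromisoformat(ts), normalize(cmd), technique))

    alerts = []
    for (host, user), events in hits.items():
        events.sort(key=lambda e: e[0])
        flagged, i = set(), 0
        for j, (t_j, _, _) in enumerate(events):
            while t_j - events[i][0] > window:      # slide the window start forward
                i += 1
            if j - i + 1 >= threshold:
                flagged.update(range(i, j + 1))
        if flagged:
            cluster = [events[k] for k in sorted(flagged)]
            alerts.append({
                "host": host,
                "user": user,
                "start": cluster[0][0].isoformat(),
                "end": cluster[-1][0].isoformat(),
                "techniques": sorted({e[2] for e in cluster}),
                "commands": [e[1] for e in cluster],
            })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['start']}..{a['end']} {a['techniques']}")
        for c in a["commands"]:
            print("   ", c)
```

The normalization step matters more than the rule list: the same enumeration can be typed as `net1`, with a full path, with extra spaces or with different quote characters, and all of those must collapse to one string before matching. The window logic is a plain sliding window over sorted timestamps per host and user, which is cheap enough to run over a day of process events.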

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: ClearSky OilRig Jan 2017)

.002 Phishing: Spearphishing Link

OilRig has sent spearphishing emails with malicious links to potential victims.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: ClearSky OilRig Jan 2017)

.003 Phishing: Spearphishing via Service

OilRig has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Symantec Crambus OCT 2023)

.004 Remote Services: SSH

OilRig has used Putty to access compromised systems.(Citation: Unit42 OilRig Playbook 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

OilRig has used web shells, often to maintain access to a victim network.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Trend Micro Earth Simnavaz October 2024)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

OilRig has hosted malware on fake websites designed to target specific audiences.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

OilRig has signed its malware with stolen certificates.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.(Citation: Palo Alto OilRig May 2016)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

Enterprise T1204 .001 User Execution: Malicious Link

OilRig has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: ClearSky OilRig Jan 2017)

.002 User Execution: Malicious File

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Check Point APT34 April 2021)(Citation: ClearSky OilRig Jan 2017)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

OilRig has used an exfiltration tool named STEALHOOK to retrieve valid domain credentials.(Citation: Trend Micro Earth Simnavaz October 2024)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021)

Software

ID Name References Techniques
S0039 Net (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Net Utility) (Citation: Palo Alto OilRig May 2016) (Citation: Savill 1999) (Citation: Symantec Crambus OCT 2023) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0185 SEASHARPEE (Citation: FireEye APT34 Webinar Dec 2017) Timestomp, Web Shell, Windows Command Shell, Ingress Tool Transfer
S0184 POWRUNER (Citation: FireEye APT34 Dec 2017) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Standard Encoding, DNS, Domain Account, Domain Groups, System Information Discovery, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, Process Discovery, PowerShell, Local Groups, Query Registry, Security Software Discovery, Windows Command Shell, Web Protocols, Ingress Tool Transfer
S0160 certutil (Citation: FireEye APT34 Dec 2017) (Citation: Symantec Crambus OCT 2023) (Citation: TechNet Certutil) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0100 ipconfig (Citation: Palo Alto OilRig May 2016) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S1173 PowerExchange (Citation: Symantec Crambus OCT 2023) Deobfuscate/Decode Files or Information, Mail Protocols, Exfiltration Over C2 Channel, PowerShell, Ingress Tool Transfer
S0057 Tasklist (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Tasklist) (Citation: Palo Alto OilRig May 2016) System Service Discovery, Process Discovery, Security Software Discovery
S0508 ngrok (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Trend Micro Earth Simnavaz October 2024) (Citation: Zdnet Ngrok September 2018) Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S1170 ODAgent (Citation: ESET OilRig Downloaders DEC 2023) Native API, Deobfuscate/Decode Files or Information, File and Directory Discovery, Exfiltration Over C2 Channel, Bidirectional Communication, Exfiltration to Cloud Storage, Windows Command Shell, File Deletion, Ingress Tool Transfer
S0104 netstat (Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Symantec Crambus OCT 2023) (Citation: TechNet Netstat) System Network Connections Discovery
S0495 RDAT (Citation: Unit42 RDAT July 2020) Screen Capture, Standard Encoding, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, Deobfuscate/Decode Files or Information, Mail Protocols, Masquerade Task or Service, Exfiltration Over C2 Channel, Data Obfuscation, Steganography, Data Transfer Size Limits, Windows Command Shell, Non-Standard Encoding, File Deletion, Web Protocols, Ingress Tool Transfer, Steganography, Fallback Channels
S0189 ISMInjector (Citation: OilRig New Delivery Oct 2017) Scheduled Task, Deobfuscate/Decode Files or Information, Process Hollowing, Obfuscated Files or Information
S0269 QUADAGENT (Citation: Unit 42 QUADAGENT July 2018) Scheduled Task, Fileless Storage, System Owner/User Discovery, Standard Encoding, DNS, Match Legitimate Resource Name or Location, Deobfuscate/Decode Files or Information, Modify Registry, System Network Configuration Discovery, PowerShell, Query Registry, Windows Command Shell, Command Obfuscation, File Deletion, Web Protocols, Visual Basic, Fallback Channels
S0096 Systeminfo (Citation: FireEye APT34 Dec 2017) (Citation: TechNet Systeminfo) System Information Discovery
S1151 ZeroCleare (Citation: CISA Iran Albanian Attacks September 2022) (Citation: IBM ZeroCleare Wiper December 2019) (Citation: Mandiant ROADSWEEP August 2022) (Citation: Microsoft Albanian Government Attacks September 2022) (Citation: ZEROCLEAR) Disk Structure Wipe, Code Signing, System Information Discovery, Native API, Command and Scripting Interpreter, PowerShell, Exploitation for Privilege Escalation, File Deletion
S0264 OopsIE (Citation: Unit 42 OilRig Sept 2018) (Citation: Unit 42 OopsIE! Feb 2018) Scheduled Task, Archive via Utility, Windows Management Instrumentation, Standard Encoding, Archive via Custom Method, Local Data Staging, System Checks, System Information Discovery, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Obfuscated Files or Information, Data Transfer Size Limits, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer, System Time Discovery
S1171 OilCheck (Citation: ESET OilRig Downloaders DEC 2023) Exfiltration Over Web Service, Bidirectional Communication, Ingress Tool Transfer
S1168 SampleCheck5000 (Citation: ESET OilRig Campaigns Sep 2023) (Citation: ESET OilRig Downloaders DEC 2023) (Citation: SC5k) Archive via Utility, Local Data Staging, System Information Discovery, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, Bidirectional Communication, Windows Command Shell, Web Protocols, Ingress Tool Transfer
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: FireEye APT35 2018) (Citation: Symantec Crambus OCT 2023) (Citation: Unit42 OilRig Playbook 2023) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S1172 OilBooster (Citation: ESET OilRig Downloaders DEC 2023) System Owner/User Discovery, Local Data Staging, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Inter-Process Communication, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Hidden Window, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Fallback Channels
S0349 LaZagne (Citation: FireEye APT35 2018) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager
S1166 Solar (Citation: ESET OilRig Campaigns Sep 2023) Scheduled Task, Standard Encoding, Symmetric Cryptography, System Information Discovery, Automated Exfiltration, Exfiltration Over C2 Channel, File Deletion, Ingress Tool Transfer
S0258 RGDoor (Citation: Unit 42 RGDoor Jan 2018) System Owner/User Discovery, Archive via Custom Method, Deobfuscate/Decode Files or Information, IIS Components, Windows Command Shell, Web Protocols, Ingress Tool Transfer
S1169 Mango (Citation: ESET OilRig Campaigns Sep 2023) Scheduled Task, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Malicious File, Symmetric Cryptography, System Information Discovery, Native API, File and Directory Discovery, Exfiltration Over C2 Channel, Disable or Modify Tools, Asymmetric Cryptography, Web Protocols
S0075 Reg (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Reg) (Citation: Palo Alto OilRig May 2016) (Citation: Windows Commands JPCERT) Credentials in Registry, Modify Registry, Query Registry
S0095 ftp (Citation: Linux FTP) (Citation: Microsoft FTP) (Citation: Palo Alto OilRig Oct 2016) Lateral Tool Transfer, Ingress Tool Transfer, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0360 BONDUPDATER (Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig Sep 2018) Scheduled Task, Domain Generation Algorithms, DNS, PowerShell, Hidden Window, Windows Command Shell, Ingress Tool Transfer
S0610 SideTwist (Citation: Check Point APT34 April 2021) System Owner/User Discovery, Standard Encoding, Symmetric Cryptography, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, File and Directory Discovery, Exfiltration Over C2 Channel, Data Obfuscation, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Fallback Channels
S0170 Helminth (Citation: Crowdstrike Helix Kitten Nov 2018) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Palo Alto OilRig May 2016) Scheduled Task, Standard Encoding, Keylogging, Encrypted/Encoded File, DNS, Local Data Staging, Symmetric Cryptography, Domain Groups, Automated Collection, Clipboard Data, Code Signing, Shortcut Modification, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Local Groups, Data Transfer Size Limits, Windows Command Shell, Web Protocols, Visual Basic, Ingress Tool Transfer
S0029 PsExec (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  2. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  3. Falcone, R., Wilhoit, K. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  4. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  5. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  6. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  7. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  8. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  9. Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.
  10. Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  11. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  12. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  13. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  14. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  15. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  16. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  17. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  18. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  19. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
  20. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  21. Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  22. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
  23. Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved November 17, 2024.
  24. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  25. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  26. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  27. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
