Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
ID: G0049
Associated Groups: IRN2, ITG13, Hazel Sandstorm, EUROPIUM, COBALT GYPSY, Helix Kitten, Evasive Serpens, APT34
Version: 4.1
Created: 14 Dec 2017
Last Modified: 04 Sep 2024

Associated Group Descriptions

Name Description
IRN2 (Citation: Crowdstrike Helix Kitten Nov 2018)
ITG13 (Citation: IBM ZeroCleare Wiper December 2019)
Hazel Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
EUROPIUM (Citation: Microsoft Threat Actor Naming July 2023)
COBALT GYPSY (Citation: Secureworks COBALT GYPSY Threat Profile)
Helix Kitten (Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)
Evasive Serpens (Citation: Unit42 OilRig Playbook 2023)
APT34 This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)

.002 Account Discovery: Domain Account

OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.(Citation: Palo Alto OilRig May 2016)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OilRig has used HTTP for C2.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)

.004 Application Layer Protocol: DNS

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Crowdstrike Helix Kitten Nov 2018)

.003 Command and Scripting Interpreter: Windows Command Shell

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) OilRig has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)

.005 Command and Scripting Interpreter: Visual Basic

OilRig has used VBScript macros for execution on compromised hosts.(Citation: Check Point APT34 April 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.(Citation: FireEye APT34 July 2019)

.004 Credentials from Password Stores: Windows Credential Manager

OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.(Citation: FireEye APT34 July 2019)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

OilRig used the Plink utility and other tools to create tunnels to C2 servers.(Citation: FireEye APT34 Webinar Dec 2017)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.(Citation: Palo Alto OilRig Oct 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

OilRig has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 OopsIE! Feb 2018)

Enterprise T1056 .001 Input Capture: Keylogging

OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

.004 OS Credential Dumping: LSA Secrets

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

.005 OS Credential Dumping: Cached Domain Credentials

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.(Citation: Palo Alto OilRig April 2017)(Citation: Unit42 OilRig Nov 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

OilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Playbook 2023)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)

Enterprise T1137 .004 Office Application Startup: Outlook Home Page

OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.(Citation: FireEye Outlook Dec 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OilRig has used net localgroup administrators to find local administrators on compromised systems.(Citation: Palo Alto OilRig May 2016)

.002 Permission Groups Discovery: Domain Groups

OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings.(Citation: Palo Alto OilRig May 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)

.002 Phishing: Spearphishing Link

OilRig has sent spearphising emails with malicious links to potential victims.(Citation: Unit 42 OopsIE! Feb 2018)

.003 Phishing: Spearphishing via Service

OilRig has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)

.004 Remote Services: SSH

OilRig has used Putty to access compromised systems.(Citation: Unit42 OilRig Playbook 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

OilRig has used web shells, often to maintain access to a victim network.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.(Citation: Palo Alto OilRig May 2016)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)

Enterprise T1204 .001 User Execution: Malicious Link

OilRig has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)

.002 User Execution: Malicious File

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Check Point APT34 April 2021)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021)

Software

ID Name References Techniques
S0039 Net (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Net Utility) (Citation: Palo Alto OilRig May 2016) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0185 SEASHARPEE (Citation: FireEye APT34 Webinar Dec 2017) Ingress Tool Transfer, Timestomp, Windows Command Shell, Web Shell
S0184 POWRUNER (Citation: FireEye APT34 Dec 2017) System Network Configuration Discovery, Web Protocols, Windows Management Instrumentation, Process Discovery, DNS, System Owner/User Discovery, Security Software Discovery, Domain Groups, Local Groups, Domain Account, File and Directory Discovery, System Information Discovery, Windows Command Shell, PowerShell, Standard Encoding, Ingress Tool Transfer, Query Registry, System Network Connections Discovery, Scheduled Task, Screen Capture
S0160 certutil (Citation: FireEye APT34 Dec 2017) (Citation: TechNet Certutil) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0100 ipconfig (Citation: Palo Alto OilRig May 2016) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0057 Tasklist (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Tasklist) (Citation: Palo Alto OilRig May 2016) Process Discovery, System Service Discovery, Security Software Discovery
S0104 netstat (Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig May 2016) (Citation: TechNet Netstat) System Network Connections Discovery
S0495 RDAT (Citation: Unit42 RDAT July 2020) Web Protocols, Steganography, Masquerade Task or Service, Windows Command Shell, DNS, Match Legitimate Name or Location, Screen Capture, Standard Encoding, Non-Standard Encoding, Windows Service, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Mail Protocols, Steganography, Data Transfer Size Limits, Ingress Tool Transfer, File Deletion, Exfiltration Over C2 Channel, Fallback Channels, Data Obfuscation
S0189 ISMInjector (Citation: OilRig New Delivery Oct 2017) Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Hollowing, Scheduled Task
S0269 QUADAGENT (Citation: Unit 42 QUADAGENT July 2018) DNS, Web Protocols, Deobfuscate/Decode Files or Information, Standard Encoding, Visual Basic, System Network Configuration Discovery, Command Obfuscation, Windows Command Shell, Match Legitimate Name or Location, Fileless Storage, File Deletion, Query Registry, PowerShell, Fallback Channels, Modify Registry, System Owner/User Discovery, Scheduled Task
S0096 Systeminfo (Citation: FireEye APT34 Dec 2017) (Citation: TechNet Systeminfo) System Information Discovery
S1151 ZeroCleare (Citation: CISA Iran Albanian Attacks September 2022) (Citation: IBM ZeroCleare Wiper December 2019) (Citation: Mandiant ROADSWEEP August 2022) (Citation: Microsoft Albanian Government Attacks September 2022) (Citation: ZEROCLEAR) System Information Discovery, Exploitation for Privilege Escalation, Code Signing, Command and Scripting Interpreter, Native API, File Deletion, PowerShell, Disk Structure Wipe
S0264 OopsIE (Citation: Unit 42 OilRig Sept 2018) (Citation: Unit 42 OopsIE! Feb 2018) Local Data Staging, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, File Deletion, Windows Management Instrumentation, Standard Encoding, System Information Discovery, System Checks, Web Protocols, Windows Command Shell, Archive via Custom Method, Ingress Tool Transfer, Visual Basic, Archive via Utility, Scheduled Task, Software Packing, System Time Discovery, Obfuscated Files or Information, Exfiltration Over C2 Channel
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: FireEye APT35 2018) (Citation: Unit42 OilRig Playbook 2023) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0349 LaZagne (Citation: FireEye APT35 2018) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0258 RGDoor (Citation: Unit 42 RGDoor Jan 2018) IIS Components, Windows Command Shell, Archive via Custom Method, Web Protocols, System Owner/User Discovery, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0075 Reg (Citation: FireEye APT34 Dec 2017) (Citation: Microsoft Reg) (Citation: Palo Alto OilRig May 2016) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0095 ftp (Citation: Linux FTP) (Citation: Microsoft FTP) (Citation: Palo Alto OilRig Oct 2016) Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0360 BONDUPDATER (Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig Sep 2018) Windows Command Shell, Hidden Window, DNS, Scheduled Task, Domain Generation Algorithms, Ingress Tool Transfer, PowerShell
S0610 SideTwist (Citation: Check Point APT34 April 2021) Native API, Standard Encoding, System Owner/User Discovery, Symmetric Cryptography, File and Directory Discovery, Windows Command Shell, Ingress Tool Transfer, Web Protocols, System Network Configuration Discovery, Deobfuscate/Decode Files or Information, Data from Local System, Fallback Channels, Exfiltration Over C2 Channel, System Information Discovery, Data Obfuscation
S0170 Helminth (Citation: Crowdstrike Helix Kitten Nov 2018) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Palo Alto OilRig May 2016) Scheduled Task, Code Signing, Encrypted/Encoded File, Registry Run Keys / Startup Folder, Symmetric Cryptography, Shortcut Modification, DNS, Web Protocols, PowerShell, Process Discovery, Visual Basic, Keylogging, Ingress Tool Transfer, Local Data Staging, Clipboard Data, Windows Command Shell, Local Groups, Domain Groups, Automated Collection, Standard Encoding, Data Transfer Size Limits
S0029 PsExec (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  2. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  3. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  4. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  5. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  6. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  7. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  8. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  9. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  10. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  11. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  12. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  13. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  14. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  15. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  16. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  17. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
  18. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  19. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  20. Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018.
  21. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  22. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  23. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  24. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  25. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  26. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.