OilRig
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| IRN2 | (Citation: Crowdstrike Helix Kitten Nov 2018) |
| COBALT GYPSY | (Citation: Secureworks COBALT GYPSY Threat Profile) |
| Helix Kitten | (Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018) |
| APT34 | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
OilRig has run |
| .002 | Account Discovery: Domain Account |
OilRig has run |
||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
OilRig has used HTTP for C2.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019) |
| .004 | Application Layer Protocol: DNS |
OilRig has used DNS for C2 including the publicly available |
||
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Crowdstrike Helix Kitten Nov 2018) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) OilRig has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
OilRig has used VBSscipt macros for execution on compromised hosts.(Citation: Check Point APT34 April 2021) |
||
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.(Citation: FireEye APT34 July 2019) |
| .004 | Credentials from Password Stores: Windows Credential Manager |
OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.(Citation: FireEye APT34 July 2019) |
||
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
OilRig used the Plink utility and other tools to create tunnels to C2 servers.(Citation: FireEye APT34 Webinar Dec 2017) |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.(Citation: Palo Alto OilRig Oct 2016) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
OilRig has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 OopsIE! Feb 2018) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019) |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) |
| .004 | OS Credential Dumping: LSA Secrets |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) |
||
| .005 | OS Credential Dumping: Cached Domain Credentials |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) |
||
| Enterprise | T1027 | .005 | Obfuscated Files or Information: Indicator Removal from Tools |
OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.(Citation: Palo Alto OilRig April 2017)(Citation: Unit42 OilRig Nov 2018) |
| Enterprise | T1137 | .004 | Office Application Startup: Outlook Home Page |
OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.(Citation: FireEye Outlook Dec 2019) |
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
OilRig has used |
| .002 | Permission Groups Discovery: Domain Groups |
OilRig has used |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018) |
| .002 | Phishing: Spearphishing Link |
OilRig has sent spearphising emails with malicious links to potential victims.(Citation: Unit 42 OopsIE! Feb 2018) |
||
| .003 | Phishing: Spearphishing via Service |
OilRig has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019) |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020) |
| .004 | Remote Services: SSH |
OilRig has used Putty to access compromised systems.(Citation: Unit 42 Playbook Dec 2017) |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
OilRig has used web shells, often to maintain access to a victim network.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020) |
| Enterprise | T1218 | .001 | System Binary Proxy Execution: Compiled HTML File |
OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.(Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
OilRig has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018) |
| .002 | User Execution: Malicious File |
OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Check Point APT34 April 2021) |
||
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
OilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021) |
References
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
- Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
- Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
- ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
- Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
- Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.