OilRig Hackers Target Middle East: Individuals & Organizations Under Siege

OilRig, an Iranian cyber espionage group active since 2015, targets individuals and organizations in the Middle East for intelligence gathering. It uses spear-phishing and network infiltration techniques to breach critical infrastructure, government agencies, and the telecommunications sector.

It is a highly active cyber espionage group (also tracked as APT34, ATK40, and other names) that has targeted numerous countries across the globe for over a decade; its reach spans government, finance, energy, telecom, and various other sectors.

Cyble Vision Threat Library  

They employ a diverse arsenal of attack tools and techniques, allowing them to tailor each intrusion to a specific target, which makes OilRig a significant threat to national security and critical infrastructure.

The group, a suspected affiliate of Greenbug, uses targeted spear-phishing emails or compromised public-facing applications to deliver malware, which gives it persistent access to the system and allows it to steal sensitive data.

Decoy Document related to Marketing Services

The group uses spear-phishing emails with lures tailored to the target's industry, such as marketing documents, and also relies on social engineering, for example impersonating trusted institutions on platforms like LinkedIn, to trick victims into downloading malware-laden attachments.

To establish persistence on compromised systems, OilRig uses a combination of techniques such as deploying malicious loaders, VBScripts, and scheduled tasks. In some cases, it exploits vulnerabilities in public-facing applications to drop shellcode that maintains persistence.

LinkedIn Message Asking to Download File

Tools used by OilRig 

OilRig uses a vast arsenal of Remote Access Tools (RATs) to infiltrate target systems, alongside credential stealers, keyloggers, and network reconnaissance tools, allowing it to steal data, maintain persistence, and move laterally within a network.

By analyzing the IP addresses and domains used in these attacks, researchers can link ongoing campaigns to OilRig, enabling them to track the group's activity and develop preventive measures.

OilRig Tools

The ALMA Communicator Trojan, a backdoor, uses DNS tunneling to receive commands and exfiltrate data, while BONDUPDATER, a PowerShell Trojan, is another tool used to gain unauthorized access.

The group uses DNSExfiltrator, a tool that lets it carry covert communication over DNS over HTTPS (DoH), and similarly DNSpionage uses DNS tunneling to mask malicious traffic.

Dustman, a data wiper linked to the ZeroCleare malware, can completely erase victim data. Helminth, a backdoor with VBScript and PowerShell variants, can be delivered through macros or as a standalone executable, granting remote access to the attackers.

ISMAgent is a backdoor that uses DNS tunneling, similar to ISMDoor, which is linked to Greenbug; ISMInjector is the OilRig component used to deploy ISMAgent. Karkoff is .NET malware.

MediaPl is a backdoor that disguises itself as Windows Media Player, Mimikatz is a credential stealer that targets Windows systems, and LaZagne is an open-source tool for retrieving stored passwords.

According to Cyble, the group has also been known to leverage compromised Exchange servers and HTTPSnoop implants for stealthy command-and-control traffic, and to use protocol tunneling to further hide its malicious communications within legitimate network activity.
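Several of the tools above (ALMA Communicator, DNSpionage, ISMAgent, DNSExfiltrator) rely on DNS tunneling, so a defender's first question is how to spot it in resolver logs. The heuristic detector below is an added illustration, not code from the article or from Cyble; it scores queries on name length, subdomain entropy and record type, then flags registered domains that attract several distinct suspicious names. The log lines and the `hypothetical-c2.test` domain are constructed. Note the caveat the article implies: traffic carried over DoH never reaches a plain resolver log, so this logic must run where DoH is terminated or the queries are otherwise visible.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines: "<client> <qtype> <qname>".
# The hex-encoded subdomains imitate chunked data; the domain is a placeholder.
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A cdn.example.com
10.0.0.12 A mail.example.com
10.0.0.25 TXT 7a6b3c9d2e1f0a4b5c6d.upd.hypothetical-c2.test
10.0.0.25 TXT 9f8e7d6c5b4a3f2e1d0c.upd.hypothetical-c2.test
10.0.0.25 TXT 1b2c3d4e5f6a7b8c9d0e.upd.hypothetical-c2.test
10.0.0.25 TXT 4d5e6f7a8b9c0d1e2f3a.upd.hypothetical-c2.test
10.0.0.25 A login.microsoftonline.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payload chunks score well above normal hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Naive: last two labels. Production code should use the Public Suffix List.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_line(line):
    parts = line.split()
    if len(parts) != 3:
        return None
    return {"client": parts[0], "qtype": parts[1].upper(), "qname": parts[2].lower()}

def score_query(q):
    """0-3: long name, high-entropy subdomain, record type that carries bulk data."""
    labels = q["qname"].rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    score = 0
    if len(q["qname"]) > 40:
        score += 1
    if shannon_entropy(subdomain) > 3.5:
        score += 1
    if q["qtype"] in ("TXT", "NULL", "CNAME"):
        score += 1
    return score

def detect_tunneling(log_text, min_unique=3):
    """Map registered domain -> number of distinct suspicious names (>= min_unique)."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is not None and score_query(q) >= 2:
            per_domain[registered_domain(q["qname"])].add(q["qname"])
    return {d: len(names) for d, names in per_domain.items() if len(names) >= min_unique}
```

Counting distinct names per parent domain, rather than alerting on single queries, is what keeps ordinary long CDN hostnames from tripping the rule.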

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
