OilRig  (Back to overview)

aka: Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten, APT 34, APT34, IRN2

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve: -Organized evasion testing used the during development of their tools. -Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration. -Custom web-shells and backdoors used to persistently access servers. OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.


Associated Families
apk.spynote asp.twoface ps1.bondupdater ps1.oilrig ps1.powruner ps1.quadagent win.alma_communicator win.google_drive_rat win.helminth win.ismagent win.longwatch win.nautilus win.neuron win.oopsie win.pickpocket win.tonedeaf win.valuevault win.jason

References
http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability
1 http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
1 http://www.clearskysec.com/ismagent/
http://www.clearskysec.com/oilrig/
https://attack.mitre.org/groups/G0049/
1 https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf
1 https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
2 https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr
1 https://ironnet.com/blog/chirp-of-the-poisonfrog/
1 https://marcoramilli.com/2019/05/02/apt34-glimpse-project/
1 https://marcoramilli.com/2019/06/06/apt34-jason-project/
1 https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf
https://pan-unit42.github.io/playbook_viewer/
https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json
1 https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
1 https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/
1 https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
1 https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/
1 https://twitter.com/MJDutch/status/1074820959784321026?s=19
1 https://twitter.com/P3pperP0tts/status/1135503765287657472
1 https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/
5 https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/
https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/
https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
1 https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/
https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/
1 https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/
2 https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2
https://www.cfr.org/interactive/cyber-operations/oilrig
https://www.clearskysec.com/oilrig/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
1 https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
4 https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a
2 https://www.ncsc.gov.uk/alerts/turla-group-malware
2 https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
1 https://www.netscout.com/blog/asert/tunneling-under-sands
1 https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf
https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail
https://www.symantec.com/connect/blogs/shamoon-attacks
https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever
1 https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html
1 https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI
1 https://www.youtube.com/watch?v=GjquFKa4afU
2 https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/

Credits: MISP Project