SYMBOLCOMMON_NAMEaka. SYNONYMS

OilRig  (Back to overview)

aka: Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten, APT 34, APT34, IRN2

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve: -Organized evasion testing used the during development of their tools. -Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration. -Custom web-shells and backdoors used to persistently access servers. OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.


Associated Families
apk.spynote ps1.oilrig ps1.powruner ps1.quadagent win.google_drive_rat win.oopsie ps1.bondupdater asp.twoface win.jason win.neuron win.zerocleare win.valuevault win.tonedeaf win.helminth win.ismagent win.longwatch win.pickpocket win.alma_communicator win.nautilus

References
2020-05-19SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200519:sophisticated:023b1bd, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia}}, date = {2020-05-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia}, language = {English}, urldate = {2020-05-20} } Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
ISMAgent ISMDoor
2020-03-31VolexityVolexity Threat Research
@online{research:20200331:storm:b491e72, author = {Volexity Threat Research}, title = {{Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign}}, date = {2020-03-31}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/}, language = {English}, urldate = {2020-04-07} } Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign
SpyNote Stitch Godlike12
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-30IntezerPaul Litvak, Michael Kajiloti
@online{litvak:20200130:new:e013fd0, author = {Paul Litvak and Michael Kajiloti}, title = {{New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset}}, date = {2020-01-30}, organization = {Intezer}, url = {https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/}, language = {English}, urldate = {2020-02-03} } New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
TONEDEAF VALUEVAULT
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy}, language = {English}, urldate = {2020-05-23} } COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-12-09IBM SecurityIBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
2019-11-20ClearSkyClearSky Cyber Security
@online{security:20191120:muddywater:5c4adfd, author = {ClearSky Cyber Security}, title = {{MuddyWater Uses New Attack Methods in a Recent Attack Wave}}, date = {2019-11-20}, organization = {ClearSky}, url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca}, language = {English}, urldate = {2019-12-16} } MuddyWater Uses New Attack Methods in a Recent Attack Wave
QUADAGENT RogueRobin
2019-11-09NSFOCUSMina Hao
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-10-21NCSC UKNCSC UK
@online{uk:20191021:advisory:8f9f0e8, author = {NCSC UK}, title = {{Advisory: Turla group exploits Iranian APT to expand coverage of victims}}, date = {2019-10-21}, organization = {NCSC UK}, url = {https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims}, language = {English}, urldate = {2020-01-06} } Advisory: Turla group exploits Iranian APT to expand coverage of victims
Nautilus Neuron
2019-09-18IronNetJonathan Lepore
@online{lepore:20190918:chirp:44c11e9, author = {Jonathan Lepore}, title = {{Chirp of the PoisonFrog}}, date = {2019-09-18}, organization = {IronNet}, url = {https://ironnet.com/blog/chirp-of-the-poisonfrog/}, language = {English}, urldate = {2020-01-09} } Chirp of the PoisonFrog
BONDUPDATER
2019-07-18FireEyeMatt Bromiley, Noah Klapprodt, Nick Schroeder, Jessica Rocchio
@online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } Hard Pass: Declining APT34’s Invite to Join Their Professional Network
LONGWATCH PICKPOCKET TONEDEAF VALUEVAULT
2019-07-08SANSJosh M. Bryant, Robert Falcone
@techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } Hunting Webshells: Tracking TwoFace
TwoFace
2019-06-06Marco Ramilli
@online{ramilli:20190606:apt34:e2dbe80, author = {Marco Ramilli}, title = {{APT34: Jason project}}, date = {2019-06-06}, url = {https://marcoramilli.com/2019/06/06/apt34-jason-project/}, language = {English}, urldate = {2020-01-07} } APT34: Jason project
jason
2019-06-03Twitter (@P3pperP0tts)Pepper Potts
@online{potts:20190603:apt34:d5442c2, author = {Pepper Potts}, title = {{Tweet on APT34}}, date = {2019-06-03}, organization = {Twitter (@P3pperP0tts)}, url = {https://twitter.com/P3pperP0tts/status/1135503765287657472}, language = {English}, urldate = {2020-01-13} } Tweet on APT34
jason
2019-05-02Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20190502:apt34:06f5d53, author = {Marco Ramilli}, title = {{APT34: Glimpse project}}, date = {2019-05-02}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/05/02/apt34-glimpse-project/}, language = {English}, urldate = {2020-01-13} } APT34: Glimpse project
BONDUPDATER
2019-04-30ClearSkyClearSky Cyber Security
@online{security:20190430:raw:327940f, author = {ClearSky Cyber Security}, title = {{Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis}}, date = {2019-04-30}, organization = {ClearSky}, url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr}, language = {English}, urldate = {2019-10-23} } Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis
SpyNote OopsIE
2019-04-30Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20190430:behind:01b3010, author = {Bryan Lee and Robert Falcone}, title = {{Behind the Scenes with OilRig}}, date = {2019-04-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/}, language = {English}, urldate = {2020-01-06} } Behind the Scenes with OilRig
BONDUPDATER
2019-04-19Mediumx0rz
@online{x0rz:20190419:hacking:682f038, author = {x0rz}, title = {{Hacking (Back) and Influence Operations}}, date = {2019-04-19}, organization = {Medium}, url = {https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933}, language = {English}, urldate = {2020-01-13} } Hacking (Back) and Influence Operations
BONDUPDATER
2019-04-16Robert Falcone
@online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent
2019-02-13Youtube (SANS Digital Forensics & Incident Response)Josh Bryant, Robert Falcone
@online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:oilrig:c3cfb7a, author = {Cyber Operations Tracker}, title = {{OilRig}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/oilrig}, language = {English}, urldate = {2019-12-20} } OilRig
OilRig
2019MITREMITRE ATT&CK
@online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } Group description: OilRig
OilRig
2018-12-19Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek
@online{roccia:20181219:shamoon:a69d9d2, author = {Thomas Roccia and Jessica Saavedra-Morales and Christiaan Beek}, title = {{Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems}}, date = {2018-12-19}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/}, language = {English}, urldate = {2019-11-08} } Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
OilRig
2018-12-17Twitter (@MJDutch)Justin
@online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } Tweet on APT39
OilRig
2018-12-14SymantecSecurity Response Attack Investigation Team
@online{team:20181214:shamoon:5c1ab4d, author = {Security Response Attack Investigation Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-01-13} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
OilRig
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-11-27CrowdStrikeAdam Meyers
@online{meyers:20181127:meet:d6b13f0, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN}}, date = {2018-11-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
OilRig
2018-11-16Palo Alto Networks Unit 42Robert Falcone, Kyle Wilhoit
@online{falcone:20181116:analyzing:037fccb, author = {Robert Falcone and Kyle Wilhoit}, title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}}, date = {2018-11-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/}, language = {English}, urldate = {2020-01-09} } Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
OilRig
2018-09-14NetScoutASERT Team
@online{team:20180914:tunneling:c41e0f2, author = {ASERT Team}, title = {{Tunneling Under the Sands}}, date = {2018-09-14}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/tunneling-under-sands}, language = {English}, urldate = {2020-01-13} } Tunneling Under the Sands
BONDUPDATER
2018-09-12Palo Alto Networks Unit 42Kyle Wilhoit, Robert Falcone
@online{wilhoit:20180912:oilrig:5c64e44, author = {Kyle Wilhoit and Robert Falcone}, title = {{OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government}}, date = {2018-09-12}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/}, language = {English}, urldate = {2019-12-20} } OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
BONDUPDATER
2018-09-12Palo Alto Networks Unit 42Kyle Wilhoit, Robert Falcone
@online{wilhoit:20180912:oilrig:5892017, author = {Kyle Wilhoit and Robert Falcone}, title = {{OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government}}, date = {2018-09-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/}, language = {English}, urldate = {2020-01-13} } OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
OilRig
2018-08-03Github (Unit42)Unit42
@online{unit42:20180803:oilrig:ecb9dec, author = {Unit42}, title = {{OilRig Playbook}}, date = {2018-08-03}, organization = {Github (Unit42)}, url = {https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json}, language = {English}, urldate = {2020-01-08} } OilRig Playbook
OilRig
2018-07-25Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180725:oilrig:d332c68, author = {Bryan Lee and Robert Falcone}, title = {{OilRig Targets Technology Service Provider and Government Agency with QUADAGENT}}, date = {2018-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/}, language = {English}, urldate = {2019-11-29} } OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
OilRig
2018-07-07Youtube (SteelCon)Dan Caban, Muks Hirani
@online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } You’ve Got Mail!
TwoFace
2018-04-20Booz Allen HamiltonJay Novak, Matthew Pennington
@online{novak:20180420:researchers:6764b0e, author = {Jay Novak and Matthew Pennington}, title = {{Researchers Discover New variants of APT34 Malware}}, date = {2018-04-20}, organization = {Booz Allen Hamilton}, url = {https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2}, language = {English}, urldate = {2020-01-06} } Researchers Discover New variants of APT34 Malware
BONDUPDATER POWRUNER
2018-03-25Vitali Kremez BlogVitali Kremez
@online{kremez:20180325:lets:070366d, author = {Vitali Kremez}, title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}}, date = {2018-03-25}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html}, language = {English}, urldate = {2019-10-13} } Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence
OilRig
2018-03NyotronNYOTRON ATTACK RESPONSE CENTER
@techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } OilRig is Back with Next-Generation Tools and Techniques
GoogleDrive RAT
2018-02-23Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180223:oopsie:f09d30f, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2019-12-20} } OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OopsIE
2018-02-23Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180223:oopsie:3a5deb8, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2020-01-13} } OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OilRig
2018-01-25Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20180125:oilrig:80920f0, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2020-01-08} } OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
OilRig
2018-01-17NCSC UKNCSC UK
@online{uk:20180117:turla:7563012, author = {NCSC UK}, title = {{Turla group malware}}, date = {2018-01-17}, organization = {NCSC UK}, url = {https://www.ncsc.gov.uk/alerts/turla-group-malware}, language = {English}, urldate = {2020-01-06} } Turla group malware
Nautilus Neuron
2017-12-15Palo Alto Networks Unit 42Ryan Olson
@online{olson:20171215:introducing:5d2ce88, author = {Ryan Olson}, title = {{Introducing the Adversary Playbook: First up, OilRig}}, date = {2017-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/}, language = {English}, urldate = {2020-01-08} } Introducing the Adversary Playbook: First up, OilRig
OilRig
2017-12-11Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } OilRig Performs Tests on the TwoFace Webshell
TwoFace
2017-12-07FireEyeVincent Cannon, Nalani Fraser, Yogesh Londhe, Manish Sardiwal, Nick Richard, Jacqueline O’Leary
@online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
APT34 OilRig
2017-11-08Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator
2017-10-09Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20171009:oilrig:71ea256, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}}, date = {2017-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/}, language = {English}, urldate = {2019-10-14} } OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
OilRig
2017-09-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170926:striking:45926d9, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2020-01-08} } Striking Oil: A Closer Look at Adversary Infrastructure
OilRig
2017-08-28ClearSkyClearSky Research Team
@online{team:20170828:recent:fab1e53, author = {ClearSky Research Team}, title = {{Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug}}, date = {2017-08-28}, organization = {ClearSky}, url = {http://www.clearskysec.com/ismagent/}, language = {English}, urldate = {2019-12-19} } Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
ISMAgent
2017-07-31Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig
2017-04-27MorphisecMichael Gorelik
@online{gorelik:20170427:iranian:827f6f3, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2019-12-04} } Iranian Fileless Attack Infiltrates Israeli Organizations
OilRig
2017-04-27Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170427:oilrig:fd3e813, author = {Robert Falcone}, title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}}, date = {2017-04-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/}, language = {English}, urldate = {2020-01-07} } OilRig Actors Provide a Glimpse into Development and Testing Efforts
OilRig
2017-04-24CERT-ILCERT-IL
@techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } Wave attacks against government agencies, academia and business entities in Israel
OilRig
2017-02-15ForbesThomas Brewster
@online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage
OilRig
2017-01-05ClearSkyClearSky Research Team
@online{team:20170105:iranian:8a44c55, author = {ClearSky Research Team}, title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}}, date = {2017-01-05}, organization = {ClearSky}, url = {https://www.clearskysec.com/oilrig/}, language = {English}, urldate = {2019-12-03} } Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
OilRig
2017-01-05ClearSkyClearSky Research Team
@online{team:20170105:iranian:da7cfef, author = {ClearSky Research Team}, title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}}, date = {2017-01-05}, organization = {ClearSky}, url = {http://www.clearskysec.com/oilrig/}, language = {English}, urldate = {2020-01-13} } Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
OilRig
2016-11-30SymantecSymantec Security Response
@online{response:20161130:shamoon:23a43b0, author = {Symantec Security Response}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever}, language = {English}, urldate = {2020-01-13} } Shamoon: Back from the dead and destructive as ever
OilRig
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2016-10-04Palo Alto Networks Unit 42Josh Grunzweig, Robert Falcone
@online{grunzweig:20161004:oilrig:72c4b0e, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-12-20} } OilRig Malware Campaign Updates Toolset and Expands Targets
Helminth
2016-10-04Palo Alto Networks Unit 42Josh Grunzweig, Robert Falcone
@online{grunzweig:20161004:oilrig:2e3b9e0, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-10-22} } OilRig Malware Campaign Updates Toolset and Expands Targets
OilRig
2016-05-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20160526:oilrig:99f488f, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2020-01-13} } The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
OilRig
2016-05-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20160526:oilrig:89b6b4d, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2019-12-20} } The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
Helminth
2016-05-22FireEyeSudeep Singh, Yin Hong Chang
@online{singh:20160522:targeted:5baf70d, author = {Sudeep Singh and Yin Hong Chang}, title = {{Targeted Attacks against Banks in the Middle East}}, date = {2016-05-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html}, language = {English}, urldate = {2019-12-20} } Targeted Attacks against Banks in the Middle East
Helminth OilRig
2016Palo Alto Networks Unit 42paloalto Networks: Unit42
@online{unit42:2016:unit:38f5c2e, author = {paloalto Networks: Unit42}, title = {{Unit 42 Playbook Viewer}}, date = {2016}, organization = {Palo Alto Networks Unit 42}, url = {https://pan-unit42.github.io/playbook_viewer/}, language = {English}, urldate = {2020-04-06} } Unit 42 Playbook Viewer
OilRig
2015-09-17F-SecureF-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:7eedf8f, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-01-13} } The Shamoon Attacks
OilRig
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig

Credits: MISP Project