The Iranian state-sponsored threat actor known as OilRig [1] [2], also referred to as APT34, has been conducting cyber attacks since at least 2014, primarily targeting organizations in the Middle East [4].

Description

In 2022, OilRig deployed three new downloaders [1] [2] [3] [6], named ODAgent [1] [2] [6], OilCheck [1] [2] [3] [4] [5] [6], and OilBooster [1] [2] [3] [4] [5] [6], to maintain persistent access to victim organizations in Israel [1] [2] [3] [5] [6]. These downloaders use legitimate cloud service APIs [2] [3] [6], specifically the Microsoft Graph OneDrive and Outlook APIs [1] [2] [3] [5] [6] and the Microsoft Exchange Web Services (EWS) API [1] [2] [3] [5] [6], for command-and-control (C2) communication and data exfiltration [1] [2] [3] [5] [6]. Routing C2 through Microsoft's own cloud services lets the traffic blend in with legitimate network activity and conceals the group's attack infrastructure [2] [6]. While the downloaders themselves are not highly sophisticated [4], OilRig's continuous development and testing of new variants [4] [5], together with its use of different cloud services as C2 channels [4], make the group a formidable adversary [4]. OilRig's attack patterns are repetitive: it returns to the same organizations again and again [4].

The campaign specifically targets healthcare, manufacturing [1] [2] [3] [4] [6], and local governmental organizations in Israel [1] [2] [3] [4] [6]. The initial access vector used to compromise the targets remains unknown [1] [2] [3] [6]. OilRig has also been observed using various other malware, including MrPerfectionManager [2] [3] [4] [6], PowerExchange [1] [2] [3] [4] [5] [6], Solar [2] [6], Mango [2] [6], and Menorah [2] [6].

ESET researchers analyzed these downloaders and attribute them to OilRig with high confidence. The downloaders ODAgent [1] [2] [4] [5] [6], SampleCheck5000 [2] [3] [4] [5] [6], OilBooster [1] [2] [3] [4] [5] [6], and OilCheck each use a different cloud API for C2 communication and payload execution [6]. They also resemble other OilRig tools in their use of email-based C2 protocols to exfiltrate data [1] [6]. ESET has published indicators of compromise to help potential targets identify these attacks [4].
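Because the C2 endpoints described above are Microsoft's own Graph and EWS services, blocking by domain or IP is not an option; the useful signal is which process on a host talks to those APIs and how regularly. The hunt below is an added example written for this page, not ESET's tooling or a description of the actual implants: it reads constructed proxy/EDR network log lines, flags processes outside an assumed allowlist that contact graph.microsoft.com or the EWS endpoint, and reports near-constant polling intervals. The hostnames and the EWS path are the public endpoints of those APIs; the process allowlist, the log format, and the URL paths in the sample are assumptions for the example.

```python
"""Hunt for cloud-API command-and-control in proxy/EDR network logs.

Added example (not ESET's code or the implants' behaviour): flags processes
that use Microsoft Graph or Exchange Web Services when they are not the
client software expected to do so, and reports periodic polling.
"""
import json
import statistics
from datetime import datetime
from urllib.parse import urlparse

# Public endpoints of the APIs named in the report. The hostnames and EWS
# path are real; the exact paths an implant would call are not known here.
GRAPH_HOST = "graph.microsoft.com"
EWS_HOSTS = {"outlook.office365.com", "outlook.office.com"}
EWS_PATH = "/ews/exchange.asmx"

# Assumed allowlist of processes legitimately expected to use these APIs on
# a workstation. Tune this per environment.
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe"}

# Constructed sample log: one JSON object per line. WS01 shows a non-standard
# binary polling OneDrive every five minutes; WS02 shows a one-off EWS call.
SAMPLE_LOG = """\
{"ts":"2023-11-02T08:00:01Z","host":"WS01","proc":"outlook.exe","url":"https://outlook.office365.com/EWS/Exchange.asmx"}
{"ts":"2023-11-02T08:00:05Z","host":"WS01","proc":"onedrive.exe","url":"https://graph.microsoft.com/v1.0/me/drive/root/children"}
{"ts":"2023-11-02T08:01:00Z","host":"WS01","proc":"svchost_update.exe","url":"https://graph.microsoft.com/v1.0/me/drive/root:/docs:/children"}
{"ts":"2023-11-02T08:06:00Z","host":"WS01","proc":"svchost_update.exe","url":"https://graph.microsoft.com/v1.0/me/drive/root:/docs:/children"}
{"ts":"2023-11-02T08:11:00Z","host":"WS01","proc":"svchost_update.exe","url":"https://graph.microsoft.com/v1.0/me/drive/root:/docs:/children"}
{"ts":"2023-11-02T08:16:00Z","host":"WS01","proc":"svchost_update.exe","url":"https://graph.microsoft.com/v1.0/me/drive/root:/docs:/children"}
{"ts":"2023-11-02T08:03:00Z","host":"WS02","proc":"Update.exe","url":"https://outlook.office365.com/EWS/Exchange.asmx"}
{"ts":"2023-11-02T08:20:00Z","host":"WS02","proc":"msedge.exe","url":"https://graph.microsoft.com/v1.0/me"}
"""


def classify_url(url):
    """Return 'graph', 'ews', or None depending on which API the URL targets."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == GRAPH_HOST:
        return "graph"
    if host in EWS_HOSTS and parsed.path.lower() == EWS_PATH:
        return "ews"
    return None


def parse_log(text):
    """Parse JSON lines into events with a datetime and an API label."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        event["api"] = classify_url(event["url"])
        events.append(event)
    return events


def hunt(text, allowlist=EXPECTED_PROCESSES, min_beacons=3, max_jitter=0.2):
    """Group API calls by (host, process, api) and report unexpected users.

    A group is 'periodic' when it has at least min_beacons hits and the
    relative standard deviation of the inter-call gaps is <= max_jitter.
    """
    groups = {}
    for event in parse_log(text):
        if event["api"] is None:
            continue
        key = (event["host"], event["proc"].lower(), event["api"])
        groups.setdefault(key, []).append(event["ts"])

    findings = []
    for (host, proc, api), stamps in groups.items():
        if proc in allowlist:
            continue
        reasons = [f"unexpected process using {api} API"]
        stamps.sort()
        if len(stamps) >= min_beacons:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"periodic polling every ~{mean:.0f}s ({len(stamps)} hits)")
        findings.append({"host": host, "process": proc, "api": api,
                         "count": len(stamps), "reasons": reasons})
    return sorted(findings, key=lambda f: (f["host"], f["process"]))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding['host']} {finding['process']} [{finding['api']}] "
              f"x{finding['count']}: {'; '.join(finding['reasons'])}")
```

On the sample, the Outlook, OneDrive and Edge calls are ignored, the WS01 binary is reported as an unexpected Graph client polling every ~300 s, and the WS02 binary as a single unexpected EWS caller. In practice, pair the process-based check with sign-in and OAuth consent logs for the tenant, since the same traffic can also originate from a compromised account rather than an unusual binary.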

Conclusion

Mitigating these campaigns starts from the fact that the downloaders' C2 traffic goes to Microsoft's own Graph and EWS endpoints, so blocking domains or IP addresses is not an option. Detection has to focus instead on which processes and accounts use those APIs, on unexpected OneDrive and mailbox activity, and on the indicators of compromise ESET has published [4] [5]. A Zero Trust approach, with least-privilege access and continuous verification of users and devices, limits what a downloader can reach once it is running. Because OilRig keeps developing and testing new variants [4] [5], these controls and detections need to be revisited as new tooling appears. By staying informed and implementing such measures, organizations can better protect themselves against OilRig and similar threat actors.

References

[1] https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html
[2] https://www.techidee.nl/de-door-de-iraanse-staat-gesponsorde-oilrig-group-implementeert-drie-nieuwe-malware-downloaders/3393/
[3] https://owasp.or.id/2023/12/14/iranian-state-sponsored-oilrig-group-deploys-3-new-malware-downloaders/
[4] https://zerosecurity.org/2023/12/iranian-cyber-group-oilrig-unleashes-advanced-tactics-in-targeted-assaults-on-israeli-organizations/
[5] https://www.eset.com/sg/about/newsroom/press-releases1/products/iran-linked-oilrig-attacks-israeli-organizations-with-cloud-service-powered-downloaders-eset-researc/
[6] https://ciso2ciso.com/iranian-state-sponsored-oilrig-group-deploys-3-new-malware-downloaders-sourcethehackernews-com/