In a series of cyber offensives carried out throughout 2022, the prolific Iranian advanced persistent threat group (APT) known as OilRig has demonstrated a noteworthy shift in its modus operandi. The attacks were marked by the deployment of four new downloaders—SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster. These tools, developed in the past year, were unveiled by researchers from ESET in a blog post released on December 14.
Notably, these downloaders distinguish themselves from other tools in OilRig’s arsenal by leveraging various legitimate Microsoft cloud services for communication with attackers and data exfiltration. The cloud services employed include Microsoft OneDrive, Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API, according to the research findings.
ESET’s analysis revealed that the targets of these cyberattacks included a healthcare organization, a manufacturing company, a local governmental organization, and several other unidentified entities, all situated in Israel. Most of these targets had been previously subjected to attacks by OilRig.
While the downloaders themselves may not be highly sophisticated, as pointed out by ESET researcher Zuzana Hromcová, their effectiveness lies in the group’s continuous development and testing of new variants. Furthermore, OilRig’s experimentation with different cloud services and programming languages, coupled with its unwavering commitment to repeatedly compromise the same targets, positions the group as a formidable adversary in the cyber landscape.
In a press statement, Hromcová emphasized that the group’s evolution and tactics make OilRig one to closely monitor. The use of downloaders, especially those leveraging cloud services, demonstrates the group’s adaptability and evasion strategies, allowing the malware to seamlessly integrate into normal network traffic. This tactical choice is believed to be a key factor in why OilRig deploys these downloaders against previously targeted victims, according to ESET’s insights.
OilRig APT: A Shifting Cyber Threat With Persistent Tactics
Since 2014, the cyber threat known as OilRig has been a consistent presence, primarily operating in the Middle East and focusing its efforts on organizations across diverse industries like chemical, energy, finance, and telecommunications.
This group, specializing in cyber espionage, recently gained attention due to its involvement in a supply chain attack in the United Arab Emirates (UAE). However, this is just one among many incidents linked to OilRig. In the past year, the group’s activities prompted the U.S. government to impose sanctions on Iran’s intelligence arm, suspected of sponsoring OilRig.
ESET, a cybersecurity research firm, identified OilRig as the culprit behind repeated cyber attacks on Israeli organizations. The evidence lies in the similarity between the downloaders used and other tools in OilRig’s arsenal, such as the MrPerfectionManager and PowerExchange backdoors, both utilizing email-based C2 (command-and-control) protocols.
OilRig’s attack patterns seem to follow a familiar script, displaying a repetitive nature, according to researchers. Between June and August 2022, ESET detected downloaders like OilBooster, SC5k v1, and SC5k v2, as well as the Shark backdoor, within the network of an Israeli local governmental organization—a target previously hit by OilRig.
In a subsequent discovery, ESET found another version of SC5k (v3) in the network of an Israeli healthcare organization, previously victimized by OilRig. ODAgent, another tool in OilRig’s arsenal, surfaced in the network of an Israeli manufacturing company, a target previously affected by SC5k and OilCheck.
“OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks,” cautioned the researchers.
To help organizations determine whether they were compromised in these recent attacks, ESET provided a comprehensive list of indicators of compromise (IoCs) in its blog post, covering files, network activity, and techniques mapped to the MITRE ATT&CK framework.
Exploring the Covert Tactics of OilRig’s Sneaky Backdoor Malware
Delving into the intricacies of OilRig’s stealthy backdoor malware unveils a sophisticated landscape where different downloaders play distinct roles, each crafted with precision.
Written in C++/.NET, the downloaders, including OilBooster, exhibit unique functionalities. Despite their differences, a common thread among them is the utilization of a shared email or cloud storage account for communication with OilRig operators. This shared account serves as a conduit for exchanging messages that can be leveraged against multiple victims.
SC5k, the earliest of the downloaders to emerge (as early as November 2021), exists in several variants, all of which rely on legitimate cloud services. Every SC5k variant uses the Microsoft Office EWS API to interact with a shared Exchange mail account, through which it downloads additional payloads and commands and uploads collected data.
OilCheck, discovered in April 2022, takes a similar approach by using draft messages in a shared email account for two-way C2 communication. However, it differs from SC5k in that it uses the REST-based Microsoft Graph API to access a shared Microsoft 365 Outlook email account, departing from the SOAP-based Microsoft Office EWS API.
In contrast, OilBooster, also utilizing the Microsoft Graph API, connects to a Microsoft 365 account. However, it diverges from OilCheck by interacting with a OneDrive account controlled by the attackers for C2 communication and exfiltration, rather than an Outlook account. OilBooster boasts capabilities such as downloading files from the remote server, executing files and shell commands, and exfiltrating the results.
ODAgent, believed to be a precursor of OilBooster, employs the Microsoft Graph API to access an attacker-controlled OneDrive account for C2 communication and exfiltration. Similar to OilBooster, ODAgent repeatedly connects to the shared OneDrive account, listing the contents of the victim-specific folder to obtain additional payloads and backdoor commands, according to researchers. This intricate web of techniques underscores the evolving tactics of OilRig’s backdoor malware.
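The detection angle that follows from this description is that a non-Office process polling a mailbox's drafts folder, an EWS endpoint or a OneDrive folder listing at a steady cadence is the signature of the cloud-service C2 pattern ESET describes. The script below is an added illustration, not ESET's code or an OilRig sample; the log lines are constructed, and the endpoint patterns and the allowlist of expected client processes are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (timestamp, process, host, URL path); not from the ESET report
SAMPLE_LOGS = """\
2022-07-01T09:00:00 OUTLOOK.EXE outlook.office365.com /EWS/Exchange.asmx
2022-07-01T09:00:05 svchost_update.exe outlook.office365.com /EWS/Exchange.asmx
2022-07-01T09:05:05 svchost_update.exe outlook.office365.com /EWS/Exchange.asmx
2022-07-01T09:10:05 svchost_update.exe outlook.office365.com /EWS/Exchange.asmx
2022-07-01T09:02:00 OneDrive.exe graph.microsoft.com /v1.0/me/drive/root/children
2022-07-01T09:03:00 helper.exe graph.microsoft.com /v1.0/me/drive/root:/victim-a:/children
2022-07-01T09:08:00 helper.exe graph.microsoft.com /v1.0/me/drive/root:/victim-a:/children
2022-07-01T09:13:00 helper.exe graph.microsoft.com /v1.0/me/drive/root:/victim-a:/children
2022-07-01T09:04:00 OUTLOOK.EXE graph.microsoft.com /v1.0/me/mailFolders/drafts/messages
"""

# Endpoint families matching the three channels named in the article (patterns are assumptions)
C2_ENDPOINTS = {
    "ews": re.compile(r"/EWS/Exchange\.asmx", re.I),          # SOAP EWS (SC5k)
    "graph_drafts": re.compile(r"/mailFolders/drafts", re.I),  # Graph Outlook drafts (OilCheck)
    "graph_onedrive": re.compile(r"/me/drive/", re.I),         # Graph OneDrive (ODAgent/OilBooster)
}
# Processes expected to reach these services on a managed host (assumed allowlist)
EXPECTED_CLIENTS = {"outlook.exe", "onedrive.exe"}

def parse(lines):
    for line in lines.strip().splitlines():
        ts, proc, host, path = line.split()
        yield datetime.fromisoformat(ts), proc, host, path

def classify(path):
    """Map a URL path to one of the C2 endpoint families, or None."""
    for name, pat in C2_ENDPOINTS.items():
        if pat.search(path):
            return name
    return None

def find_suspicious(lines, min_hits=3, max_jitter=30):
    """Return {(process, family): mean_interval_seconds} for unexpected processes
    that poll a cloud endpoint family at a near-constant interval (beaconing)."""
    hits = defaultdict(list)
    for ts, proc, host, path in parse(lines):
        fam = classify(path)
        if fam and proc.lower() not in EXPECTED_CLIENTS:
            hits[(proc, fam)].append(ts)
    findings = {}
    for key, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) - min(gaps) <= max_jitter:
            findings[key] = round(sum(gaps) / len(gaps))
    return findings
```

On the constructed sample this flags the two non-allowlisted processes polling EWS and a OneDrive folder every 300 seconds, while the legitimate Outlook and OneDrive clients are ignored.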