Latest Update: 14/04/2026

Threats Feed

  1. Public

    OilRig Continues Assault on Middle Eastern Governments and Businesses with BONDUPDATER

    The OilRig group has continued its cyber attacks, mainly in the Middle East. The group targeted governmental organizations with spear-phishing emails delivering an updated Trojan known as BONDUPDATER. The Trojan lets the threat actors upload and download files and execute commands, and it uses DNS tunneling for C2 communication, including a new variant of the tunneling protocol that carries data in DNS TXT records. The continued onslaught of OilRig attacks into 2018 is of concern, with variations of previous tools being reused, capitalizing on their prior success.
  2. Public

    Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

    The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

  3. Public

    Decoding OilRig's New Cyberthreat: How OopsIE Trojan Targeted Middle East Organizations

    The OilRig threat group initiated an attack targeting organizations in the Middle East through spear-phishing emails carrying a malicious Microsoft Word document called ThreeDollars. The document contained a new payload, the OopsIE Trojan, which was delivered either directly or through the document. OilRig varied its delivery tactics because of prior encounters with the targeted organization, and also adopted password-protected documents as an evasion tactic. The OopsIE Trojan communicated with a C2 server and executed the commands it provided.

  4. Public

    TwoFace Webshell to RGDoor: A Resilient Cyber Attack on Middle Eastern Organizations

    OilRig was identified by Unit 42 as deploying a secondary backdoor, RGDoor, via the TwoFace webshell in order to regain access to compromised webservers once TwoFace was detected and removed. Targeting eight Middle Eastern government organizations, a financial institution, and an educational institution, RGDoor allows OilRig to execute commands and upload and download files on the server. The backdoor is written in C++ and built as a DLL, and the operators communicate with it through HTTP POST requests.

  5. Public

    OilRig Perfects Evasion Techniques with TwoFace Webshell

    Unit 42 monitored OilRig's testing of the TwoFace webshell, specifically its TwoFace++ variant, to evade detection by security tools. Analysis revealed that OilRig's developers systematically modified the webshell's loader script to reduce detection rates, ultimately achieving zero detection by altering code related to the embedded payload's update functionality. The testing involved decoding and encrypting webshell data and making frequent code alterations to pinpoint and circumvent security measures. Additionally, another webshell, named DarkSeaGreenShell, was discovered during these tests.

  6. Public

    APT34's Utilization of Microsoft Office Vulnerabilities to Compromise Middle Eastern Organizations

    The Iranian cyber espionage group APT34 exploited two vulnerabilities (CVE-2017-0199 and CVE-2017-11882) in Microsoft Office to deliver malicious payloads against Middle Eastern governmental organizations. The group used spear-phishing emails with malicious .rtf files attached which, upon opening, exploited the vulnerabilities and executed malicious scripts. The scripts, POWRUNER and BONDUPDATER, performed actions such as persistence and command-and-control (C2) communication, including use of a domain generation algorithm (DGA) to evade detection.

  7. Public

    OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks

    The OilRig threat group has been using a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they developed a new custom Trojan named "ALMA Communicator" and incorporated Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.

  8. Public

    Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

    The OilRig group launched a spear-phishing attack on an organization within the United Arab Emirates government on August 23, 2017. The phishing email contained two malicious attachments and also used an image hosted on an adversary-owned server, potentially to track email opens. OilRig likely gained access to a user's Outlook Web Access (OWA) account within the targeted organization to send phishing emails internally. The attachments included a document with a malicious macro and a file that attempted to exploit the CVE-2017-0199 vulnerability. The ultimate payloads were the new ISMInjector tool and the ISMAgent Trojan, with infrastructure linked to previous OilRig campaigns.

  9. Public

    OilRig Campaign Resurfaces: Iranian Hackers Target Israel with Helminth Trojan

    Between April 19 and 24, 2017, several Israeli organizations, including high-tech development companies, medical entities, and educational institutions, were targeted by a politically motivated campaign attributed to the Iranian hacker group responsible for the OilRig malware campaigns. The fileless attack was delivered through compromised email accounts at Ben-Gurion University using Microsoft Word documents exploiting the CVE-2017-0199 vulnerability. The Helminth Trojan was installed as a result, bearing a striking similarity to the OilRig campaign conducted against Middle Eastern financial institutions the previous year. The threat actors exploited the gap between patch release and rollout, with active C&C servers still operational at the time of report publication.

  10. Public

    Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks

    The Iranian threat actor OilRig, active since the end of 2015, has been implicated in a wave of cyber attacks targeting several countries, namely Israel, Turkey, Qatar, Kuwait, UAE, Saudi Arabia, and Lebanon. In their most recent campaigns, they have leveraged advanced strategies, setting up fake VPN portals and counterfeit websites and using stolen code signing certificates to give their malware an appearance of authenticity. This not only illustrates their high technical capability, but also underscores the complexity and effectiveness of their operations. These attacks have largely targeted IT and financial institutions, causing significant concern in those sectors.

  11. Public

    OilRig Campaign: Malware Updates and Expanded Global Targets

    The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including the Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its relative lack of sophistication, the malware stays under the radar in many organizations thanks to techniques such as DNS-based command and control.