Threats Feed | OilRig | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 13/12/2024

OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spear-phishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT) and exploitation of vulnerabilities such as CVE-2024-30088. The group relies on obfuscation techniques to evade detection and uses tools such as STEALHOOK for privilege escalation, lateral movement and data exfiltration. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, reflecting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate persistence, stealth and adaptability consistent with state-sponsored objectives.

Detected Targets

Type   | Description                       | Confidence
Sector | Government Agencies and Services  | Verified
Sector | Information Technology            | Verified
Sector | Energy                            | Verified
Sector | Oil and Gas                       | Verified
Sector | Telecommunication                 | Verified
Region | Saudi Arabia                      | Verified
Region | Middle East Countries             | Verified

Exploited Vulnerabilities

Extracted IOCs


Tip: 5 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 5 file hash) to this threat have been found.

Overlaps

OilRig | Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Source: Palo Alto Networks - April 2019

Detection (one case): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c

OilRig | Adapting and Evolving: A Look at OilRig's QUADAGENT-Driven Attacks

Source: Palo Alto Networks - July 2018

Detection (two cases): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c, d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation: OilRig