Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 09/10/2017

Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Dropper, Malicious Macro, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The OilRig group launched a spear-phishing attack on an organization within the United Arab Emirates government on August 23, 2017. The phishing email contained two malicious attachments, and also used an image hosted on an adversary-owned server to potentially track email opens. OilRig likely gained access to a user's Outlook Web Access (OWA) account within the targeted organization to send phishing emails internally. The attachments included a document with a malicious macro and a file that attempted to exploit the CVE-2017-0199 vulnerability. The ultimate payloads were the new ISMInjector tool and the ISMAgent Trojan, with infrastructure linked to previous OilRig campaigns.

Detected Targets

Type | Description | Confidence
Sector | Government Agencies and Services. The attack targeted the government sector within the United Arab Emirates. | Verified
Region | United Arab Emirates. The United Arab Emirates was the country specifically targeted in the attack mentioned in the report. | Verified

Exploited Vulnerabilities

  • CVE-2017-0199

Extracted IOCs


Tip: 23 related IOCs (5 IP, 8 domain, 1 URL, 0 email, 9 file hash) to this threat have been found.

Overlaps

Greenbug: Decoding Greenbug Group's Command and Control Communications via DNS Tunneling

Source: DomainTools - December 2019

Detection (three cases): microsoft-publisher[.]com, msoffice365update[.]com, ntpupdateserver[.]com

Unknown: xHunt Campaign Targets Kuwait's Transportation and Shipping Sectors

Source: Palo Alto Networks - September 2019

Detection (two cases): 82[.]102.14.222, microsoft-publisher[.]com

OilRig: OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (two cases): msoffice-cdn[.]com, office365-management[.]com

OilRig: Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Source: Palo Alto Networks - April 2019

Detection (two cases): a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821, ntpupdateserver[.]com

OilRig: Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

Source: Palo Alto Networks - July 2018

Detection (one case): 119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc

OilRig: Decoding OilRig's New Cyberthreat: How OopsIE Trojan Targeted Middle East Organizations

Source: Palo Alto Networks - February 2018

Detection (two cases): msoffice-cdn[.]com, office365-management[.]com

Greenbug: Potential Cyber Targets Revealed in Greenbug's Domain Registrations: Israeli and Saudi Firms in Focus

Source: ClearSky - October 2017

Detection (one case): ntpupdateserver[.]com

Greenbug: The Base64 Disguise: How GreenBug's Trojan ISMAgent Evades Detection

Source: ClearSky - August 2017

Detection (seven cases): 74[.]91.19.122, 82[.]102.14.246, hxxp://82[.]102.14.246/webdav/aws[.]exe, 33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647, 66358a295b8b551819e053f2ee072678605a5f2419c1c486e454ab476c40ed6a, cdnmsnupdate[.]com, msoffice-cdn[.]com

OilRig: OilRig and Greenbug Connection: Expanding Threats with Modified Trojans

Source: Palo Alto Networks - July 2017

Detection (two cases): microsoft-publisher[.]com, ntpupdateserver[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the OilRig Attacks on UAE Government

A cyber-espionage group known as OilRig launched a targeted phishing campaign against a UAE government entity, delivering advanced malware via malicious Word documents.

The threat group identified as OilRig, likely based in the Middle East, is known for targeting regional government and energy sectors using stealthy custom malware.

The goal was to establish long-term access, collect sensitive information, and potentially move laterally within the compromised network.

This campaign specifically targeted the United Arab Emirates government, though OilRig has a history of attacking other Middle Eastern organizations.

Attackers sent phishing emails from compromised internal accounts, containing malicious documents that installed a Trojan capable of injecting backdoor malware into system processes.

As a geopolitical and economic hub in the Middle East, the UAE is an attractive target for espionage-focused threat actors seeking sensitive governmental or diplomatic information.

OilRig used a newly developed Trojan with anti-analysis techniques and sophisticated persistence mechanisms, showing a clear evolution in their toolset.

This was a targeted attack, part of a broader trend of state-aligned cyber campaigns in the Middle East, rather than a global malware outbreak.

Use multi-factor authentication, educate staff about phishing, monitor internal traffic, and keep software up to date. Blocking known malicious domains and detecting unusual use of administrative tools like certutil is also critical.