A threat group known as OilRig has been using custom-built malware that leverages DNS tunneling to secretly communicate with their servers, allowing them to control infected systems and steal data.

Who is behind the attack?

The attacks were conducted by OilRig, a group active since at least 2016, known for targeting organizations primarily in the Middle East.

What was the goal of the attack?

The goal was to maintain covert access to compromised systems, exfiltrate sensitive data, and deliver follow-on payloads through persistent DNS-based channels.

How widespread is this activity?

While the operations are sophisticated and targeted, OilRig has repeatedly updated their tools and techniques, indicating sustained campaigns against multiple organizations over several years.

Which industries were targeted?

The documented campaigns included attacks on government entities, technology providers, and organizations in the Middle East.

How does the attack work?

The malware sends specially crafted DNS queries to actor-controlled domains, embedding encoded data within those queries and interpreting DNS responses as instructions or additional payloads.

Why use DNS tunneling?

DNS is often overlooked in security monitoring and permitted through firewalls, making it an effective way to bypass traditional network defenses and maintain stealthy communication.

What can organizations do to protect themselves?

Monitor DNS traffic for anomalies, block suspicious domains, update endpoint defenses, and train employees to recognize phishing attempts.

Is this a widespread or targeted threat?

This is primarily a targeted threat aimed at specific organizations, but the techniques could be adapted for broader use if not adequately mitigated.

Threats Feed|OilRig|Last Updated 02/07/2025|AuthorCertfa Radar|Publish Date16/04/2019

Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Malware,Trojan
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

The report highlights OilRig’s deployment of tools like Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT, which utilize DNS queries to communicate stealthily with C2 servers. This covert communication method is favored due to DNS's typical allowance through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding techniques to transmit data and evade detection effectively.

Reference and Credit: Palo Alto Network - April 2019

DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Region	Saudi Arabia	Verified
Region	Middle East Countries	Verified

Extracted IOCs

acrobatverify[.]com
go0gie[.]com
ntpupdateserver[.]com
poison-frog[.]club
prosalar[.]com
withyourface[.]com
089bf971e8839db818ac462f53f82daed523c413bfc2e01fb76dd70b37162afe
0ec288ac8c4aa045a45526c2939dbd843391c9c75fa4a3bcc0a6d7dc692fdcd1
1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1
1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4
4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281
52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9
662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f
7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00
a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821
d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7
d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34
de620a0511d14a2fbc9b225ebfda550973d956ab4dec7e460a42e9d2d3cf0588
e52b8b0e8225befec156b355b3022faf5617542b82aa54f9f42088aa05a4ec49
f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111
f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e

download

Tip: 22 related IOCs (0 IP, 6 domain, 0 URL, 0 email, 16 file hash) to this threat have been found.

FAQs

Understanding OilRig’s DNS Tunneling Operations

: A threat group known as OilRig has been using custom-built malware that leverages DNS tunneling to secretly communicate with their servers, allowing them to control infected systems and steal data.
: The attacks were conducted by OilRig, a group active since at least 2016, known for targeting organizations primarily in the Middle East.
: The goal was to maintain covert access to compromised systems, exfiltrate sensitive data, and deliver follow-on payloads through persistent DNS-based channels.
: While the operations are sophisticated and targeted, OilRig has repeatedly updated their tools and techniques, indicating sustained campaigns against multiple organizations over several years.
: The documented campaigns included attacks on government entities, technology providers, and organizations in the Middle East.
: The malware sends specially crafted DNS queries to actor-controlled domains, embedding encoded data within those queries and interpreting DNS responses as instructions or additional payloads.
: DNS is often overlooked in security monitoring and permitted through firewalls, making it an effective way to bypass traditional network defenses and maintain stealthy communication.
: Monitor DNS traffic for anomalies, block suspicious domains, update endpoint defenses, and train employees to recognize phishing attempts.
: This is primarily a targeted threat aimed at specific organizations, but the techniques could be adapted for broader use if not adequately mitigated.

About Affiliation

OilRig

Associate threats