OilRig Continues Assault on Middle Eastern Governments and Businesses with BONDUPDATER
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Dropper, Malicious Macro, Malware, Trojan, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
The OilRig group has continued its cyber attacks, mainly in the Middle East. The group targeted governmental organizations with spear-phishing emails delivering an updated version of the Trojan known as BONDUPDATER. The Trojan allows the threat actors to upload and download files and execute commands, and it uses DNS tunneling for C2 communications; this version adds a new tunneling method that carries C2 data in DNS TXT records. The continued onslaught of OilRig attacks into 2018 is of concern, with variations of previous tools being reused to capitalize on their prior success.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services. The report identifies the target as a governmental organization in the Middle East. | Verified |
| Region | Middle East Countries | Verified |
Extracted IOCs
- withyourface[.]com
- 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00
- c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322
- d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7
- 99[.]250.250.199
Tip: 5 related IOCs (1 IP, 1 domain, 0 URL, 0 email, 3 file hash) to this threat have been found.
Overlaps
Source: Netscout - September 2019
Detection (one case): withyourface[.]com
Source: Palo Alto Networks - April 2019
Detection (three cases): 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00, d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7, withyourface[.]com
Source: Palo Alto Networks - November 2018
Detection (two cases): 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00, withyourface[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding the OilRig "BONDUPDATER" Campaign
A specific threat group launched a cyber attack using a deceptive email (phishing) containing a malicious Microsoft Word document. When opened, this document installed software that allowed the attackers to control the computer remotely and steal data.
The attack was conducted by the OilRig threat group, a known cyber espionage group often associated with targeting entities in the Middle East.
The primary goal appears to be espionage and persistent access. The malware installed is designed to receive commands and upload files from the infected computer to a server controlled by the attackers.
The attack was highly specific, targeting a high-ranking office within a Middle Eastern nation. This suggests a motive related to intelligence gathering rather than financial gain.
The attackers sent an email with a "weaponized" document. Once the user opened it, a macro ran in the background to install a Trojan named BONDUPDATER. The Trojan sets up a recurring scheduled task to ensure it stays active on the system and communicates with the attackers by hiding its traffic inside DNS (domain-name lookup) queries.
This attack is notable because the attackers updated their software (BONDUPDATER) with new capabilities. They added a new method of communication using "TXT records" to hide their traffic better and added a self-destruct timer to the software to prevent it from crashing or being easily detected by running for too long.
Organizations should verify that their email security blocks malicious attachments and monitor their network traffic for unusual DNS activity, such as a high volume of TXT-record queries to a single domain from one host. Specifically, IT teams should look for unauthorized files created under the C:\ProgramData\ folder.
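The DNS-monitoring advice above can be turned into a simple heuristic. The following added example (not code from the original report, the vendor sources, or the malware itself) parses constructed DNS query log lines and flags a client that sends a burst of TXT queries to one base domain where the subdomain labels are almost all unique and have high character entropy, which is what data smuggled inside query names tends to look like. The log format, host names, domain `updates-hypothetical.net`, and the thresholds (`min_queries`, `min_entropy`, `min_unique_ratio`) are all assumptions chosen for illustration; the base-domain split uses the last two labels rather than the Public Suffix List.

```python
"""Heuristic detection of DNS TXT-record tunnelling over sample query logs."""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>" per line.
# Hosts, addresses and domains are made up for this example.
SAMPLE_LOG = """\
2018-09-12T09:00:01 10.0.0.5 A www.example.com
2018-09-12T09:00:02 10.0.0.5 TXT _dmarc.example.com
2018-09-12T09:00:05 10.0.0.7 TXT 4a7f2c9e1b.3d8e0f6a2c.updates-hypothetical.net
2018-09-12T09:00:06 10.0.0.7 TXT 9c1e5b7d0a.4f3a8e2d1b.updates-hypothetical.net
2018-09-12T09:00:07 10.0.0.7 TXT 2d6b8f0c3e.7a1e9d4f5b.updates-hypothetical.net
2018-09-12T09:00:08 10.0.0.7 TXT 8e4c1a6d9f.0b5d3f7e2a.updates-hypothetical.net
2018-09-12T09:00:09 10.0.0.7 TXT 5f9a3e7c1d.6e2b0d8a4f.updates-hypothetical.net
2018-09-12T09:00:10 10.0.0.9 AAAA mail.example.com
"""


def parse_log(text):
    """Parse the assumed four-field log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({
            "ts": ts,
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_prefix, base_domain).

    Assumption: the base domain is the last two labels. A production version
    would use the Public Suffix List to handle names such as example.co.uk.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_txt_tunneling(records, min_queries=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Group TXT queries by (client, base domain) and flag tunnelling-like bursts.

    A group is reported when it has at least `min_queries` queries, nearly every
    subdomain prefix is distinct (`min_unique_ratio`), and the prefixes have
    high average entropy (`min_entropy` bits per character). Thresholds are
    illustrative assumptions and should be tuned against local baseline traffic.
    """
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] != "TXT":
            continue
        prefix, base = split_name(r["qname"])
        groups[(r["client"], base)].append(prefix)

    findings = []
    for (client, base), prefixes in groups.items():
        if len(prefixes) < min_queries:
            continue
        unique_ratio = len(set(prefixes)) / len(prefixes)
        avg_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            findings.append({
                "client": client,
                "base_domain": base,
                "queries": len(prefixes),
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_txt_tunneling(parse_log(SAMPLE_LOG)):
        print(f"suspect TXT tunnelling: {f['client']} -> {f['base_domain']} "
              f"({f['queries']} queries, entropy {f['avg_entropy']})")
```

The legitimate `_dmarc.example.com` TXT lookup is not reported because a single query never reaches `min_queries`; in real deployments the per-domain count and the entropy cut-off are the two knobs that separate email-authentication and service-discovery TXT lookups from encoded C2 traffic, so both should be calibrated against a week or so of normal resolver logs before alerting is enabled.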
Based on the report, this was a targeted campaign directed at a specific high-ranking office, rather than a broad attack affecting the general public. However, the techniques used could be deployed against other targets.