A threat group known as OilRig has been actively updating its malware toolset and expanding its attacks against various government and corporate targets across multiple countries.

Who is behind this attack?

The group is believed to be linked to Iranian-based threat actors, known for cyber-espionage operations against Middle Eastern and Western organizations.

What was the goal of the attack?

The campaign aims to conduct espionage by compromising target systems, maintaining access, and exfiltrating sensitive data through stealthy methods like DNS-based command and control.

Targets include government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States, indicating a focus on high-value geopolitical and strategic interests.

How was the attack carried out?

Attackers used spear-phishing emails with malicious Excel documents containing embedded macros. Once executed, these documents deployed malware that communicates with remote servers via HTTP and DNS.

Why are these targets attractive to the attackers?

The targeted entities likely possess sensitive political, economic, or military information valuable for strategic intelligence gathering.

What can organizations do to protect themselves?

Organizations should enhance email security, monitor network traffic for suspicious activity, enforce macro restrictions, and keep security tools updated to detect known malware variants.

Is this a widespread issue or a targeted one?

This campaign is highly targeted, focusing on specific organizations of strategic interest, rather than being a broad, opportunistic attack.

Threats Feed|OilRig|Last Updated 24/04/2025|AuthorCertfa Radar|Publish Date04/10/2016

OilRig Campaign: Malware Updates and Expanded Global Targets

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Downloader,Dropper,Malicious Macro,Malware,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its lack of sophistication, the malware successfully operates under the radar in many establishments due to techniques like DNS command and control.

Reference and Credit: Palo Alto Networks - October 2016

OilRig Malware Campaign Updates Toolset and Expands Targets

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Region	Israel	Verified
Region	Qatar	Verified
Region	Saudi Arabia The countries that were targeted by the attack include Saudi Arabia, Qatar, Turkey, Israel, and the United States.	Verified
Region	Turkey	Verified
Region	United States	Verified

Extracted IOCs

go0gie[.]com
googleupdate[.]download
shalaghlagh[.]tk
update-kernal[.]net
upgradesystems[.]info
winodwsupdates[.]me
yahoooooomail[.]com
005dde45a6f1d9b2a254e71f89f12ab0dfaaa48d081f5c0a434800bd5c327086
089bf971e8839db818ac462f53f82daed523c413bfc2e01fb76dd70b37162afe
0b9437dd87a3c24ed7d200f9b870d69f9b7ad918c51325c11444df8bc6fb97ba
0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e
0ec288ac8c4aa045a45526c2939dbd843391c9c75fa4a3bcc0a6d7dc692fdcd1
1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1
299bc738d7b0292820d99028289280ba24d7fb985851d9c74060af7950cecef0
2c4bcab135bf1846684b598e66e3f51443f70f9e8d0544f3417774cbe907e8ef
2e226a0210a123ad828803eb871b74ecbdb702fc4babd9ff786231c486ff65e0
31db0841c3975be5395f13c894b7e444d150cc701487b756fff43ce78d98b1e6
36d4b4b018ec78a79f3c06dc30ec77c250307628a7631f6b5b5995e797d0674f
3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff
3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4
3af6dfa4cebd82f48b6638a9757730810707d79d961dde1b72d3768e972e6184
4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281
4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353
528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b
5a2c38be89ac878d28080a7465c4a3f8708fb414b811511b9d5ae61a47593a69
5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9
65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf
662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f
742a52084162d3789e196fb5ff6f8e2983147cd914088bd5f9ed363d7a5b0df0
80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e
8bfbb637fe72da5c9aee9857ca81fa54a5abe7f2d1b061bc2a376943c63727c7
903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996
90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed
93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0
9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471
a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064
bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9
c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51
c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da
c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d
cffc694ace3e1547007ae00437536f2a88ba60179c51f23228e696fb02afdc86
d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34
d874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d
e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa
f04cf9361cf46bff2f9d19617bba577ea5f3ad20ea76e1f7e159701e446364fc
f1de7b941817438da2a4b7284bc56c291db7312e3ba5e2397b3621811a816aa3
f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2
f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e

download

Tip: 48 related IOCs (0 IP, 7 domain, 0 URL, 0 email, 41 file hash) to this threat have been found.

FAQs

Understanding the OilRig Malware Campaign

: A threat group known as OilRig has been actively updating its malware toolset and expanding its attacks against various government and corporate targets across multiple countries.
: The group is believed to be linked to Iranian-based threat actors, known for cyber-espionage operations against Middle Eastern and Western organizations.
: The campaign aims to conduct espionage by compromising target systems, maintaining access, and exfiltrating sensitive data through stealthy methods like DNS-based command and control.
: Targets include government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States, indicating a focus on high-value geopolitical and strategic interests.
: Attackers used spear-phishing emails with malicious Excel documents containing embedded macros. Once executed, these documents deployed malware that communicates with remote servers via HTTP and DNS.
: The targeted entities likely possess sensitive political, economic, or military information valuable for strategic intelligence gathering.
: Organizations should enhance email security, monitor network traffic for suspicious activity, enforce macro restrictions, and keep security tools updated to detect known malware variants.
: This campaign is highly targeted, focusing on specific organizations of strategic interest, rather than being a broad, opportunistic attack.

About Affiliation

OilRig

Associate threats