OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Downloader, Dropper, Malicious Macro, Trojan, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Utilities: the attack targeted an individual at a public utilities company in the Middle East. | Verified |
Extracted IOCs
- prosalar[.]com
- 2d6f06d8ee0da16d2335f26eb18cd1f620c4db3e880efa6a5999eff53b12415c
- 2fc7810a316863a5a5076bf3078ac6fad246bc8773a5fb835e0993609e5bb62e
- f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111
Tip: 4 IOCs related to this threat have been found (0 IP addresses, 1 domain, 0 URLs, 0 email addresses, 3 file hashes).
FAQs
Understanding the OilRig ALMA Communicator Attack
A known threat group, OilRig, sent phishing emails with malicious Excel files. If opened, these documents installed a custom backdoor called ALMA Communicator and a tool for stealing passwords.
The attackers are the OilRig group, which has a long history of targeting organizations in the Middle East, especially in sectors like energy and government.
The main objectives were to establish ongoing remote access to victims’ systems, steal credentials, and exfiltrate sensitive data.
Evidence points to a public utilities company in the Middle East. This suggests a focus on critical infrastructure.
Attackers used an Excel document with hidden code. When victims enabled macros, the code built and ran additional malicious files. The backdoor communicated over DNS, making it harder to detect.
Critical infrastructure often holds valuable data and plays a vital role in national security, making it attractive to state-sponsored attackers.
Organizations should block suspicious email attachments, disable Office macros where they are not needed, monitor DNS traffic for tunneling patterns, and deploy tools that detect known malicious behaviors such as suspicious scheduled-task creation and credential dumping.
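As an added example (not code from the original report), the following Python script shows one way to act on the advice to monitor DNS traffic for a tunneling backdoor like ALMA Communicator: it groups DNS query logs by registered domain and flags domains whose subdomain labels are long, high-entropy and rarely repeated. The log lines, thresholds and hex-like labels are constructed for illustration; prosalar[.]com is the domain listed in the IOCs above.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp, client, queried name, record type). prosalar.com is the
# IOC domain from this page; the hex-like labels in front of it are invented to imitate tunneled data.
SAMPLE_LOG = """\
2017-11-01T10:00:01Z 10.0.0.5 www.example.com A
2017-11-01T10:00:02Z 10.0.0.5 mail.example.com A
2017-11-01T10:00:03Z 10.0.0.5 www.example.com A
2017-11-01T10:00:04Z 10.0.0.5 login.example.com A
2017-11-01T10:00:07Z 10.0.0.7 7c2e9a41f0d6b8537c2e9a41f0d6b8537c2e9a41.prosalar.com A
2017-11-01T10:00:08Z 10.0.0.7 3f8b1d6a9e0c74253f8b1d6a9e0c74253f8b1d6a.prosalar.com A
2017-11-01T10:00:09Z 10.0.0.7 b5a0e7c39f2d8641b5a0e7c39f2d8641b5a0e7c3.prosalar.com A
2017-11-01T10:00:10Z 10.0.0.7 e19d4f7a2c5b0863e19d4f7a2c5b0863e19d4f7a.prosalar.com A
"""

def shannon_entropy(text):
    """Bits per character: hex-encoded payloads sit near 4, ordinary words near 2-3."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname):
    """Crude split on the last two labels (use a public-suffix list in production)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname

def detect_dns_tunneling(log_text, min_queries=4, min_prefix_len=30,
                         min_entropy=3.5, min_unique_ratio=0.8):
    """Flag domains whose subdomain prefixes are long, high-entropy and rarely
    repeated: the profile of data smuggled through DNS names, not normal lookups."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        prefix = qname[: -len(dom)].rstrip(".")
        if prefix:
            per_domain[dom].append((client, prefix))
    findings = {}
    for dom, entries in per_domain.items():
        if len(entries) < min_queries:
            continue
        unique = {p for _, p in entries}
        avg_len = sum(len(p) for p in unique) / len(unique)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in unique) / len(unique)
        if (avg_len >= min_prefix_len and avg_ent >= min_entropy
                and len(unique) / len(entries) >= min_unique_ratio):
            findings[dom] = {"queries": len(entries), "unique_prefixes": len(unique),
                             "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                             "clients": sorted({c for c, _ in entries})}
    return findings
```

The thresholds are deliberately loose starting points; tune them against your own resolver logs, since CDNs and some security products also emit long, machine-generated labels.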
This appears to be a targeted operation rather than a broad campaign, focusing on specific organizations in the Middle East. However, the techniques could be reused against other sectors.