A known threat group, OilRig, sent phishing emails with malicious Excel files. If opened, these documents installed a custom backdoor called ALMA Communicator and a tool for stealing passwords.

Who was behind the attack?

The attackers are the OilRig group, which has a long history of targeting organizations in the Middle East, especially in sectors like energy and government.

What was the goal of this attack?

The main objectives were to establish ongoing remote access to victims’ systems, steal credentials, and exfiltrate sensitive data.

Evidence points to a public utilities company in the Middle East. This suggests a focus on critical infrastructure.

How did the attack work?

Attackers used an Excel document with hidden code. When victims enabled macros, the code built and ran additional malicious files. The backdoor communicated over DNS, making it harder to detect.

Why would attackers target public utilities?

Critical infrastructure often holds valuable data and plays a vital role in national security, making it attractive to state-sponsored attackers.

What should organizations do to protect themselves?

Organizations should block suspicious email attachments, disable macros, monitor DNS traffic, and deploy tools that detect known malicious behaviors like scheduled tasks and credential theft.

Is this attack widespread?

This appears to be a targeted operation rather than a broad campaign, focusing on specific organizations in the Middle East. However, the techniques could be reused against other sectors.

Threats Feed|OilRig|Last Updated 30/06/2025|AuthorCertfa Radar|Publish Date08/11/2017

OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Downloader,Dropper,Malicious Macro,Trojan,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/Low Probability

Threat Overview

The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.

Reference and Credit: Palo Alto Networks - November 2017

OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan

Detected Targets

Type	Description	Confidence
Sector	Utilities The attack targeted an individual at a public utilities company in the Middle East.	Verified

Extracted IOCs

prosalar[.]com
2d6f06d8ee0da16d2335f26eb18cd1f620c4db3e880efa6a5999eff53b12415c
2fc7810a316863a5a5076bf3078ac6fad246bc8773a5fb835e0993609e5bb62e
f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111

download

Tip: 4 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 3 file hash) to this threat have been found.

FAQs

Understanding the OilRig ALMA Communicator Attack

: A known threat group, OilRig, sent phishing emails with malicious Excel files. If opened, these documents installed a custom backdoor called ALMA Communicator and a tool for stealing passwords.
: The attackers are the OilRig group, which has a long history of targeting organizations in the Middle East, especially in sectors like energy and government.
: The main objectives were to establish ongoing remote access to victims’ systems, steal credentials, and exfiltrate sensitive data.
: Evidence points to a public utilities company in the Middle East. This suggests a focus on critical infrastructure.
: Attackers used an Excel document with hidden code. When victims enabled macros, the code built and ran additional malicious files. The backdoor communicated over DNS, making it harder to detect.
: Critical infrastructure often holds valuable data and plays a vital role in national security, making it attractive to state-sponsored attackers.
: Organizations should block suspicious email attachments, disable macros, monitor DNS traffic, and deploy tools that detect known malicious behaviors like scheduled tasks and credential theft.
: This appears to be a targeted operation rather than a broad campaign, focusing on specific organizations in the Middle East. However, the techniques could be reused against other sectors.

About Affiliation

OilRig

Associate threats