The prolific Iranian advanced persistent threat (APT) group OilRig repeatedly targeted a number of Israeli organizations throughout 2022 in cyberattacks notable for leveraging a series of custom downloaders that use legitimate Microsoft cloud services for attacker communications and data exfiltration.
OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus or Siamesekitten) deployed four specific new downloaders in the attacks, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, all developed within the last year, adding the tools to the group's already large arsenal of custom malware, ESET researchers revealed in a blog post published Dec. 14.
What sets these downloaders apart from other OilRig tools is their use of various legitimate cloud services, including Microsoft OneDrive, the Microsoft Graph OneDrive API, the Microsoft Graph Outlook API, and the Microsoft Office EWS API, for command-and-control (C2) communications and data exfiltration, the researchers said.
Attack targets so far have included a healthcare organization, a manufacturing company, a local governmental organization, and several other unidentified organizations, all in Israel and most of them previous targets of the APT.
The downloaders themselves are not particularly sophisticated, noted ESET researcher Zuzana Hromcová, who analyzed the malware together with ESET researcher Adam Burgher. However, there are other reasons that the group is evolving into a formidable adversary for targeted organizations, she said.
"The continuous development and testing of new variants, experimentation with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, make OilRig a group to watch out for," Hromcová said in a press statement.
OilRig has used these downloaders against only a limited number of targets, all of whom were persistently targeted months earlier by other tools employed by the group. Downloaders that leverage cloud services are an evasive tactic that lets the malware blend more easily into the regular stream of network traffic, which is likely the reason the APT uses them against repeat victims, according to ESET.
OilRig APT: An Evolving, Persistent Threat
OilRig is known to have been active since 2014 and primarily operates in the Middle East, targeting organizations in the region across a variety of industries, including but not limited to chemical, energy, financial, and telecommunications.
The group, which primarily deals in cyber espionage, was most recently tied to a supply chain attack in the UAE, but that is just one of many incidents to which it has been linked. In fact, last year OilRig's various activities spurred the sanctioning by the US government of Iran's intelligence arm, which is believed to sponsor OilRig.
ESET identified the APT as the perpetrator of the repeated attacks on Israeli organizations through the similarity between the downloaders and other OilRig tools that use email-based C2 protocols, specifically the MrPerfectionManager and PowerExchange backdoors.
OilRig appears to be a creature of habit, repeating the same attack pattern on several occasions, the researchers noted. For example, between June and August 2022, ESET detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel.
Later, ESET detected yet another SC5k version (v3) in the network of an Israeli healthcare organization, also a previous OilRig victim. The APT also deployed ODAgent in the network of a manufacturing company in Israel, which had previously been affected by both SC5k and OilCheck.
"OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks," the researchers warned.
ESET included a large list of indicators of compromise (IoCs) in the blog post, covering files, network activity, and techniques mapped to the MITRE ATT&CK framework, to help potential targets determine whether they might be compromised by the latest string of attacks.
Inside OilRig's Stealthy Backdoor Malware
All the downloaders are written in C++/.NET except OilBooster, which is written in Microsoft Visual C/C++. Each has its own separate functionality, and they behave with some key differences.
Common to all of them is the use of a shared email or cloud storage account to exchange messages with the OilRig operators, an account that can be used against multiple victims. The downloaders access this account to download commands and additional payloads staged by the operators, as well as to upload command output and staged files.
SC5k, which has several variants, was the first of the downloaders to appear on the scene (as early as November 2021) using legitimate cloud services. All the variants use the Microsoft Office EWS API to interact with a shared Exchange mail account as a way to download additional payloads and commands, as well as to upload data.
OilCheck, discovered in April 2022, also uses draft messages created in a shared email account for both directions of C2 communication. However, unlike SC5k, OilCheck uses the REST-based Microsoft Graph API to access a shared Microsoft 365 Outlook email account, not the SOAP-based Microsoft Office EWS API.
OilBooster also uses the Microsoft Graph API to connect to a Microsoft 365 account, but unlike OilCheck, it uses the API to interact with an attacker-controlled OneDrive account for C2 communication and exfiltration rather than an Outlook account, the researchers said. OilBooster's capabilities include downloading files from the remote server, executing files and shell commands, and exfiltrating the results.
ODAgent uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C2 communication and exfiltration and is believed to be a precursor of OilBooster, according to the researchers.
"Similar to OilBooster," they wrote, "ODAgent repeatedly connects to the shared OneDrive account and lists the contents of the victim-specific folder to obtain additional payloads and backdoor commands."
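Because all four downloaders poll the same legitimate Microsoft endpoints (EWS for SC5k, Graph Outlook for OilCheck, Graph OneDrive for OilBooster and ODAgent), one defensive angle is to look for processes other than the expected Office clients checking those endpoints at a steady interval. The script below is an added example, not ESET's code or anything from the report; the watched URL paths, the allowlist of expected client processes and the proxy log lines are all assumed or constructed for the demonstration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Cloud API families the page's downloaders use; which paths to watch is this example's assumption.
WATCHED = {
    "ews": re.compile(r"^https://outlook\.office365\.com/EWS/Exchange\.asmx", re.I),
    "graph_outlook": re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/mailFolders", re.I),
    "graph_onedrive": re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/drive", re.I),
}
EXPECTED_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe"}  # assumed allowlist of normal callers
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)$")

# Constructed proxy log ("<epoch> <host> <process> <url>"); not real traffic and not ESET's IoCs.
SAMPLE_LOG = """\
1702540800 ws-042 svchost.exe https://graph.microsoft.com/v1.0/me/drive/root:/host-042:/children
1702540860 ws-042 svchost.exe https://graph.microsoft.com/v1.0/me/drive/root:/host-042:/children
1702540920 ws-042 svchost.exe https://graph.microsoft.com/v1.0/me/drive/root:/host-042:/children
1702540805 ws-017 OUTLOOK.EXE https://outlook.office365.com/EWS/Exchange.asmx
1702540810 ws-099 updater.exe https://outlook.office365.com/EWS/Exchange.asmx
1702540871 ws-099 updater.exe https://outlook.office365.com/EWS/Exchange.asmx
1702540929 ws-099 updater.exe https://outlook.office365.com/EWS/Exchange.asmx
1702540800 ws-123 backup.exe https://graph.microsoft.com/v1.0/me/drive/root/children
1702540830 ws-123 backup.exe https://graph.microsoft.com/v1.0/me/drive/root/children
1702541900 ws-123 backup.exe https://graph.microsoft.com/v1.0/me/drive/root/children
"""

def classify(url):
    # Map a URL to a watched API family, or None if it is not one we track.
    for name, rx in WATCHED.items():
        if rx.search(url):
            return name
    return None

def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return (host, process, api, hits, mean_gap) for unexpected processes polling a watched
    API at a near-constant interval, the shape a periodic mailbox or folder check-in takes."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        api = classify(m["url"]) if m else None
        if api:
            buckets[(m["host"], m["proc"].lower(), api)].append(int(m["ts"]))
    findings = []
    for (host, proc, api), stamps in sorted(buckets.items()):
        if proc in EXPECTED_CLIENTS or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low jitter = regular polling
            findings.append((host, proc, api, len(stamps), avg))
    return findings
```

The backup.exe host is not flagged because its request gaps are irregular, while the two steady pollers from non-Office processes are; tune `max_jitter` and the allowlist to the environment before relying on it.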