Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders

December 14, 2023 | Newsroom | Malware / Cyber Espionage

Iran State Sponsored OilRig Group

The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain continuous access to victim organizations located in Israel.

The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also included the use of an updated version of a known OilRig downloader called SampleCheck5000 (or SC5k).

“These lightweight downloaders (…) are unique in using one of the many legitimate cloud service APIs for (command-and-control) communication and data exfiltration: the Microsoft Graph OneDrive or Outlook API, and the Microsoft Office Exchange Web Services (EWS) API,” security researchers Zuzana Hromcová and Adam Burgher said in a report shared by The Hacker News.

By using well-known cloud service providers for command-and-control communication, the goal is to blend in with legitimate network traffic and conceal the group’s attack infrastructure.

Some of the campaign targets include an organization in the health care sector, a manufacturing company, and a local government organization, among others. All the victims are said to have been targeted by the threat actor.



The exact initial access vector used to compromise the targets is currently unclear, and it is unknown whether the attackers were able to maintain their foothold in the networks in order to deploy these downloaders at different points in 2022.

OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group known to be active since 2014, using a wide range of malware at its disposal to target entities in the Middle East.


This year alone, the hacking crew has been observed using novel malware such as MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.


ODAgent, first spotted in February 2022, is a C#/.NET downloader that uses the Microsoft OneDrive API for command-and-control (C2) communications, allowing a threat actor to download and execute payloads, and exfiltrate staged files.

SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.

OilBooster, in the same way as ODAgent, uses the Microsoft OneDrive API for C2, while OilCheck adopts the same method as SampleCheck5000 to retrieve commands embedded in draft messages. But instead of using the EWS API, it uses the Microsoft Graph API for network communications.


OilBooster is also similar to OilCheck in that it uses the Microsoft Graph API to connect to a Microsoft Office 365 account. What is different this time is that the API is used to interact with a OneDrive account controlled by the actor, as opposed to an Outlook account, to fetch commands and payloads from victim-specific folders.

These tools also share similarities with the MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization’s Exchange Server is used to send messages to the attacker’s email account.

“In all cases, downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with OilRig operators; the same account is often shared by multiple victims,” the researchers explained.

“Downloaders access this account to download commands and additional payloads created by operators, and to upload command output and staged files.”
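Because this C2 traffic goes to legitimate Microsoft endpoints, blocking by destination is not practical; one defensive angle is to check which process on each host is calling the Graph OneDrive, Graph Outlook, or EWS APIs. The following is an added example, not code from the article or from ESET: the telemetry lines, host names, and process names are constructed, and the allowlist of expected client processes is an assumption to adapt per environment.

```python
import csv
import io
from collections import defaultdict

# Constructed telemetry (not from the article): time,host,process,dest_host,url_path
SAMPLE_LOG = """\
2022-02-10T08:01:00,WS-014,OUTLOOK.EXE,outlook.office365.com,/EWS/Exchange.asmx
2022-02-10T08:02:11,WS-014,OneDrive.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2022-02-10T08:05:40,SRV-03,updsvc.exe,graph.microsoft.com,/v1.0/me/drive/root/children
2022-02-10T08:35:41,SRV-03,updsvc.exe,graph.microsoft.com,/v1.0/me/drive/items/01ABC/content
2022-02-10T09:00:02,SRV-07,netmon.exe,graph.microsoft.com,/v1.0/me/mailFolders/drafts/messages
2022-02-10T09:10:15,SRV-09,hostsvc.exe,outlook.office365.com,/EWS/Exchange.asmx
2022-02-10T09:12:00,WS-020,chrome.exe,example.com,/index.html
"""

# Assumption: the only processes expected to call these APIs in this environment.
EXPECTED_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe"}

def classify_api(dest_host, url_path):
    """Return which of the cloud APIs named in the article a request targets, or None."""
    host, path = dest_host.lower(), url_path.lower()
    if host == "graph.microsoft.com":
        if "/drive" in path:
            return "Graph OneDrive"
        if "/messages" in path or "/mailfolders" in path:
            return "Graph Outlook"
        return "Graph other"
    if path.startswith("/ews/"):
        return "EWS"
    return None

def find_unexpected_clients(log_text, expected=EXPECTED_CLIENTS):
    """Group API calls made by processes outside the allowlist, per (host, process)."""
    hits = defaultdict(lambda: {"count": 0, "apis": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, host, process, dest_host, url_path = row
        api = classify_api(dest_host, url_path)
        if api and process.lower() not in expected:
            entry = hits[(host, process)]
            entry["count"] += 1
            entry["apis"].add(api)
    return {k: {"count": v["count"], "apis": sorted(v["apis"])} for k, v in hits.items()}

if __name__ == "__main__":
    for (host, process), info in find_unexpected_clients(SAMPLE_LOG).items():
        print(f"{host} {process}: {info['count']} call(s) to {', '.join(info['apis'])}")
```

A hit is a lead for triage rather than a verdict, since backup agents, sync tools, and in-house scripts also call these APIs and belong on the allowlist once verified.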
