OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
Name | Description
---|---
COBALT GYPSY |
IRN2 |
HELIX KITTEN |
APT34 | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.[7][6][10]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | OilRig has run
Enterprise | T1087.002 | Account Discovery: Domain Account | OilRig has run
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1071.004 | Application Layer Protocol: DNS | OilRig has used DNS for C2 including the publicly available
Enterprise | T1119 | Automated Collection |
Enterprise | T1110 | Brute Force | OilRig has used brute force techniques to obtain credentials.[11]
Enterprise | T1059 | Command and Scripting Interpreter | OilRig has used various types of scripting for execution.[6][13][14][7][15]
Enterprise | T1059.001 | PowerShell | OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[6][16][9]
Enterprise | T1059.003 | Windows Command Shell | OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[6][13][14][7][15] OilRig has used batch scripts.[6][13][14][7][15]
Enterprise | T1059.005 | Visual Basic | OilRig has used VBScript macros for execution on compromised hosts.[10]
Enterprise | T1555 | Credentials from Password Stores | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]
Enterprise | T1555.003 | Credentials from Web Browsers | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12] OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers.[12]
Enterprise | T1555.004 | Windows Credential Manager | OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[12]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[6][16][14][18]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | OilRig used the Plink utility and other tools to create tunnels to C2 servers.[11]
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.[4]
Enterprise | T1133 | External Remote Services | OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[11]
Enterprise | T1008 | Fallback Channels | OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[13]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | OilRig has deleted files associated with their payload after execution.[6][14]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1056.001 | Input Capture: Keylogging | OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[11][12]
Enterprise | T1036 | Masquerading | OilRig has used .doc file extensions to mask malicious executables.[10]
Enterprise | T1046 | Network Service Discovery | OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[11]
Enterprise | T1027 | Obfuscated Files or Information | OilRig has encrypted and encoded data in its malware, including by using base64.[6][7][5][9][15]
Enterprise | T1027.005 | Indicator Removal from Tools | OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[1][15]
Enterprise | T1137.004 | Office Application Startup: Outlook Home Page | OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.[19]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]
Enterprise | T1201 | Password Policy Discovery | OilRig has used net.exe in a script with
Enterprise | T1120 | Peripheral Device Discovery | OilRig has used tools to identify if a mouse is connected to a targeted system.[10]
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | OilRig has used
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | OilRig has used
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[14][7][9]
Enterprise | T1566.002 | Phishing: Spearphishing Link | OilRig has sent spearphishing emails with malicious links to potential victims.[14]
Enterprise | T1566.003 | Phishing: Spearphishing via Service |
Enterprise | T1057 | Process Discovery |
Enterprise | T1572 | Protocol Tunneling | OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[5][11][12]
Enterprise | T1012 | Query Registry | OilRig has used
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[5][11][18]
Enterprise | T1021.004 | Remote Services: SSH |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[14][7][12][10]
Enterprise | T1113 | Screen Capture | OilRig has a tool called CANDYKING to capture a screenshot of a user's desktop.[11]
Enterprise | T1505.003 | Server Software Component: Web Shell | OilRig has used web shells, often to maintain access to a victim network.[5][11][18]
Enterprise | T1218.001 | System Binary Proxy Execution: Compiled HTML File | OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[3]
Enterprise | T1082 | System Information Discovery | OilRig has run
Enterprise | T1016 | System Network Configuration Discovery |
Enterprise | T1049 | System Network Connections Discovery | OilRig has used
Enterprise | T1033 | System Owner/User Discovery |
Enterprise | T1007 | System Service Discovery | OilRig has used
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]
Enterprise | T1204.001 | User Execution: Malicious Link | OilRig has delivered malicious links to achieve execution on the target system.[14][7][9]
Enterprise | T1204.002 | User Execution: Malicious File | OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[14][7][9][10]
Enterprise | T1078 | Valid Accounts | OilRig has used compromised credentials to access other systems on a victim network.[5][11][18]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | OilRig has used macros to verify if a mouse is connected to a compromised machine.[10]
Enterprise | T1047 | Windows Management Instrumentation |