OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

ID: G0049
Associated Groups: COBALT GYPSY, IRN2, HELIX KITTEN, APT34
Contributors: Robert Falcone; Bryan Lee
Version: 3.0
Created: 14 December 2017
Last Modified: 21 April 2022

Associated Group Descriptions

Name Description
COBALT GYPSY

[8]

IRN2

[9]

HELIX KITTEN

[7][9]

APT34

This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. [7] [6][10]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[3]

.002 Account Discovery: Domain Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OilRig has used HTTP for C2.[5][11][12]

.004 Application Layer Protocol: DNS

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.[5][11][12][10]

Enterprise T1119 Automated Collection

OilRig has used automated collection.[5]

Enterprise T1110 Brute Force

OilRig has used brute force techniques to obtain credentials.[11]

Enterprise T1059 Command and Scripting Interpreter

OilRig has used various types of scripting for execution.[6][13][14][7][15]

.001 PowerShell

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[6][16][9]

.003 Windows Command Shell

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[6][13][14][7][15] OilRig has used batch scripts.[6][13][14][7][15]

.005 Visual Basic

OilRig has used VBSscipt macros for execution on compromised hosts.[10]

Enterprise T1555 Credentials from Password Stores

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]

.003 Credentials from Web Browsers

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12] OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.[12]

.004 Windows Credential Manager

OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[12]

Enterprise T1140 Deobfuscate/Decode Files or Information

A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[6][16][14][18]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

OilRig used the Plink utility and other tools to create tunnels to C2 servers.[11]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.[4]

Enterprise T1133 External Remote Services

OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[11]

Enterprise T1008 Fallback Channels

OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[13]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

OilRig has deleted files associated with their payload after execution.[6][14]

Enterprise T1105 Ingress Tool Transfer

OilRig can download remote files onto victims.[6]

Enterprise T1056 .001 Input Capture: Keylogging

OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[11][12]

Enterprise T1036 Masquerading

OilRig has used .doc file extensions to mask malicious executables.[10]

Enterprise T1046 Network Service Discovery

OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[11]

Enterprise T1027 Obfuscated Files or Information

OilRig has encrypted and encoded data in its malware, including by using base64.[6][7][5][9][15]

.005 Indicator Removal from Tools

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[1][15]

Enterprise T1137 .004 Office Application Startup: Outlook Home Page

OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.[19]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]

.004 OS Credential Dumping: LSA Secrets

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]

.005 OS Credential Dumping: Cached Domain Credentials

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]

Enterprise T1201 Password Policy Discovery

OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain.[20]

Enterprise T1120 Peripheral Device Discovery

OilRig has used tools to identify if a mouse is connected to a targeted system.[10]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OilRig has used net localgroup administrators to find local administrators on compromised systems.[3]

.002 Permission Groups Discovery: Domain Groups

OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[14][7][9]

.002 Phishing: Spearphishing Link

OilRig has sent spearphising emails with malicious links to potential victims.[14]

.003 Phishing: Spearphishing via Service

OilRig has used LinkedIn to send spearphishing links.[12]

Enterprise T1057 Process Discovery

OilRig has run tasklist on a victim's machine.[3]

Enterprise T1572 Protocol Tunneling

OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[5][11][12]

Enterprise T1012 Query Registry

OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[5][11][18]

.004 Remote Services: SSH

OilRig has used Putty to access compromised systems.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[14][7][12][10]

Enterprise T1113 Screen Capture

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.[11]

Enterprise T1505 .003 Server Software Component: Web Shell

OilRig has used web shells, often to maintain access to a victim network.[5][11][18]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[3]

Enterprise T1082 System Information Discovery

OilRig has run hostname and systeminfo on a victim.[3][4][12][10]

Enterprise T1016 System Network Configuration Discovery

OilRig has run ipconfig /all on a victim.[3][4]

Enterprise T1049 System Network Connections Discovery

OilRig has used netstat -an on a victim to get a listing of network connections.[3]

Enterprise T1033 System Owner/User Discovery

OilRig has run whoami on a victim.[3][4][10]

Enterprise T1007 System Service Discovery

OilRig has used sc query on a victim to gather information about services.[3]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[5][11][17][12]

Enterprise T1204 .001 User Execution: Malicious Link

OilRig has delivered malicious links to achieve execution on the target system.[14][7][9]

.002 User Execution: Malicious File

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[14][7][9][10]

Enterprise T1078 Valid Accounts

OilRig has used compromised credentials to access other systems on a victim network.[5][11][18]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OilRig has used macros to verify if a mouse is connected to a compromised machine.[10]

Enterprise T1047 Windows Management Instrumentation

OilRig has used WMI for execution.[11]

Software

ID Name References Techniques
S0360 BONDUPDATER [6] [21] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Dynamic Resolution: Domain Generation Algorithms, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task
S0160 certutil [6] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0095 ftp [4] Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0170 Helminth [3][11][9] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Data Transfer Size Limits, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0100 ipconfig [3] System Network Configuration Discovery
S0189 ISMInjector [16] Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task
S0349 LaZagne [17] Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [5][11][17] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [3][6] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [3][6] System Network Connections Discovery
S0264 OopsIE [14] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Archive Collected Data: Archive via Custom Method, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Windows Management Instrumentation
S0184 POWRUNER [6] Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, File and Directory Discovery, Ingress Tool Transfer, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0029 PsExec [11] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0269 QUADAGENT [7] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Fallback Channels, Indicator Removal on Host: File Deletion, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Query Registry, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery, System Owner/User Discovery
S0495 RDAT [22] Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Encoding: Non-Standard Encoding, Data Obfuscation, Data Obfuscation: Steganography, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Steganography, Screen Capture
S0075 Reg [3][6] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0258 RGDoor [23] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Server Software Component: IIS Components, System Owner/User Discovery
S0185 SEASHARPEE [11] Command and Scripting Interpreter: Windows Command Shell, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Server Software Component: Web Shell
S0610 SideTwist [10] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Native API, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096 Systeminfo [6] System Information Discovery
S0057 Tasklist [3][6] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References

  1. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  3. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  4. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  5. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  6. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  7. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  8. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
  9. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  10. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  11. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  12. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.