Prolific Iranian advanced persistent threat group (APT) OilRig has repeatedly targeted several Israeli organizations throughout 2022 in cyberattacks that were notable for leveraging a series of custom downloaders that use legitimate Microsoft cloud services to conduct attacker communications and exfiltrate data.
OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus or Siamesekitten) in the attacks deployed four new downloaders — SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster — that were developed in the last year, adding the tools to the group's already large arsenal of custom malware, ESET researchers revealed in a blog post published Dec. 14.
What sets these downloaders apart from other OilRig tools is that they use legitimate Microsoft cloud services — Microsoft OneDrive and Outlook accessed through the Microsoft Graph API, and Exchange accessed through the SOAP-based Exchange Web Services (EWS) API — for command-and-control (C2) communications and data exfiltration, the researchers said.
Attack targets so far have included a healthcare organization, a manufacturing company, a local governmental organization, and several other unidentified organizations, all in Israel and most of them previous targets for the APT.
The downloaders themselves are not particularly sophisticated, noted ESET researcher Zuzana Hromcová, who analyzed the malware along with ESET researcher Adam Burgher. However, she said, other traits make the group a formidable adversary for the organizations it targets.
“The continuous development and testing of new variants, experimentation with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, make OilRig a group to watch out for,” Hromcová said in a press statement.
OilRig has used these downloaders against only a limited number of targets, all of which had been persistently targeted months earlier by other tools employed by the group. Routing C2 through cloud services is an evasive tactic that lets the malware blend into the regular stream of traffic to Microsoft endpoints, which most organizations cannot block at the network perimeter — likely the reason the APT reserves them for repeat victims, according to ESET. For defenders, that shifts detection from the destination (which is legitimate) to the client: which process on the host is talking to Graph or EWS, and how often.
OilRig APT: An Evolving, Persistent Threat
OilRig is known to have been active since 2014, and primarily operates in the Middle East, targeting organizations in the region spanning a variety of industries, including but not limited to chemical, energy, financial, and telecommunications.
The group, which primarily deals in cyber espionage, was most recently tied to a supply chain attack in the UAE, but that's just one of many incidents to which it's been linked. In fact, last year OilRig's various activities contributed to the US government's sanctioning of Iran's Ministry of Intelligence and Security (MOIS), which is believed to sponsor the group.
ESET identified the APT as the perpetrator of the repeated attacks on Israeli organizations via the similarity between the downloaders and other OilRig tools that use email-based C2 protocols — namely, the MrPerfectionManager and PowerExchange backdoors.
OilRig appears to be a creature of habit, repeating the same attack pattern on multiple occasions, the researchers noted. For example, between June and August 2022, ESET detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel.
Later, ESET detected yet another SC5k version (v3) in the network of an Israeli healthcare organization, also a previous OilRig victim. The APT also deployed ODAgent in the network of a manufacturing company in Israel, which previously was affected by both SC5k and OilCheck.
“OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks,” the researchers warned.
ESET included a large list of indicators of compromise (IoCs) in the blog post — including file hashes, network indicators, and techniques mapped to the MITRE ATT&CK framework — to help potential targets determine whether they have been compromised by the latest string of attacks.
Inside OilRig’s Stealthy Backdoor Malware
All of the downloaders are written in C#/.NET except OilBooster, which is written in Microsoft Visual C/C++. Each has its own functionality, and they differ in some key ways.
Common to all of them is the use of a shared email or cloud storage account to exchange messages with the OilRig operators; the same account serves multiple victims, with victim-specific folders or messages keeping the channels apart. The downloaders access this account to fetch commands and additional payloads staged by the operators, and to upload command output and staged files.
SC5k, which has several variants, is the first of the downloaders to use legitimate cloud services, appearing as early as November 2021. All of its variants use the Microsoft Exchange Web Services (EWS) API to interact with a shared Exchange mail account, both to download additional payloads and commands and to upload data.
OilCheck, discovered in April 2022, likewise uses draft messages created in a shared email account for both directions of C2 communication. Unlike SC5k, however, OilCheck reaches a shared Microsoft 365 Outlook account through the REST-based Microsoft Graph API rather than the SOAP-based EWS API.
OilBooster also uses the Microsoft Graph API to connect to a Microsoft 365 account, but unlike OilCheck it uses the API to interact with an attacker-controlled OneDrive account, not an Outlook mailbox, for C2 communication and exfiltration, the researchers said. OilBooster's capabilities include downloading files from the shared OneDrive account, executing files and shell commands, and exfiltrating the results.
ODAgent uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C2 communication and exfiltration and is believed to be a precursor of OilBooster, according to the researchers.
“Similar to OilBooster,” they wrote, “ODAgent repeatedly connects to the shared OneDrive account and lists the contents of the victim-specific folder to obtain additional payloads and backdoor commands.”
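Because every endpoint these downloaders touch is a legitimate Microsoft service, the signal is not the destination but the client: an unexpected process repeatedly polling a Graph mailbox, drafts folder or OneDrive listing, and writing back to it, which is the two-way channel described above. The following hunting heuristic is an added example, not code from ESET or the Dark Reading article, and it illustrates the evasion point made earlier in the piece as well as the per-downloader behaviour just described. The Graph paths and EWS endpoint are the real Microsoft ones; the log format, the process allowlist, the polling threshold, the process names and the telemetry lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Microsoft endpoints the report names as C2 channels: Graph mail/OneDrive APIs and the EWS SOAP endpoint.
C2_CAPABLE_ENDPOINTS = (
    ("graph.microsoft.com", re.compile(r"^/v1\.0/(?:me|users/[^/]+)/(?:messages|mailFolders|drive)\b")),
    ("outlook.office365.com", re.compile(r"^/EWS/Exchange\.asmx$", re.IGNORECASE)),
    ("outlook.office.com", re.compile(r"^/EWS/Exchange\.asmx$", re.IGNORECASE)),
)

# Processes that legitimately talk to these endpoints on a managed Windows host. Assumption: tune per fleet.
EXPECTED_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# A single lookup is noise; the downloaders poll the shared account repeatedly. Assumption: 3 hits per window.
MIN_HITS = 3

# Assumed log shape: one HTTP request per line, as a hypothetical EDR/proxy integration might emit it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return the fields of one telemetry line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_c2_capable(dst, path):
    """True if the request targets a Graph mail/drive or EWS endpoint the downloaders are known to use."""
    return any(dst.lower() == host and pattern.match(path) for host, pattern in C2_CAPABLE_ENDPOINTS)


def find_suspicious(lines, min_hits=MIN_HITS):
    """Group C2-capable requests by (host, process, destination); report unexpected processes that poll.

    Returns a list of finding dicts sorted by hit count, highest first.
    """
    buckets = defaultdict(lambda: {"hits": 0, "methods": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_c2_capable(rec["dst"], rec["path"]):
            continue
        if rec["proc"].lower() in EXPECTED_CLIENTS:
            continue  # Outlook/OneDrive/browsers belong here; the signal is an unexpected client
        bucket = buckets[(rec["host"], rec["proc"].lower(), rec["dst"].lower())]
        bucket["hits"] += 1
        bucket["methods"].add(rec["method"])
        bucket["paths"].add(rec["path"])

    findings = []
    for (host, proc, dst), b in buckets.items():
        if b["hits"] < min_hits:
            continue
        findings.append({
            "host": host, "proc": proc, "dst": dst, "hits": b["hits"],
            "methods": sorted(b["methods"]), "paths": sorted(b["paths"]),
            # Reading and writing the same account matches the two-way draft/OneDrive channel.
            "bidirectional": "GET" in b["methods"] and bool(b["methods"] & {"POST", "PUT", "PATCH"}),
        })
    findings.sort(key=lambda f: f["hits"], reverse=True)
    return findings


# Constructed telemetry (not from any real incident): benign Outlook/OneDrive/browser traffic, a one-off
# PowerShell lookup, and one unknown process that polls a drafts folder and writes a message back.
SAMPLE_LOG = """\
2022-07-01T08:00:01Z host=WS01 proc=outlook.exe dst=outlook.office365.com method=POST path=/EWS/Exchange.asmx
2022-07-01T08:00:05Z host=WS01 proc=OneDrive.exe dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root/children
2022-07-01T08:01:00Z host=WS01 proc=updater.exe dst=graph.microsoft.com method=GET path=/v1.0/me/mailFolders/drafts/messages
2022-07-01T08:02:00Z host=WS01 proc=updater.exe dst=graph.microsoft.com method=GET path=/v1.0/me/mailFolders/drafts/messages
2022-07-01T08:02:04Z host=WS01 proc=updater.exe dst=graph.microsoft.com method=POST path=/v1.0/me/messages
2022-07-01T08:03:00Z host=WS01 proc=updater.exe dst=graph.microsoft.com method=GET path=/v1.0/me/mailFolders/drafts/messages
2022-07-01T08:03:10Z host=WS02 proc=powershell.exe dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root/children
2022-07-01T08:05:00Z host=WS02 proc=msedge.exe dst=graph.microsoft.com method=GET path=/v1.0/me/messages
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} {f['proc']} -> {f['dst']}: {f['hits']} requests, "
              f"methods={f['methods']}, bidirectional={f['bidirectional']}")
```

On the constructed sample only `updater.exe` on WS01 is reported (four requests, reads and a write); the single PowerShell lookup stays below the threshold unless `min_hits` is lowered, and the Outlook, OneDrive and Edge traffic is filtered by the allowlist. In a real deployment the allowlist should be built from your own baseline, the threshold tuned to the polling interval observed in your telemetry, and the finding enriched with the process's image path and signer, since the report's point is that an unsigned or oddly located binary talking to these endpoints is the anomaly, not the endpoints themselves.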
Source: www.darkreading.com