BlackOasis is a prominent threat actor known for malicious operations carried out primarily through zero-day exploits. The cybersecurity industry first became aware of BlackOasis' activities in May 2016 while investigating an Adobe Flash zero-day. Notably, this group has repeatedly used zero-days in the past, including CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. Furthermore, they were found to be using the Ole2Link zero-day exploit in the wild. Since the discovery of BlackOasis' exploitation network, several dozen new attacks have been tracked with the aim of better understanding their operations.
The group is believed to be a customer of Gamma Group and uses the popular 'lawful surveillance' kit FinSpy. BlackOasis' activities are primarily linked to cyber espionage, with a particular focus on targets connected to Saudi Arabia either economically, from a national security perspective, or due to established policy agreements. Analysis of the payload used in their attacks has allowed researchers to confidently link these activities to BlackOasis. Their espionage campaign includes non-traditional targets, indicating a reach beyond lawful surveillance boundaries.
Kaspersky's research notes that BlackOasis hacked into computers based in Saudi Arabia and other countries with ties to it, including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Iran, the Netherlands, Bahrain, the United Kingdom, and Angola. In 2016, there was a heavy interest in Angola, specifically targeting entities suspected of ties to oil, money laundering, and other illicit activities. The group also showed interest in international activists and think tanks. An advanced persistent threat group, codenamed Neodymium by Microsoft, is closely associated with BlackOasis' operations. The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015.
Description last updated: 2024-05-04T21:08:21.077Z