OilRig

Threat Actor updated 4 months ago (2024-05-13T16:17:31.481Z)
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as DarkHydrus, xHunt, SUNBURST, Decoy Dog and, notably, its eponymous OilRig campaign. These campaigns have employed advanced techniques such as DNS tunneling for command and control (C2) communications, abuse of legitimate cloud services as C&C channels, and novel C2 channels that rely on steganography. The OilRig campaign began testing the ClaySlide delivery documents on November 15, 2016.

As part of their modus operandi, OilRig operators use downloaders such as SampleCheck5000 (SC5k), OilBooster, ODAgent, and OilCheck that rely on attacker-controlled cloud service accounts rather than the victim's internal infrastructure. These downloaders bear similarities to other backdoors in OilRig's toolkit, such as MrPerfectionManager and PowerExchange, which also use email-based C&C protocols. For instance, SC5k, a C#/.NET application, reports results to the OilRig operators by creating a new email message on the Exchange server and saving it as a draft, so that no message is ever sent and the traffic blends in with normal mailbox activity. Previous research indicates that IT service providers may have been used as pivot points to reach end-target clients in some OilRig APT activities.

The group has been active alongside other prominent threat actors such as Lazarus Group, Kimsuky, APT28, APT29, and Andariel. Furthermore, OilRig has shown a propensity to return to previous victims, as evidenced by the detection of an SC5k version (v3) within the network of an Israeli healthcare organization, a known past target of OilRig. This persistence underscores the importance of ongoing vigilance and advanced threat detection mechanisms in cybersecurity defense strategies.
Description last updated: 2024-05-13T15:19:07.675Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
APT34 | 4 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
MuddyWater | 3 | MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Siamesekitten | 3 | Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated
Crambus | 3 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
SUNBURST | 2 | Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
Lyceum | 2 | Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
COBALT GYPSY | 2 | Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
Helix Kitten | 2 | Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Outlook
DNS
Phishing
Windows
Ransomware
Tunneling
Microsoft
Downloader
Wiper
Exploit
Payload
Espionage
Iran
Associated Malware
ID | Type | Votes | Profile Description
Sc5k | Unspecified | 3 | SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for
Shark | Unspecified | 2 | Shark is a malicious software (malware) developed and deployed by the cybercriminal group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying Shark, along with Milan and Marlin backdoors as mentioned in the T3 2021 issue of the ESET Threat Report. The malware was designed to expl
Marlin | Unspecified | 2 | Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data
Samplecheck5000 | Unspecified | 2 | SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) commun
SideTwist | Unspecified | 2 | SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i
DanBot | Unspecified | 2 | DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware
Associated Threat Actors
ID | Type | Votes | Profile Description
Scarred Manticore | Unspecified | 4 | Scarred Manticore is a threat actor known for its malicious cyber activities, which have been observed in Albania in 2022 and Israel from 2023 to 2024. The group uses sophisticated techniques including a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated similarly
Turla | Unspecified | 3 | Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
DarkHydrus | is related to | 2 | DarkHydrus is a notable threat actor known for executing malicious activities. The group has been associated with several well-known campaigns including DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog. These campaigns have leveraged DNS tunneling for Command and Control (C2) communications, a tec
Elfin | Unspecified | 2 | Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Samplecheck5000 Sc5k | Unspecified | 2 | SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated c
Source Document References
Information about the OilRig threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
ESET | 4 months ago | ESET APT Activity Report Q4 2023–Q1 2024
Unit42 | 4 months ago | Leveraging DNS Tunneling for Tracking and Scanning
DARKReading | 4 months ago | 'The Mask' Espionage Group Resurfaces After 10-Year Hiatus
Securelist | 4 months ago | APT trends report Q1 2024 – Securelist
Fortinet | 4 months ago | Key Findings from the 2H 2023 FortiGuard Labs Threat Report | FortiGuard Labs
DARKReading | 5 months ago | Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
CERT-EU | 9 months ago | New OilRig Downloaders Abusing Microsoft Cloud APIs for C&C Communications
DARKReading | 9 months ago | Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
ESET | 9 months ago | OilRig's persistent attacks using cloud service-powered downloaders
DARKReading | 9 months ago | Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU | 10 months ago | Cyber Security Week In Review: November 3, 2023
BankInfoSecurity | 10 months ago | Breach Roundup: Canada Bans WeChat and Kaspersky Apps
CERT-EU | 10 months ago | Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
DARKReading | 10 months ago | 'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet
CERT-EU | 10 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU | 10 months ago | Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
CERT-EU | 10 months ago | Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East
CERT-EU | 10 months ago | From Albania to the Middle East: The Scarred Manticore is listening - Cyber Security Review
InfoSecurity-magazine | 10 months ago | Scarred Manticore Targets Middle East With Advanced Malware
Checkpoint | 10 months ago | From Albania to the Middle East: The Scarred Manticore is Listening - Check Point Research