OilRig

Threat Actor Profile Updated 2 months ago
OilRig is a well-known threat actor, notorious for sophisticated attacks on targets including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. The group has been linked to several high-profile campaigns, such as DarkHydrus, xHunt, SUNBURST, Decoy Dog and, notably, its eponymous OilRig campaign. These campaigns have employed advanced techniques such as DNS tunneling for command-and-control (C2) communications, abuse of legitimate cloud services as C2 channels, and novel C2 channels that incorporate steganography. The OilRig campaign began testing the ClaySlide delivery documents on November 15, 2016. As part of their modus operandi, OilRig operators use downloaders such as SampleCheck5000 (SC5k), OilBooster, ODAgent and OilCheck, which communicate through attacker-controlled cloud service accounts rather than through the victim's internal infrastructure. These downloaders resemble other backdoors in OilRig's toolkit, such as MrPerfectionManager and PowerExchange, which also use email-based C2 protocols. For instance, SC5k, a C#/.NET application, reports results to the OilRig operators by creating a new email message on the Exchange server and saving it as a draft rather than sending it, thereby avoiding detection. Previous research indicates that IT service providers may have been used as pivot points to reach end-target clients in some OilRig APT activity. The group has been active alongside other prominent threat actors such as Lazarus Group, Kimsuky, APT28, APT29 and Andariel. OilRig has also shown a propensity to return to previous victims: an SC5k version (v3) was detected in the network of an Israeli healthcare organization that was a known past target. This persistence underscores the importance of ongoing vigilance and advanced threat detection mechanisms in defensive strategies.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT34 | 4 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
MuddyWater | 3 | MuddyWater is a recognized threat actor in the cybersecurity landscape, known for its malicious activities and sophisticated hacking techniques. This group employs a range of tools and methods to execute their attacks, including the use of PowerShell for execution and HTTP for Command and Control (C
Siamesekitten | 3 | Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated
Crambus | 3 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
COBALT GYPSY | 2 | Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
Helix Kitten | 2 | Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
Lyceum | 2 | Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
SUNBURST | 2 | Sunburst is a highly sophisticated malware that infiltrated the SolarWinds Orion platform, an event that came to light in late 2020. The malware was embedded into the system as early as January 2019, evading detection for almost two years. The campaign was attributed to Russia's Foreign Intelligence
Crumbus | 1 | None
Seedworm | 1 | Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
xHunt | 1 | The xHunt campaign is a series of related cyber activities with a unified goal, similar to other well-known campaigns such as DarkHydrus, OilRig, SUNBURST, and Decoy Dog. These campaigns are known for their use of DNS tunneling for command and control (C2) communications, a method which allows data
ISMInjector | 1 | ISMInjector is a type of malware, specifically a Trojan, known for injecting a Trojan into another process. It was used in a targeted attack on a Saudi Arabian technology company, delivering a variant of the ISMAgent backdoor as its payload. This attack was detailed in a blog by Palo Alto Networks,
Helminth | 1 | Helminth is a malicious software (malware) used by an adversary group, often referred to as OilRig, APT34, or IRN2, to target high-value companies and organizations worldwide. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once ins
Decoy Dog | 1 | Decoy Dog is a notorious malware that utilizes DNS tunneling for Command and Control (C2) operations, similar to well-known campaigns like DarkHydrus, OilRig, xHunt, and SUNBURST. This malware uses the underlying tunneling tool Pupy, which applies the character '9' as padding when encoding data. Fir
Menorah | 1 | The Menorah malware, a novel and malicious software, was discovered in October 2023 as part of a cyberespionage operation conducted by Iranian advanced persistent threat (APT) group, OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy
Hazel Sandstorm | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Outlook
DNS
Phishing
Ransomware
Espionage
Microsoft
Windows
Downloader
Wiper
Iran
Exploit
Payload
PowerShell
Encrypt
Antivirus
Iis
Firefox
Chrome
Github
Cloudzy
Eset
Gbhackers
xHunt
Trojan
State Sponso...
Dropper
iranian
Spearphishing
Associated Malware
ID | Type | Votes | Profile Description
Sc5k | Unspecified | 3 | SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for
SideTwist | Unspecified | 2 | SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i
DanBot | Unspecified | 2 | DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware
Shark | Unspecified | 2 | Shark is a type of malware, or malicious software, that was deployed by the cyber group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as highlighted in the T3 2021 issue of the ESET Threat Report. This harmful program can infiltrate s
Marlin | Unspecified | 2 | Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data
Samplecheck5000 | Unspecified | 2 | SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) commun
CreepySnail | Unspecified | 1 | CreepySnail is a malware that can infect a computer or device through suspicious downloads, emails or websites, and steal personal information or disrupt operations. CreepySnail utilizes Base64-encoded parameters to transmit information from the victim to the threat actor. It also uses static URI pa
BONDUPDATER | Unspecified | 1 | BondUpdater is a malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allo
MechaFlounder | Unspecified | 1 | MechaFlounder is a malicious software, or malware, believed to be used by the Chafer group as a secondary payload that is downloaded from a first-stage payload to execute post-exploitation activities on compromised hosts. The malware begins its operation by entering a continuous communication loop w
RogueRobin | Unspecified | 1 | RogueRobin is a malicious software (malware) that was originally identified as a PowerShell-based payload associated with the DarkHydrus cybercriminal group. Our initial analysis unveiled its stealthy infiltration capabilities, often entering systems through suspicious downloads, emails, or websites
QUADAGENT | Unspecified | 1 | In July 2018, a series of cyber-attacks orchestrated by the OilRig group targeted a Middle Eastern government agency, delivering a harmful tool known as QUADAGENT. This malware is a PowerShell backdoor attributed to the OilRig group by both ClearSky Cyber Security and FireEye. The attacks were execu
OopsIE | Unspecified | 1 | OopsIE is a sophisticated malware variant that has been utilized in cyber-attack campaigns against various organizations, including government agencies. The Trojan initiates its execution by conducting a series of anti-VM and sandbox checks, aiming to evade detection by security systems. It further
RDAT | Unspecified | 1 | RDAT is a malicious software (malware) that has been under active development since 2017. It was first observed in the operations of OilRig, an advanced persistent threat group known for its attacks on Middle Eastern organizations. The malware was initially spotted when it was uploaded to a webshell
PS1 | Unspecified | 1 | PS1 is a form of malware, similar to a VBS file, designed to exploit and damage computers or devices. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data ho
Milan | Unspecified | 1 | Milan is a type of malware that was part of an array of backdoors deployed by the cyber threat group OilRig in 2021. Other backdoors used by this group include Shark, DanBot, and Marlin. The Milan malware, like other backdoors used by OilRig, employs simple upload and download schemes for communicat
Zerocleare | Unspecified | 1 | ZeroCleare is a type of malware, specifically a wiper, known for its destructive capabilities. It targets computer systems and networks, rendering them unusable by deleting critical files and data. This malicious software has been linked to several actors associated with Iran's Ministry of Intellige
Threedollars | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Scarred Manticore | Unspecified | 4 | Scarred Manticore is a threat actor known for its malicious cyber activities, which have been observed in Albania in 2022 and Israel from 2023 to 2024. The group uses sophisticated techniques including a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated similarly
Turla | Unspecified | 3 | Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
DarkHydrus | is related to | 2 | DarkHydrus is a notable threat actor known for executing malicious activities. The group has been associated with several well-known campaigns including DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog. These campaigns have leveraged DNS tunneling for Command and Control (C2) communications, a tec
Elfin | Unspecified | 2 | Elfin, also known by various names including Curious Serpens, Peach Sandstorm, APT33, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a significant threat actor with a track record of malicious cyber activities dating back to at least 2013. The group has been particularly active from 2016 to 2019, target
Turla Group | Unspecified | 1 | The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissa
Molerats | Unspecified | 1 | Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint’s TA402 designation. Among 16 Adv
Bahamut | Unspecified | 1 | Bahamut is a threat actor group known for its sophisticated cyber-espionage operations, targeting primarily South Asia. Meta's Adversarial Threat Report from the first quarter of 2023 identified Bahamut as one of three major groups involved in cyber espionage operations in the region, alongside Patc
HEXANE | Unspecified | 1 | Hexane is a threat actor originating from the Middle East and Africa (MEA) region, involved in malicious cyber activities with the intent of espionage. The group has been active since at least 2019, showing similarities to other activity groups like MAGNALLIUM and CHRYSENE. Hexane primarily targets
POLONIUM | Unspecified | 1 | Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors
Chafer | Unspecified | 1 | Chafer, also known as APT39 or Helix Kitten, is an Advanced Persistent Threat (APT) actor linked to Iran and has been actively tracked by cybersecurity firms such as Symantec and FireEye for over four years. Chafer's activities primarily involve utilizing open-source tools to target entities perceiv
APT33 | Unspecified | 1 | APT33, an Iran-linked threat actor, has been identified as a significant cyber threat to the Defense Industrial Base sector. The group is known for its sophisticated and malicious activities, which primarily involve executing actions with harmful intent. APT33, like other threat actors, could be a s
Charming Kitten | Unspecified | 1 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group also known as ITG18, Phosphorous, and TA453, is a notable threat actor in the cybersecurity landscape. The group has exhibited significant sophistication in its operations, leveraging advanced social engineering techniques to comprom
APT39 | Unspecified | 1 | APT39, attributed to Iran, is a global threat actor with a concentration of activities in the Middle East. The group primarily targets the telecommunications sector, alongside the travel industry, IT firms supporting these sectors, and the high-tech industry. They employ spearphishing attacks with m
Lazarus Group | Unspecified | 1 | The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led
Kimsuky | Unspecified | 1 | Kimsuky, a threat actor linked to North Korea, has been identified as the perpetrator behind a series of advanced persistent threat (APT) attacks. The group is known for its malicious activities, which typically involve cyber espionage and targeted attacks on high-profile entities. Recently, Kimsuky
Ballistic Bobcat | Unspecified | 1 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Samplecheck5000 Sc5k | Unspecified | 2 | SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated c
CVE-2017-0199 | Unspecified | 1 | CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin
Oilrig (Apt34 | Unspecified | 1 | None
Oilbooster | Unspecified | 1 | None
Source Document References
Information about the OilRig threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created at | Title
ESET | 2 months ago | ESET APT Activity Report Q4 2023–Q1 2024
Unit42 | 2 months ago | Leveraging DNS Tunneling for Tracking and Scanning
DARKReading | 2 months ago | 'The Mask' Espionage Group Resurfaces After 10-Year Hiatus
Securelist | 2 months ago | APT trends report Q1 2024 – Securelist
Fortinet | 2 months ago | Key Findings from the 2H 2023 FortiGuard Labs Threat Report | FortiGuard Labs
DARKReading | 4 months ago | Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
CERT-EU | 7 months ago | New OilRig Downloaders Abusing Microsoft Cloud APIs for C&C Communications
DARKReading | 7 months ago | Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
ESET | 7 months ago | OilRig’s persistent attacks using cloud service-powered downloaders
DARKReading | 7 months ago | Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU | 8 months ago | Cyber Security Week In Review: November 3, 2023
BankInfoSecurity | 8 months ago | Breach Roundup: Canada Bans WeChat and Kaspersky Apps
CERT-EU | 8 months ago | Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
DARKReading | 8 months ago | 'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet
CERT-EU | 8 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU | 8 months ago | Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
CERT-EU | 8 months ago | Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East
CERT-EU | 8 months ago | From Albania to the Middle East: The Scarred Manticore is listening - Cyber Security Review
InfoSecurity-magazine | 8 months ago | Scarred Manticore Targets Middle East With Advanced Malware
Checkpoint | 8 months ago | From Albania to the Middle East: The Scarred Manticore is Listening - Check Point Research