OilRig

Threat Actor updated a month ago (2024-10-22T18:01:02.160Z)

Download STIX

Preview STIX

OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of their notable techniques is the use of DNS tunneling for command and control (C2) communications, which has been employed in several prominent campaigns such as SUNBURST, DarkHydrus, xHunt, and Decoy Dog. This method allows them to communicate between infected hosts and their C2 servers covertly. On November 15, 2016, an actor related to the OilRig campaign began testing the ClaySlide delivery documents, marking a significant point in their operational timeline. Their activities have been closely monitored by cybersecurity firms like Trend Micro and Palo Alto Networks' Unit 42. In addition to DNS tunneling, OilRig has also utilized novel C2 channels with steganography, further enhancing their stealth capabilities and making detection more challenging for cybersecurity defenses. Recently, there has been a noted downturn in OilRig's activities, suggesting a possible strategic shift towards more noticeable, "louder" operations. Despite this, they continue to pose a significant threat, especially to targets within Israel's critical infrastructure sector. Alongside other notorious groups like North Korea's Kimsuky group and UNC1860, OilRig remains a key player in the landscape of cyber threats.

Description last updated: 2024-10-22T17:43:53.282Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT34 is a possible alias for OilRig. APT34, a threat actor suspected to be linked to Iran, has been operational since at least 2014 and is involved in long-term cyber espionage operations largely focused on reconnaissance efforts. The group targets a variety of sectors including financial, government, energy, chemical, and telecommunic	5
MuddyWater is a possible alias for OilRig. MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group	3
Siamesekitten is a possible alias for OilRig. Siamesekitten, also known as OilRig, APT34, Lyceum, Crambus, is a cyberespionage group believed to be based in Iran. Active since at least 2014, the group has been implicated in various hacking activities with malicious intent. Siamesekitten's operations have been linked to numerous other threat gro	3
Crambus is a possible alias for OilRig. The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network	3
SUNBURST is a possible alias for OilRig. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user	2
Lyceum is a possible alias for OilRig. Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc	2
COBALT GYPSY is a possible alias for OilRig. Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services	2
Helix Kitten is a possible alias for OilRig. Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Backdoor

Phishing

Outlook

DNS

Windows

Ransomware

Tunneling

Microsoft

Downloader

Wiper

Exploit

Payload

Espionage

Iran

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Sc5k Malware is associated with OilRig. SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for	Unspecified	3
The Shark Malware is associated with OilRig. Shark is a malicious software (malware) deployed by the cyber threat group known as OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying multiple new backdoors including Shark, Milan, and Marlin, as reported in the T3 2021 issue of the ESET Threat Report. This malware can infiltra	Unspecified	2
The Marlin Malware is associated with OilRig. Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data	Unspecified	2
The Samplecheck5000 Malware is associated with OilRig. SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) commun	Unspecified	2
The SideTwist Malware is associated with OilRig. SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i	Unspecified	2
The DanBot Malware is associated with OilRig. DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Scarred Manticore Threat Actor is associated with OilRig. Scarred Manticore, also known as Storm-861, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This group has been implicated in high-level espionage activities targeting organizations across the Middle East and beyond. The group's operations have been	Unspecified	5
The Turla Threat Actor is associated with OilRig. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	3
The DarkHydrus Threat Actor is associated with OilRig. DarkHydrus, an Iranian threat group also known as Obscure Serpens, is a significant cybersecurity concern. Notable for its malicious activities, DarkHydrus has targeted government agencies and educational institutions in the Middle East since 2016, employing sophisticated techniques such as DNS tunn	is related to	2
The Elfin Threat Actor is associated with OilRig. Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Samplecheck5000 Sc5k Vulnerability is associated with OilRig. SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated c	Unspecified	2

Source Document References

Information about the OilRig Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Trend Micro	a month ago	Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East
Unit42	2 months ago	No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection
DARKReading	2 months ago	Meet UNC1860: Iran's Low-Key Access Broker for State Hackers
ESET	6 months ago	ESET APT Activity Report Q4 2023–Q1 2024
Unit42	6 months ago	Leveraging DNS Tunneling for Tracking and Scanning
DARKReading	6 months ago	'The Mask' Espionage Group Resurfaces After 10-Year Hiatus
Securelist	7 months ago	APT trends report Q1 2024 – Securelist
Fortinet	7 months ago	Key Findings from the 2H 2023 FortiGuard Labs Threat Report \| FortiGuard Labs
DARKReading	8 months ago	Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
CERT-EU	a year ago	New OilRig Downloaders Abusing Microsoft Cloud APIs for C&C Communications
DARKReading	a year ago	Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
ESET	a year ago	OilRig’s persistent attacks using cloud service-powered downloaders
DARKReading	a year ago	Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU	a year ago	Cyber Security Week In Review: November 3, 2023
BankInfoSecurity	a year ago	Breach Roundup: Canada Bans WeChat and Kaspersky Apps
CERT-EU	a year ago	Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
DARKReading	a year ago	'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet
CERT-EU	a year ago	Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU	a year ago	Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
CERT-EU	a year ago	Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East