OilRig

Threat Actor updated a month ago (2024-11-29T13:59:24.110Z)
Download STIX
Preview STIX
OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of their notable techniques is the use of DNS tunneling for command and control (C2) communications, which has been employed in several prominent campaigns such as SUNBURST, DarkHydrus, xHunt, and Decoy Dog. This method allows them to communicate between infected hosts and their C2 servers covertly. On November 15, 2016, an actor related to the OilRig campaign began testing the ClaySlide delivery documents, marking a significant point in their operational timeline. Their activities have been closely monitored by cybersecurity firms like Trend Micro and Palo Alto Networks' Unit 42. In addition to DNS tunneling, OilRig has also utilized novel C2 channels with steganography, further enhancing their stealth capabilities and making detection more challenging for cybersecurity defenses. Recently, there has been a noted downturn in OilRig's activities, suggesting a possible strategic shift towards more noticeable, "louder" operations. Despite this, they continue to pose a significant threat, especially to targets within Israel's critical infrastructure sector. Alongside other notorious groups like North Korea's Kimsuky group and UNC1860, OilRig remains a key player in the landscape of cyber threats.
Description last updated: 2024-10-22T17:43:53.282Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT34 is a possible alias for OilRig. APT34, a threat actor suspected to be linked to Iran, has been operational since at least 2014 and is involved in long-term cyber espionage operations largely focused on reconnaissance efforts. The group targets a variety of sectors including financial, government, energy, chemical, and telecommunic
5
MuddyWater is a possible alias for OilRig. MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal
3
Siamesekitten is a possible alias for OilRig. Siamesekitten, also known as OilRig, APT34, Lyceum, Crambus, is a cyberespionage group believed to be based in Iran. Active since at least 2014, the group has been implicated in various hacking activities with malicious intent. Siamesekitten's operations have been linked to numerous other threat gro
3
Crambus is a possible alias for OilRig. The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
3
SUNBURST is a possible alias for OilRig. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user
2
Lyceum is a possible alias for OilRig. Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
2
COBALT GYPSY is a possible alias for OilRig. Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
2
Helix Kitten is a possible alias for OilRig. Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Phishing
Outlook
DNS
Windows
Ransomware
Tunneling
Microsoft
Downloader
Wiper
Exploit
Payload
Espionage
Iran
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sc5k Malware is associated with OilRig. SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools forUnspecified
3
The Shark Malware is associated with OilRig. Shark is a malicious software (malware) deployed by the cyber threat group known as OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying multiple new backdoors including Shark, Milan, and Marlin, as reported in the T3 2021 issue of the ESET Threat Report. This malware can infiltraUnspecified
2
The Marlin Malware is associated with OilRig. Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold dataUnspecified
2
The Samplecheck5000 Malware is associated with OilRig. SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) communUnspecified
2
The SideTwist Malware is associated with OilRig. SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via iUnspecified
2
The DanBot Malware is associated with OilRig. DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malwareUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Scarred Manticore Threat Actor is associated with OilRig. Scarred Manticore, also known as Storm-861, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This group has been implicated in high-level espionage activities targeting organizations across the Middle East and beyond. The group's operations have been Unspecified
5
The Turla Threat Actor is associated with OilRig. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
3
The DarkHydrus Threat Actor is associated with OilRig. DarkHydrus, an Iranian threat group also known as Obscure Serpens, is a significant cybersecurity concern. Notable for its malicious activities, DarkHydrus has targeted government agencies and educational institutions in the Middle East since 2016, employing sophisticated techniques such as DNS tunnis related to
2
The Elfin Threat Actor is associated with OilRig. Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Samplecheck5000 Sc5k Vulnerability is associated with OilRig. SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated cUnspecified
2
Source Document References
Information about the OilRig Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Trend Micro
2 months ago
Unit42
3 months ago
DARKReading
3 months ago
ESET
7 months ago
Unit42
7 months ago
DARKReading
8 months ago
Securelist
8 months ago
Fortinet
8 months ago
DARKReading
9 months ago
CERT-EU
a year ago
DARKReading
a year ago
ESET
a year ago
DARKReading
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago