SampleCheck5000 (SC5k)

Malware profile (downloader). Updated 3 months ago
SampleCheck5000 (SC5k) is a downloader, not a software vulnerability: a lightweight piece of malware used by the threat group OilRig, also tracked as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus and Siamesekitten. The group is assessed to operate on behalf of Iran and is known for long-running espionage campaigns.

In its most recent activity OilRig deployed four new downloaders: SC5k (in three versions, v1 to v3), ODAgent, OilCheck and OilBooster. What sets them apart is the command-and-control (C&C) channel. Instead of attacker-owned servers they talk to legitimate Microsoft cloud services, using the Microsoft Graph OneDrive and Outlook APIs and the Microsoft Office Exchange Web Services (EWS) API, so tasking and exfiltrated data blend in with ordinary Office 365 traffic. SC5k itself uses the EWS API, exchanging commands and results through an Exchange mailbox the operators control.

Post-compromise, OilRig combines these downloaders with browser-data dumpers and Windows Credential Manager stealers. ESET had previously seen the same post-compromise toolset deployed alongside the group's Solar backdoor and its successor, Mango, which shows the implants evolving incrementally rather than being rebuilt from scratch.

The downloaders were introduced over the past year and add to an already substantial arsenal of custom malware. ESET researchers described them in a blog post published on December 14, 2023 (listed under Source Document References below). For defenders the practical takeaway is that traffic from unexpected processes to EWS and Microsoft Graph endpoints is a detection opportunity rather than background noise, and that it should be paired with monitoring for credential theft on Windows hosts.
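A hunt over proxy or EDR telemetry is the practical follow-up to the C&C description above. The Python below is an added example, not ESET's tooling and not code from the OilRig samples. It assumes a constructed CSV export with the columns ts, process, url and user_agent, an allowlist of processes that are expected to reach Exchange and Graph, and the standard EWS (/EWS/Exchange.asmx) and Microsoft Graph (/v1.0/me/drive, /v1.0/me/messages, /v1.0/me/mailfolders) paths. It flags those endpoints when reached by an unlisted process and reports whether the requests arrive on a fixed cadence, which is what a polling downloader looks like in the logs.

```python
"""Hunt for Exchange/Graph API traffic from processes that should not be using it.

Added example (not ESET's or OilRig's code). Assumes a constructed proxy/EDR
export with the columns ts, process, url, user_agent; real products use
their own schemas.
"""
import csv
import io
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Endpoints the downloaders are reported to use for C&C: the EWS SOAP
# endpoint and the Microsoft Graph mail and OneDrive resources.
WATCHED_PATHS = {
    "outlook.office365.com": ("/ews/exchange.asmx",),
    "graph.microsoft.com": ("/v1.0/me/drive", "/v1.0/me/messages", "/v1.0/me/mailfolders"),
}

# Processes legitimately expected to reach those endpoints (assumption; tune per estate).
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "teams.exe", "ms-teams.exe"}

# Constructed sample log: a normal Outlook/OneDrive session, an unknown process
# polling EWS every five minutes, one upload to OneDrive from an unknown
# process, and unrelated browsing.
SAMPLE_LOG = """\
ts,process,url,user_agent
2023-12-01T08:00:01Z,OUTLOOK.EXE,https://outlook.office365.com/EWS/Exchange.asmx,Microsoft Office/16.0
2023-12-01T08:00:13Z,dllhost.exe,https://outlook.office365.com/EWS/Exchange.asmx,ExchangeServicesClient/0.0.0.0
2023-12-01T08:05:13Z,dllhost.exe,https://outlook.office365.com/EWS/Exchange.asmx,ExchangeServicesClient/0.0.0.0
2023-12-01T08:10:13Z,dllhost.exe,https://outlook.office365.com/EWS/Exchange.asmx,ExchangeServicesClient/0.0.0.0
2023-12-01T08:11:00Z,OneDrive.exe,https://graph.microsoft.com/v1.0/me/drive/root/children,OneDrive/23.0
2023-12-01T08:12:00Z,update.exe,https://graph.microsoft.com/v1.0/me/drive/root:/log.txt:/content,Mozilla/5.0
2023-12-01T08:13:00Z,chrome.exe,https://www.example.com/,Mozilla/5.0
"""


def parse_log(text):
    """Parse the CSV export into dicts with a timezone-aware datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def is_watched(url):
    """True when the URL targets one of the EWS/Graph resources listed above."""
    parts = urlsplit(url)
    prefixes = WATCHED_PATHS.get(parts.hostname or "", ())
    path = parts.path.lower()
    return any(path.startswith(p) for p in prefixes)


def fixed_cadence(timestamps, tolerance_s=5.0):
    """Return the polling interval in seconds if requests are evenly spaced, else None."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return gaps[0] if max(gaps) - min(gaps) <= tolerance_s else None


def hunt(log_text):
    """Group watched-endpoint requests by (process, host), keep only processes
    outside the allowlist, and report request count and beacon cadence."""
    seen = {}
    for row in parse_log(log_text):
        if not is_watched(row["url"]):
            continue
        process = row["process"].lower()
        if process in EXPECTED_PROCESSES:
            continue
        key = (process, urlsplit(row["url"]).hostname)
        seen.setdefault(key, []).append(row["ts"])
    return [
        {"process": proc, "host": host, "requests": len(stamps), "cadence_s": fixed_cadence(stamps)}
        for (proc, host), stamps in seen.items()
    ]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Tune EXPECTED_PROCESSES to the estate: a third-party mail client or a sync agent will otherwise show up as a false positive. The process check alone will also miss a downloader that runs inside an allowed process, which is why the cadence signal is reported alongside it.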
Miscellaneous Associations (other context that could aid in judging relevance): Outlook, Malware, Downloader, Windows
Associated Malware: no associations to display.
Associated Threat Actors (ID, type, votes, profile excerpt)

OilRig (Unspecified, 2 votes): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as

Lyceum (Unspecified, 1 vote): Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc

Siamesekitten (Unspecified, 1 vote): Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated

Crambus (Unspecified, 1 vote): The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Associated Vulnerabilities: no associations to display.
Source Document References

Information about SampleCheck5000 (SC5k) was read from the documents below (the display is limited to 20 results).

CERT-EU (10 months ago): OilRig: Never-seen C#/.NET Backdoor to Attack Wide Range of Industries
DARKReading (7 months ago): Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
ESET (7 months ago): OilRig’s persistent attacks using cloud service-powered downloaders