Sc5k

Malware Profile Updated 2 months ago
Download STIX
Preview STIX
SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for execution and a utility named MKG to exfiltrate data from the Chrome web browser. Throughout 2022, OilRig actively developed and used a series of similar logic downloaders such as ODAgent, OilCheck, and OilBooster, along with newer versions of SC5k. The evolution of SC5k from version 1 to version 3 shows a natural progression, with each version introducing new functionalities. The initial versions, SC5k v1 and v2, used cmd.exe to execute commands on compromised hosts. However, the later versions, SC5k v3 and OilCheck, employed custom command interpreters for executing files and commands on the infected system. Notably, SC5k and OilCheck both exfiltrated data to shared Exchange and Outlook accounts, communicating via email drafts instead of sending actual messages. These downloaders show similarities with MrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C&C protocols. However, unlike these backdoors, SC5k, OilBooster, ODAgent, and OilCheck utilize attacker-controlled cloud service accounts rather than the victim's internal infrastructure. Based on these indicators, there is high confidence in attributing SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Samplecheck5000
2
SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) commun
Milan
1
Milan is a type of malware that was part of an array of backdoors deployed by the cyber threat group OilRig in 2021. Other backdoors used by this group include Shark, DanBot, and Marlin. The Milan malware, like other backdoors used by OilRig, employs simple upload and download schemes for communicat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Outlook
Malware
Downloader
Encryption
Microsoft
Chrome
Eset
Apt
Windows
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
SharkUnspecified
3
Shark is a type of malware, or malicious software, that was deployed by the cyber group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as highlighted in the T3 2021 issue of the ESET Threat Report. This harmful program can infiltrate s
MarlinUnspecified
1
Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data
DanBotUnspecified
1
DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
OilRigUnspecified
3
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
LyceumUnspecified
1
Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
CrambusUnspecified
1
The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
SiamesekittenUnspecified
1
Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
OilboosterUnspecified
1
None
Source Document References
Information about the Sc5k Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
10 months ago
OilRig: Never-seen C#/.NET Backdoor to Attack Wide Range of Industries
CERT-EU
10 months ago
How this Israeli Backdoor written in C#/.NET can be used to hack into any company
DARKReading
7 months ago
Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU
10 months ago
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
CERT-EU
10 months ago
Iranian Nation-State Actor OilRig Targets Israeli Organizations
ESET
7 months ago
OilRig’s persistent attacks using cloud service-powered downloaders