Sc5k

Malware updated 4 months ago (2024-05-04T16:18:46.628Z)

Download STIX

Preview STIX

SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for execution and a utility named MKG to exfiltrate data from the Chrome web browser. Throughout 2022, OilRig actively developed and used a series of similar logic downloaders such as ODAgent, OilCheck, and OilBooster, along with newer versions of SC5k. The evolution of SC5k from version 1 to version 3 shows a natural progression, with each version introducing new functionalities. The initial versions, SC5k v1 and v2, used cmd.exe to execute commands on compromised hosts. However, the later versions, SC5k v3 and OilCheck, employed custom command interpreters for executing files and commands on the infected system. Notably, SC5k and OilCheck both exfiltrated data to shared Exchange and Outlook accounts, communicating via email drafts instead of sending actual messages. These downloaders show similarities with MrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C&C protocols. However, unlike these backdoors, SC5k, OilBooster, ODAgent, and OilCheck utilize attacker-controlled cloud service accounts rather than the victim's internal infrastructure. Based on these indicators, there is high confidence in attributing SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig.

Description last updated: 2024-05-04T16:15:43.151Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Samplecheck5000	2	SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) commun

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Downloader

Outlook

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
Shark	Unspecified	3	Shark is a malicious software (malware) developed and deployed by the cybercriminal group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying Shark, along with Milan and Marlin backdoors as mentioned in the T3 2021 issue of the ESET Threat Report. The malware was designed to expl

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
OilRig	Unspecified	3	OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as

Source Document References

Information about the Sc5k Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	OilRig: Never-seen C#/.NET Backdoor to Attack Wide Range of Industries
CERT-EU	a year ago	How this Israeli Backdoor written in C#/.NET can be used to hack into any company
DARKReading	9 months ago	Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU	a year ago	OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
CERT-EU	a year ago	Iranian Nation-State Actor OilRig Targets Israeli Organizations
ESET	9 months ago	OilRig’s persistent attacks using cloud service-powered downloaders