OilRig

OilRig is an Iranian state-sponsored cyber espionage threat actor. Known aliases in the provided content include APT34, Cobalt Gypsy, Crambus, Earth Simnavaz, Europium, Evasive Serpens, Hazel Sandstorm, Helix Kitten, IRN2, ITG13, and TA452. The group has targeted Middle Eastern and international organizations, and more specifically organizations in Israel including healthcare, manufacturing, and local government entities. The content also identifies APT34/OilRig as one of the highest-impact state-sponsored risk vectors in the Middle East. The group uses a broad mix of scripting and native tooling for execution and post-compromise activity. Reported behaviors include use of macros to deliver malware such as QUADAGENT and OopsIE, batch scripts, VBS scripts, PowerShell, and WMI. During Juicy Mix, OilRig used browser-data and credential-stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in %TEMP%, and used a VBS script to send the Base64-encoded name of the compromised computer to command-and-control. OilRig has run tasklist, hostname, systeminfo, and ipconfig /all on victim systems, queried the registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, and used tools to identify whether a mouse was connected to a targeted system. For credential access, the content states OilRig used publicly available tools including LaZagne and Mimikatz, and used LaZagne to steal credentials from logged-in accounts, Outlook Web Access, and web browsers. It also used a tool named PICKPOCKET to dump passwords from browsers. For command-and-control and lateral access, OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers, used Plink renamed as \ProgramData\Adobe.exe, and used Remote Desktop Protocol for lateral movement, including tunneling RDP into victim environments. The group has also used PowerShell to upload files from compromised systems and deleted payload-associated files after execution. The content states OilRig signed malware with stolen certificates. It also describes a 2022 campaign in which OilRig deployed downloader families ODAgent, OilCheck, OilBooster, and an updated SampleCheck5000 against previously compromised Israeli organizations. Those downloaders abused legitimate Microsoft cloud APIs and services for command-and-control and exfiltration, including Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Exchange Web Services, and shared similarities with the MrPerfectionManager and PowerExchange backdoors. In observed cases, the downloaders used shared OilRig-operated email or cloud storage accounts, often reused across multiple victims. The content also notes that OilRig has been associated with use of SpyNote in prior campaigns, though one cited SpyNote case was attributed by the reporting organization to an unidentified actor rather than directly to OilRig. Separately, the content states that other actors have hijacked OilRig infrastructure and malware for their own campaigns, and that NSA/NCSC reporting has discussed adversaries compromising other adversaries' infrastructure in relation to Turla and OilRig.