In this blog, we provide an in-depth analysis of OilRig's modus operandi, detailing its latest operational tactics and how they adapt to shifting cybersecurity landscapes.
OilRig was first publicly documented in May 2016, when Unit 42 reported attacks on Saudi Arabian organizations [2], though evidence suggests activity as early as 2015. Its targeting has since broadened across the Middle East. The group is widely assessed to be aligned with Iranian state interests and focused on intelligence collection in support of Iran's geopolitical objectives. Different vendors track OilRig, or activity that overlaps with it, under names including APT34, Helix Kitten, Crambus, Cobalt Gypsy and Greenbug [1]; the overlaps in infrastructure and tooling behind these names point to shared resources and coordinated objectives within Iranian cyber operations. Such interconnectedness is common among state-sponsored actors, where resource and strategy sharing align nominally distinct groups toward national objectives.
OilRig's early operations relied largely on spearphishing against Saudi organizations, delivering the Helminth backdoor and demonstrating the group's social engineering skill, particularly against government and critical infrastructure targets. As OilRig expanded, so did its toolset: later backdoors such as QUADAGENT and ISMAgent show its ability to build malware tailored to specific targets. Over time the group has layered obfuscation onto its tooling, notably running its PowerShell payloads through the open-source Invoke-Obfuscation framework to evade signature-based detection. A campaign in mid-2018 deployed QUADAGENT against a technology services provider and a government body in the Middle East, showcasing its use of scripting and obfuscation. Most recently, OilRig exploited CVE-2024-30088, a Windows kernel privilege escalation flaw, within months of its patch being released, demonstrating the group's ability to fold recently disclosed (n-day) vulnerabilities into its toolkit quickly.
OilRig has a well-documented history of impactful intrusions, focused primarily on the Middle East. Its operations have targeted government entities, the energy and oil sector, telecommunications providers and critical infrastructure, in line with the group's aims of intelligence gathering and geopolitical influence. Each campaign shows not only evolving tradecraft but also the group's adaptability in the face of improved defenses. Through spearphishing, custom implants and exploitation of recently disclosed vulnerabilities, OilRig keeps refining its techniques to remain effective.
As OilRig's activities grow in scope and technical complexity, their attacks illustrate the persistent threat they pose, particularly to organizations that manage sensitive data or strategic assets. In the following section, we explain significant incidents and attacks carried out by the OilRig APT group.
OilRig's rise to prominence began with its deployment of the Helminth backdoor against Saudi Arabian organizations [2]. The campaign used spearphishing emails carrying macro-enabled Microsoft Excel documents disguised as files relevant to the recipient; when the target opened the attachment and enabled macros, the document installed Helminth. Helminth was observed in two forms, a script-based variant built from VBScript and PowerShell and a standalone executable, and both communicated with command-and-control (C2) servers over HTTP and DNS, an early instance of the DNS-based channels the group still relies on [2].
With Helminth installed, OilRig could run arbitrary commands in the context of the user who opened the document, enumerate the host, stage further tooling, escalate privileges where a path existed and exfiltrate data. The focus was espionage against sectors critical to Saudi national infrastructure and economic stability, and the implant's long dwell time let the group collect intelligence over an extended period. This campaign established OilRig's reputation as a persistent cyber-espionage actor in the region.
Between February and June 2018, OilRig ran a series of attacks using the QUADAGENT backdoor, a PowerShell-based implant built for stealth and persistence [3]. The campaign targeted a technology services provider and a government entity in the Middle East and showed OilRig exploiting trust between organizations: having compromised email accounts at the government agency, the group sent spearphishing messages from those accounts, so the emails came from a genuine sender and were more likely to pass email security filters and win the recipient's confidence. When recipients opened the attached document and enabled its macros, the macro dropped QUADAGENT, giving the attackers remote access to and control over the infected systems.
One of the campaign's standout features was OilRig's use of advanced obfuscation techniques. QUADAGENT's reliance on PowerShell allowed OilRig to encode and obscure their commands, concealing malicious intent within what appeared to be normal operations. This level of obfuscation proved effective in evading traditional detection methods, complicating incident response efforts, and extending OilRig's presence on the compromised networks.
The QUADAGENT attacks showed OilRig's skill in exploiting trust relationships and network interdependencies between organizations. By targeting a technology services provider, OilRig positioned itself to reach the broader set of organizations that rely on that provider's services and to pivot toward other high-value targets. This ripple effect amplifies the impact of a single intrusion and illustrates the risk that a compromised service provider poses to every customer that trusts it.
In its most recent reported campaign, OilRig exploited CVE-2024-30088, a privilege escalation vulnerability in the Windows kernel [4]. Exploiting it elevated the attackers from an ordinary user to SYSTEM, giving them full control of the compromised machine. With that access they deployed their custom STEALHOOK backdoor on targeted servers for prolonged, low-profile monitoring and data collection. STEALHOOK is used to gather and exfiltrate data, including harvested credentials, and gives the group a durable foothold in compromised environments [5].
Microsoft patched CVE-2024-30088 in June 2024; by the time the campaign was reported in October 2024 [4][5], OilRig had already weaponized it. This rapid operationalization of n-day vulnerabilities lets the group strike targets that have not yet applied a months-old patch, and highlights the gap between a patch's release and its deployment in many organizations.
A particularly effective element of this campaign was the abuse of victims' on-premises Microsoft Exchange servers. Rather than standing up conspicuous C2 traffic for exfiltration, OilRig used stolen accounts to send harvested credentials and other collected data out through Exchange as ordinary email, so the exfiltration blended with the organization's legitimate mail flow [5]. The credentials themselves were harvested with a password filter DLL (see T1555 below), which hands the group every password changed in the domain and so steadily widens its access across the network.
OilRig, also known as APT34, employs a broad set of tactics, techniques and procedures (TTPs) that reflect its sophistication and adaptability in cyber espionage. Mapping them to the MITRE ATT&CK framework gives a structured view of the group's methods and tools. The TTPs below are drawn from the sources cited in this post.
T1078 Valid Accounts
OilRig regularly exploits compromised credentials to gain initial access to target networks, often relying on carefully crafted spearphishing campaigns to collect these credentials. In these campaigns, OilRig typically targets email accounts, sending phishing messages designed to trick recipients into divulging their credentials or accessing a malicious link. Once acquired, these valid credentials allow OilRig to bypass perimeter defenses and enter the network with what appears to be legitimate access. This approach not only minimizes the need for brute-force attacks but also reduces detection likelihood, as the group can blend in as a regular user.
T1566 Phishing
Phishing is a cornerstone tactic for OilRig, which consistently uses spearphishing emails with malicious links or attachments for initial access. The group often leverages social media platforms like LinkedIn, sending messages that appear to be from trusted contacts within the recipient's network. By targeting individuals with these familiar links or attachments, OilRig enhances the credibility of its campaigns, increasing the likelihood of user interaction. This approach not only amplifies the effectiveness of each phishing attempt but also capitalizes on the trust inherent in professional networks to broaden its reach and deepen infiltration within specific industries or organizations.
T1059 Command and Scripting Interpreter
OilRig relies heavily on scripting, particularly PowerShell, VBScript and VBA macros, to execute commands in compromised environments. PowerShell lets the group run arbitrary commands, establish persistence and change system settings through a signed, built-in interpreter, so the activity is easy to mistake for administration. Script-based backdoors such as QUADAGENT, which is itself PowerShell, give OilRig control over infected machines without dropping a conventional executable for antivirus to scan. Because the interpreter is a legitimate system utility, detection has to rest on script content and behaviour (script block logging, command-line arguments, parent process) rather than on the presence of the binary.
T1204 User Execution
OilRig frequently sends macro-enabled documents that require user interaction, instructing targets to "Enable Content" to view the document's contents. Once enabled, this triggers the execution of embedded payloads such as QUADAGENT, which can initiate system compromise and open a channel for further malware installation. This social engineering tactic exploits human psychology, as recipients are encouraged to follow instructions to access seemingly important or confidential information. By depending on user execution to activate malicious code, OilRig minimizes technical barriers, shifting reliance to social manipulation to achieve an initial foothold within targeted environments.
T1053 Scheduled Task/Job
OilRig utilizes scheduled tasks to ensure the persistent execution of their payloads on compromised machines. These tasks are configured to run at specific intervals, allowing the group to maintain continuous access to the infected systems without needing to manually trigger execution. Scheduled tasks are particularly effective for maintaining stealth and avoiding detection, as they blend in with legitimate system processes. By setting up these tasks to execute malware scripts or command-and-control (C2) communications at regular intervals, OilRig can maintain a foothold on the network, even if the malware itself is temporarily detected or removed. This tactic is also used to refresh malware persistence in case of system reboots or clean-up efforts, ensuring that their operations can continue without interruption.
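As an added example (not code from the original post or from any OilRig tooling), the following Python triages a Windows Security event 4698 (scheduled task created) by parsing the task XML the event carries and flagging the traits described above: a script host as the task action, hidden or bypass switches, a payload in a user-writable path, a short repetition interval, a hidden task and execution as SYSTEM. The event and both task documents are constructed for this example; the task name, paths and interval are invented.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

# Action binaries that are script hosts or LOLBins rather than a product's own executable.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a non-admin user can write to; a persistence payload usually lives here.
_USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|\\Users\\Public|\\ProgramData"
    r"|\\Windows\\Temp|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA|PUBLIC)%", re.IGNORECASE)
# PowerShell switches typical of malicious launchers: hidden window, no profile, bypass, encoded.
_RISKY_SWITCHES = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|noni\w*|e(?:c|n[a-z]*)?\s"
    r"|ep\s+bypass|executionpolicy\s+bypass)", re.IGNORECASE)
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def triage_task_xml(task_xml: str) -> List[str]:
    """Return human-readable findings for one Task Scheduler XML document."""
    # 4698 TaskContent carries an encoding="UTF-16" declaration; ElementTree refuses that on an
    # already-decoded str, so drop the declaration before parsing.
    root = ET.fromstring(_XML_DECL.sub("", task_xml).strip())
    findings: List[str] = []
    for exec_el in root.findall(".//{*}Exec"):  # {*} matches the task schema namespace
        command = (exec_el.findtext("{*}Command") or "").strip().strip('"')
        args = exec_el.findtext("{*}Arguments") or ""
        host = command.replace("/", "\\").split("\\")[-1].lower()
        if host in SCRIPT_HOSTS:
            findings.append(f"script host as task action: {host}")
        if _RISKY_SWITCHES.search(args):
            findings.append("hidden/no-profile/bypass/encoded switches in arguments")
        if _USER_WRITABLE.search(f"{command} {args}"):
            findings.append("payload or script in a user-writable location")
    interval = root.findtext(".//{*}Repetition/{*}Interval")
    if interval:
        findings.append(f"repeating trigger every {interval} (beacon-like)")
    if (root.findtext(".//{*}Settings/{*}Hidden") or "").strip().lower() == "true":
        findings.append("task marked Hidden")
    if (root.findtext(".//{*}Principal/{*}UserId") or "").strip() == "S-1-5-18":
        findings.append("runs as LocalSystem")
    return findings


def triage_event_4698(event_xml: str) -> Dict[str, object]:
    """Pull TaskName and TaskContent out of a Security 4698 event and triage the task."""
    root = ET.fromstring(event_xml)
    name = root.findtext(".//{*}Data[@Name='TaskName']") or "?"
    content = root.findtext(".//{*}Data[@Name='TaskContent']") or ""
    findings = triage_task_xml(content) if content else ["no TaskContent in event"]
    return {"task": name, "findings": findings}


# Constructed task XML in the shape of a 4698 TaskContent payload (names and paths invented).
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-10-11T08:00:00</StartBoundary>
    <Repetition><Interval>PT10M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -ep bypass -f C:\Users\Public\Libraries\sync.ps1</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-10-11T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-20</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\ExampleVendor\agent.exe"</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

# Constructed Security event wrapping the task above the way 4698 does (TaskContent is escaped XML).
SUSPICIOUS_EVENT = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>ws01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="TaskName">\\Microsoft\\Windows\\Sync\\Updater</Data>
    <Data Name="TaskContent">{escape(SUSPICIOUS_TASK)}</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml_doc))
    print(triage_event_4698(SUSPICIOUS_EVENT))
```

The same parser applies to `schtasks /query /xml` output or to the task files under `C:\Windows\System32\Tasks`, which is how to baseline an estate before hunting: anything that already matches several of these findings deserves the same attention as a fresh 4698.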
T1068 Exploitation for Privilege Escalation
In one of its most recent campaigns, OilRig exploited CVE-2024-30088, a privilege escalation vulnerability in the Windows kernel, to elevate from a standard user to SYSTEM on compromised hosts. The flaw had been patched by Microsoft before OilRig's exploitation was reported, so this was n-day rather than zero-day exploitation; it nonetheless gave the group full control of unpatched machines, including the ability to tamper with security tooling and to load the STEALHOOK backdoor with the highest privileges.
T1027 Obfuscated Files or Information
OilRig employs a variety of obfuscation techniques to hide the true nature of their PowerShell scripts and evade detection by security monitoring systems. One of their primary tools for obfuscation is Invoke-Obfuscation, a widely used open-source tool for disguising PowerShell scripts. Obfuscation prevents defenders from identifying the malware's functionality and makes it more difficult to detect through traditional signature-based or heuristic analysis methods. By hiding the true intentions of their PowerShell scripts, OilRig ensures that their activities remain concealed for longer, even when under scrutiny, thereby reducing the chances of early detection and interruption.
T1140 Deobfuscate/Decode Files or Information
In addition to obfuscating its scripts, OilRig base64-encodes malicious content inside its files and decodes it at runtime. Base64 is not encryption, any analyst can reverse it in seconds, but it defeats simple string and signature matching on the file at rest, since the decoded payload exists only in memory once the script runs. The encoding is often layered: a PowerShell command line may be passed as a base64-encoded UTF-16LE string via -EncodedCommand, and the decoded script may in turn carry further base64 blobs that are decoded and executed on the fly. This lets OilRig slip past early-stage controls that scan files before execution, buying time to operate before the payload's real content is examined.
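An added example, not code from the post or from the group, covering both the obfuscation under T1027 and the decoding under T1140: a Python triage routine that decodes a -EncodedCommand argument (accepting any unambiguous prefix of the switch, as powershell.exe does), decodes base64 blobs embedded in the resulting script, and reports common Invoke-Obfuscation artefacts. The sample command line is constructed here; the stage-two text is a placeholder and the indicator list is a starting point rather than a complete signature set.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r"(?<!\w)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Long base64 runs inside a decoded script (FromBase64String arguments, string literals).
_INNER_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Artefacts of Invoke-Obfuscation output and common hand obfuscation, reported by name.
_INDICATORS = [
    ("backtick-split token", re.compile(r"\w`\w")),
    ("string concatenation", re.compile(r"'[^']*'\s*\+\s*'[^']*'")),
    ("format operator", re.compile(r"\{\d+\}[^\n]*?-f\s", re.IGNORECASE)),
    ("char-code build", re.compile(r"\[char\]\s*\d+|\[char\[\]\]", re.IGNORECASE)),
    ("string reversal", re.compile(r"\[array\]::Reverse|\[-1\.\.-", re.IGNORECASE)),
    ("invoke-expression", re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE)),
    ("call operator on variable", re.compile(r"&\s*\$\w+")),
    ("nested base64", re.compile(r"FromBase64String", re.IGNORECASE)),
    ("hidden/bypass switches", re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+Bypass", re.IGNORECASE)),
]


@dataclass
class PowerShellTriage:
    encoded_flag: Optional[str]
    decoded: Optional[str]
    nested: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An encoded command line alone is worth an analyst's look; otherwise require two
        # independent obfuscation artefacts to cut noise from legitimate admin scripts.
        return self.decoded is not None or len(self.indicators) >= 2


def build_encoded_command(script: str) -> str:
    """Encode a script exactly as -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def _decode_b64(blob: str) -> Optional[bytes]:
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def _as_text(raw: bytes) -> Optional[str]:
    """Interpret bytes as UTF-8 or UTF-16LE text; reject anything that is not printable and ASCII-heavy."""
    for enc in ("utf-8", "utf-16le"):  # utf-8 first: UTF-16LE ASCII decodes as utf-8 but contains NULs
        if enc == "utf-16le" and len(raw) % 2:
            continue
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text) \
                and sum(ord(c) < 128 for c in text) / len(text) > 0.9:
            return text
    return None


def triage_command_line(cmdline: str) -> PowerShellTriage:
    """Decode an encoded PowerShell command line, unwrap nested base64, and list obfuscation artefacts."""
    flag = decoded = None
    for m in _ENC_FLAG.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            raw = _decode_b64(m.group(2))
            if raw is not None and len(raw) % 2 == 0:
                flag = "-" + m.group(1)
                try:
                    decoded = raw.decode("utf-16le")
                except UnicodeDecodeError:
                    decoded = None
                break
    script = decoded if decoded is not None else cmdline
    nested = []
    for m in _INNER_B64.finditer(script):
        raw = _decode_b64(m.group(0))
        text = _as_text(raw) if raw is not None else None
        if text is not None:
            nested.append(text)
    corpus = "\n".join([cmdline, script] + nested)
    indicators = [name for name, rx in _INDICATORS if rx.search(corpus)]
    return PowerShellTriage(flag, decoded, nested, indicators)


# Constructed sample resembling an obfuscated loader: the inner script assembles the
# Invoke-Expression cmdlet name from fragments, base64-decodes a second stage and runs it.
STAGE_TWO = "Write-Host 'stage two would run here'"  # placeholder for a real second stage
INNER_SCRIPT = (
    "$c = ('Inv'+'oke'+'-Expr'+'ession'); "
    "$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + build_encoded_command(STAGE_TWO) + "')); & $c $p"
)
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -Enc " + build_encoded_command(INNER_SCRIPT)

if __name__ == "__main__":
    result = triage_command_line(SAMPLE_CMDLINE)
    print("flag:", result.encoded_flag)
    print("decoded:", result.decoded)
    print("nested:", result.nested)
    print("indicators:", result.indicators, "suspicious:", result.suspicious)
```

Note that the concatenated 'Inv'+'oke'+'-Expression' never produces the literal cmdlet name, so the invoke-expression rule does not fire on the sample; the concatenation and call-operator rules do, which is why the verdict rests on several weak artefacts rather than one string. Script block logging (event 4104) records the de-obfuscated script as PowerShell actually compiles it and is the more reliable source where it is enabled.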
T1555 Credentials from Password Stores
OilRig extracts credentials from system and application password stores using the open-source LaZagne tool and custom DLLs such as psgfilter.dll. LaZagne recovers stored credentials from browsers, email clients and the Windows Credential Manager, among other locations. psgfilter.dll is a malicious password filter: Windows lets administrators register DLLs under the LSA Notification Packages registry value so that LSA calls them, with the new password in plaintext, whenever a user sets or changes a password. Registered on a domain controller, such a DLL captures every password change in the domain; on a workstation it captures changes to local accounts. Note that a password filter sees a password only when it is changed, not at each logon, so the attackers either wait for routine rotations or force resets to harvest credentials.
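As an added example (not from the post or from the actor), the following Python checks the LSA Notification Packages value for password filters that Windows did not ship with. It parses reg.exe output offline and, on Windows, can read the live value with winreg. The reg query output below is constructed; the entry psgfilter reproduces the name from the text above, and the allowlist argument stands in for a vetted password-policy product.

```python
import re
from typing import Dict, Iterable, List

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"
# What Windows itself registers: scecli on every install, rassfm on domain controllers.
# Entries are bare DLL names without the .dll suffix, loaded from %SystemRoot%\System32.
BUILTIN_PACKAGES = {"scecli", "rassfm"}
_REG_LINE = re.compile(r"^\s*Notification Packages\s+REG_MULTI_SZ\s*(.*?)\s*$", re.IGNORECASE)


def _norm(name: str) -> str:
    """Registry entries are case-insensitive and may or may not carry .dll or a path."""
    name = name.strip().lower().replace("/", "\\").split("\\")[-1]
    return name[:-4] if name.endswith(".dll") else name


def parse_reg_query(output: str) -> List[str]:
    """Parse `reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v "Notification Packages"`.
    reg.exe prints REG_MULTI_SZ elements joined by a literal backslash-zero."""
    for line in output.splitlines():
        m = _REG_LINE.match(line)
        if m:
            return [p for p in m.group(1).split(r"\0") if p]
    raise ValueError(f"{VALUE_NAME} not found in reg query output")


def unexpected_password_filters(packages: Iterable[str], allowlist: Iterable[str] = ()) -> List[str]:
    """Entries that are neither Windows defaults nor on the organisation's allowlist."""
    known = BUILTIN_PACKAGES | {_norm(a) for a in allowlist}
    return [p for p in packages if _norm(p) not in known]


def expected_dll_paths(packages: Iterable[str]) -> Dict[str, str]:
    """Where LSA will load each listed filter from; pair with hash and signature checks on the file."""
    return {p: "C:\\Windows\\System32\\" + _norm(p) + ".dll" for p in packages}


def read_live_packages() -> List[str]:
    """Read the value from the local registry (Windows only; reading needs no elevation)."""
    import winreg  # imported here because the module exists only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    if kind != winreg.REG_MULTI_SZ:
        raise TypeError(f"{VALUE_NAME} has type {kind}, expected REG_MULTI_SZ")
    return list(value)


# Constructed reg.exe output for a domain controller with an extra, unvetted filter registered.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0psgfilter
"""

if __name__ == "__main__":
    pkgs = parse_reg_query(SAMPLE_REG_QUERY)
    print("registered:", pkgs)
    print("unexpected:", unexpected_password_filters(pkgs, allowlist=["VettedPolicyFilter.dll"]))
    print(expected_dll_paths(pkgs))
```

A filter DLL takes effect only after LSA reloads it, which in practice means a reboot, so a newly added entry paired with a recent restart of a domain controller is a strong signal. The check should run on every DC, since the attacker only needs one.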
T1003 OS Credential Dumping
OilRig frequently dumps credentials directly from operating system memory. Using Mimikatz, a popular post-exploitation tool, the attackers read the memory of the LSASS process to recover credential material: NTLM hashes, Kerberos tickets and, where legacy providers such as WDigest still cache it, plaintext passwords. That material is then used to escalate privileges, move laterally or maintain persistence. The technique works best in environments that have not enabled protections such as LSA Protection or Credential Guard, or where endpoint detection and response (EDR) is not configured to alert on processes opening LSASS memory.
T1016 System Network Configuration Discovery
OilRig uses this technique to gather comprehensive network configuration data, including IP addresses, subnet masks, gateways, DNS servers, and other network interface details. This information is essential for OilRig to map out the network structure, understand its topology, and identify key systems such as domain controllers, file servers, and other critical infrastructure. With this data, OilRig can plan its next moves within the network, such as identifying potential targets for lateral movement or figuring out how to maintain persistent access to vital resources.
T1021 Remote Services
OilRig uses remote services to extend its reach across a network once it holds a foothold, notably SSH via PuTTY and its command-line sibling Plink. With valid credentials, the group logs in to additional systems over SSH to run commands and move laterally, and uses SSH tunnels to carry other protocols such as RDP (see T1572 below). SSH is useful to the attackers where the usual lateral-movement protocols, SMB and RDP, are monitored or blocked, and because an encrypted session hides what is being done from inspection. Relying on legitimate remote-access tooling lets OilRig maintain operational security while extending control over a broader set of systems.
T1056 Input Capture
OilRig uses keyloggers, including KEYPUNCH and LONGWATCH, to intercept and record keystrokes on compromised systems. These tools capture user input in real time, yielding usernames, passwords and other sensitive data as users type them. Keylogging captures secrets at the point of entry, before any hashing or encryption, so it harvests credentials for VPNs, databases, email and internal systems even when those credentials are never stored on disk; one-time MFA codes captured this way are useful to the attacker only until they expire.
T1573 Encrypted Channel
OilRig encrypts communication between compromised machines and its C2 servers, so that commands and exfiltrated data cannot be read by anyone intercepting the traffic. In practice this means HTTPS (TLS) for web-based C2 and SSH tunnels built with tools such as Plink. Encryption hides the content of the sessions from security monitoring, but not their existence: destination addresses, timing, volume and TLS certificate details remain visible, and that metadata is where network detection of this activity has to focus.
T1071 Application Layer Protocol
OilRig relies heavily on Application Layer Protocols, specifically HTTP and HTTPS, to maintain communication with its Command and Control (C2) infrastructure. OilRig leverages these protocols to communicate with their C2 servers in a way that blends in with regular web traffic, reducing the chances of their communications being flagged by network defenders or security monitoring systems. HTTPS, in particular, provides an added layer of encryption, allowing OilRig to securely transmit data between compromised systems and C2 infrastructure without exposing it to interception. If HTTP or HTTPS communication channels are blocked or disrupted, OilRig has fallback mechanisms in place, including DNS tunneling, to bypass network restrictions and maintain access to their C2 infrastructure.
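An added example (not code from the post or from the actor) that profiles resolver logs for the DNS tunnelling mentioned above as OilRig's fallback channel: it groups queries by registered domain and flags domains with many distinct, long, high-entropy subdomains, especially over record types whose answers can carry data. The log format, hosts and domains are constructed for the example; the apex split uses the last two labels, which is a simplification a production version should replace with a public suffix list lookup.

```python
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class DnsQuery(NamedTuple):
    client: str
    qname: str
    qtype: str


def parse_log_line(line: str) -> DnsQuery:
    """Parse one resolver log line in the constructed format '<timestamp> <client> <qname> <qtype>'."""
    _ts, client, qname, qtype = line.split()
    return DnsQuery(client, qname.rstrip(".").lower(), qtype.upper())


def split_apex(qname: str) -> Tuple[str, str]:
    """Naive split: last two labels are the registered domain, the rest is the subdomain.
    Use a public-suffix-list library in production (co.uk, com.sa, ... break this rule)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text: str) -> float:
    """Bits per character: hex data sits near 4.0, base32 near 5.0, ordinary hostnames well below 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


DATA_CARRYING_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # answer types that can carry arbitrary bytes


def profile_domains(queries: List[DnsQuery]) -> Dict[str, dict]:
    """Per registered domain: volume, subdomain cardinality/length/entropy, record-type mix, clients."""
    per_apex: Dict[str, List[DnsQuery]] = defaultdict(list)
    for q in queries:
        per_apex[split_apex(q.qname)[0]].append(q)
    profiles = {}
    for apex, rows in per_apex.items():
        uniq = {split_apex(q.qname)[1].replace(".", "") for q in rows}
        profiles[apex] = {
            "queries": len(rows),
            "unique_subdomains": len(uniq),
            "mean_sub_len": sum(len(s) for s in uniq) / len(uniq),
            "mean_entropy": sum(shannon_entropy(s) for s in uniq) / len(uniq),
            "data_qtype_ratio": sum(q.qtype in DATA_CARRYING_QTYPES for q in rows) / len(rows),
            "clients": sorted({q.client for q in rows}),
        }
    return profiles


def flag_tunnels(profiles: Dict[str, dict], min_unique: int = 20,
                 min_len: int = 30, min_entropy: float = 3.0) -> List[str]:
    """Domains with many distinct, long, high-entropy subdomains: data being carried in labels.
    Tune thresholds per environment; CDNs and reputation lookups also generate many unique labels."""
    return sorted(apex for apex, p in profiles.items()
                  if p["unique_subdomains"] >= min_unique
                  and p["mean_sub_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)


def constructed_sample_log() -> List[str]:
    """Constructed resolver log (not real traffic): routine corporate lookups, plus one client
    pushing 48-hex-character chunks through TXT queries to a single domain."""
    lines = [f"2024-10-11T08:{i:02d}:00Z 10.1.2.3 {('www', 'mail', 'api', 'cdn')[i % 4]}.corp-example.com A"
             for i in range(60)]
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]  # deterministic stand-in for data
        lines.append(f"2024-10-11T09:{i:02d}:00Z 10.1.2.9 {chunk}.t.c2-example.net TXT")
    return lines


if __name__ == "__main__":
    profiles = profile_domains([parse_log_line(line) for line in constructed_sample_log()])
    for apex, p in profiles.items():
        print(apex, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in p.items()})
    print("flagged:", flag_tunnels(profiles))
```

The data_qtype_ratio and clients fields are there for the analyst rather than the rule: a single workstation generating all of a domain's TXT traffic is a different investigation from a mail gateway doing MX lookups, even if both trip the cardinality thresholds.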
T1572 Protocol Tunneling
Protocol tunneling gives OilRig a covert path when conventional channels are monitored or blocked by intrusion detection systems or firewalls. The group uses Plink, the command-line connection tool from the PuTTY suite, to build SSH tunnels that encapsulate other traffic, for example forwarding RDP to a compromised host through an outbound SSH session to attacker-controlled infrastructure. The tunnel carries both interactive access and bulk data, so OilRig can issue commands and exfiltrate large volumes of data over what appears on the wire to be a single SSH connection.
T1048 Exfiltration Over Alternative Protocol
Beyond tunneling, OilRig has exfiltrated stolen data over FTP. FTP is often still permitted outbound in environments that run legacy file transfers, and where it is expected, a large upload attracts little attention. Using it lets the group push large volumes of data to remote servers under the guise of normal activity and avoids over-reliance on HTTP or DNS channels that might be detected or blocked.
T1497 Virtualization/Sandbox Evasion
Sandboxes let analysts and automated systems detonate suspicious files in isolation before they reach production systems. OilRig has adapted by building checks into its malware to detect such analysis environments, for example verifying that user peripherals such as a mouse are connected, or inspecting system attributes characteristic of virtual machines. When these indicators are present the malware can delay execution, disable itself or run a decoy routine, so its real behaviour is never shown to an environment that is being actively observed.
The following are the known Indicators of Compromise (IOCs) associated with the OilRig threat group. These IOCs include file hashes, IP addresses, and other relevant artifacts identified through various analyses and reports.
QUADAGENT
d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
OilRig ThreeDollars
1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
mscom.exe
0ca0febadb1024b0a8961f21edbf3f6df731ca4dd82702de3793e757687aefbc
People List.xls
9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777
Dell.exe
5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b
To defend effectively against OilRig attacks, organizations should implement a comprehensive security strategy encompassing the following measures:
Strengthen Access Controls:
Implement Multi-Factor Authentication (MFA): Require MFA for all user accounts, especially those with administrative privileges, to add an extra layer of security.
Enforce Strong Password Policies: Mandate complex passwords and regular updates to reduce the risk of credential compromise.
Least Privilege Principle: Restrict user access to only the data and systems necessary for their role.
Implement Network Segmentation:
Isolate Critical Systems: Separate essential services and data, such as domain controllers and Microsoft Exchange servers, from the broader network to limit lateral movement in case of a breach.
Control Inter-Segment Communication: Use firewalls and access controls to manage traffic between network segments.
Timely Patch Management:
Prioritize Critical Patches: Address vulnerabilities like CVE-2024-30088 promptly, especially in widely used platforms like Windows and Exchange.
Virtual Patching: For systems where updates are delayed, use security tools to block exploitation attempts.
Perform Regular Vulnerability Scanning: Identify and remediate security gaps across your environment.
Harden Endpoint and Server Security:
Endpoint Detection and Response (EDR): Deploy tools capable of identifying and mitigating malware like QUADAGENT and STEALHOOK.
Behavior-Based Detection: Use tools that identify unauthorized privilege escalation attempts on endpoints.
Audit Credential Interception Points: Monitor the LSA Notification Packages registry value on domain controllers for newly registered password filter DLLs such as psgfilter.dll, and alert on processes reading LSASS memory.
OilRig, also known as APT34 or Helix Kitten, remains a formidable and persistent threat in the cyber landscape, especially within the Middle East. Their operations showcase an impressive blend of technical expertise, strategic precision, and adaptability, making them a serious adversary for organizations worldwide. As OilRig continually evolves to leverage new vulnerabilities and global developments, cybersecurity teams must proactively adapt defense strategies. By understanding OilRig's tactics, from sophisticated credential theft to exploitation of critical vulnerabilities, organizations can strengthen their resilience, implementing robust monitoring and layered defenses to stay one step ahead of this persistent threat.
[1] “OilRig.” Available: https://attack.mitre.org/groups/G0049/
[2] R. Falcone and B. Lee, “The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor,” Unit 42, May 26, 2016. Available: https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
[3] “SCANdalous! (External Detection Using Network Scan Data and Automation),” Google Cloud Blog, Jul. 13, 2020. Available: https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation
[4] The Hacker News, “OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf,” The Hacker News, Oct. 13, 2024. Available: https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html
[5] “Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East,” Trend Micro, Oct. 11, 2024. Available: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html