The pro-Iranian APT group has developed and actively used throughout 2022 a series of downloaders powered by cloud services
Researchers of ESET, a global European leader in the cybersecurity market, have identified a growing set of new OilRig downloaders which the group has used in several campaigns throughout 2022 to maintain access to target organizations of particular interest, all located in Israel. These include a healthcare organization, a manufacturing company, and a local government organization. OilRig is an APT group believed to be based in Iran and its operations, like these latest downloaders, are aimed at cyberespionage. The new downloaders – SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent and OilBooster – are notable for using legitimate cloud storage and cloud-based email services for command and control (C&C) communications and data exfiltration, specifically the Microsoft Graph OneDrive or Outlook Application Programming Interfaces (APIs) and the Microsoft Office Exchange Web Services API.
"Like the rest of OilRig's tools, these downloaders are not particularly sophisticated. However, the continuous development and testing of new variants, the experimentation with various cloud services and different programming languages, and the determination to compromise the same objectives time and time again make OilRig a group worth watching," he says Zuzana Hromcová, ESET researcher, who analyzed the malware together with his colleague Adam Burgher.
ESET attributes the SC5k (v1-v3), OilCheck, ODAgent and OilBooster downloaders to OilRig with a high level of probability. These tools share similarities with the MrPerfectionManager and PowerExchange backdoors – other recent additions to the OilRig toolset that use email-based C&C protocols – with the difference that the 4 downloaders use cloud service accounts controlled by the attacker rather than the victim's internal infrastructure.
The ODAgent downloader was detected in the network of a manufacturing company in Israel – interestingly, the same organization was previously hit by OilRig's SC5k downloader and later by OilCheck, between April and June 2022. SC5k and OilCheck have similar capabilities to ODAgent, but use cloud-based email services for C&C communications. Throughout 2022, ESET observed the same pattern repeating itself on multiple occasions, with new downloaders being deployed into the networks of previous OilRig targets. For example, between June and August 2022, ESET intercepted the OilBooster, SC5k v1 and SC5k v2 downloaders, and the Shark backdoor, all in the network of a local government organization in Israel. Subsequently, ESET registered another version of SC5k (v3) in the network of an Israeli healthcare organization, which was also already a victim of OilRig.
According to ESET telemetry readings, the APT group only used these downloaders against a limited number of targets, and all of them were persistently targeted months earlier by other OilRig tools. Because it is common for organizations to access Office 365 resources, OilRig's downloaders, powered by the cloud service, can more easily blend into the regular flow of network traffic – apparently the same reason attackers have chosen to distribute these downloaders to a small group of particularly interesting and repeatedly targeted targets.
OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group active since at least 2014 and commonly believed to be based in Iran. The group targets Middle Eastern governments and a range of business sectors, including chemicals, energy, finance and telecommunications.
For more technical information on the latest OilRig downloaders, see the blog post “OilRig’s persistent attacks using cloud service-powered downloaders” are WeLiveSecurity.com.
