Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over

Prolific Iranian advanced persistent threat group OilRig has repeatedly targeted several Israeli organizations throughout 2022 in cyberattacks that were notable for leveraging a series of custom downloaders that use legitimate Microsoft cloud services to conduct attacker communications and exfiltrate data.
OilRig in the attacks deployed four specific new downloaders - SampleCheck5000, ODAgent, OilCheck, and OilBooster - that were developed in the last year, adding the tools to the group's already large arsenal of custom malware, ESET researchers revealed in a blog post published Dec. 14.
Unique to the way the downloaders work versus other OilRig tools is that they use various legitimate cloud services - including Microsoft OneDrive, Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API - for command-and-control communications and data exfiltration, the researchers said.
Attack targets so far have included a healthcare organization, a manufacturing company, a local governmental organization, and several other unidentified organizations, all in Israel and most of them previous targets for the APT. The downloaders themselves are not particularly sophisticated, noted ESET researcher Zuzana Hromcová, who analyzed the malware along with ESET researcher Adam Burgher.
OilRig has used these downloaders against only a limited number of targets, all of whom were persistently targeted months earlier by other tools employed by the group.
The use of downloaders leveraging cloud services is an evasive tactic that allows the malware to blend more easily into the regular stream of network traffic - likely the reason that the APT uses them against repeat victims, according to ESET.

OilRig APT: An Evolving, Persistent Threat

OilRig is known to have been active since 2014, and primarily operates in the Middle East, targeting organizations in the region spanning a variety of industries, including but not limited to chemical, energy, financial, and telecommunications.
The group, which primarily deals in cyber espionage, was most recently tied to a supply chain attack in the UAE, but that's just one of many incidents to which it's been linked.
Last year, OilRig's various activities spurred the sanctioning of Iran's intelligence arm - which is believed to sponsor OilRig - by the US government.
ESET identified the APT as the perpetrator of the repeated attacks on Israeli organizations via the similarity between the downloaders and other OilRig tools that use email-based C2 protocols - namely, the MrPerfectionManager and PowerExchange backdoors.
OilRig appears to be a creature of habit, repeating the same attack pattern on multiple occasions, the researchers noted.
Between June and August 2022, ESET detected the OilBooster, SC5k (SampleCheck5000) v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel.
Later, ESET detected yet another SC5k version in the network of an Israeli healthcare organization, also a previous OilRig victim.
Inside OilRig's Stealthy Backdoor Malware

All of the downloaders are written in C++/.NET except OilBooster, which is written in Microsoft Visual C/C++.
Common between them is the use of a shared email or cloud storage account to exchange messages with the OilRig operators that can be used against multiple victims.
The downloaders access this account to download commands and additional payloads staged by the operators, as well as to upload command output and staged files.
SC5k, which has several variants, was the first of these cloud-service-based downloaders to appear.
All of the variants use the Microsoft Office EWS API to interact with a shared Exchange mail account as a way to download additional payloads and commands, as well as to upload data.
Unlike SC5k, OilCheck uses the REST-based Microsoft Graph API to access a shared Microsoft 365 Outlook email account, not the SOAP-based Microsoft Office EWS API. OilBooster also uses the Microsoft Graph API to connect to a Microsoft 365 account, but unlike OilCheck, it uses this API to interact with a OneDrive account controlled by the attackers for C2 communication and exfiltration rather than an Outlook account, the researchers said.
OilBooster's capabilities include downloading files from the remote server, executing files and shell commands, and exfiltrating the results.
ODAgent uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C2 communication and exfiltration and is believed to be a precursor of OilBooster, according to the researchers.
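The detail that matters for defenders in the description above is that every one of these downloaders authenticates to a Microsoft account the attackers own, not the victim's own tenant, so the traffic looks like ordinary Graph or EWS use but is bound to a foreign tenant and is typically generated by a process that is not a normal Office client. The following script is an added illustration of that idea and is not code from ESET, Dark Reading, or the malware itself; the five-field proxy log format, the organisation's tenant ID, the process allowlist, and every sample log line are constructed for the example (a real deployment would read these from the proxy's own export and the tenant from Azure AD).

```python
"""Flag workstation traffic to Microsoft cloud APIs (Graph, EWS, token
endpoint) that is authenticated against a tenant the organisation does not
own, or that comes from a process not expected to use those APIs.

Added illustration, not ESET's or Dark Reading's code.  Log format, tenant
IDs, process names and sample lines below are all constructed.
"""
import re
from collections import defaultdict

# Constructed placeholder: the tenant ID(s) the organisation actually owns.
OWN_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Tenant aliases in the token URL that cannot be attributed to a tenant from
# the path alone; they are skipped here rather than flagged.
TENANT_ALIASES = {"common", "organizations", "consumers"}

# Constructed allowlist: processes expected to talk to Graph/EWS on a client.
EXPECTED_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe"}

# Hosts behind the services the article names: EWS (SOAP), Graph (REST),
# and the OAuth token endpoint both of them authenticate through.
CLOUD_API_HOSTS = {"graph.microsoft.com", "outlook.office365.com",
                   "login.microsoftonline.com"}

TOKEN_PATH = re.compile(r"^/([^/]+)/oauth2/(?:v2\.0/)?token$", re.I)
EWS_PATH = re.compile(r"^/EWS/Exchange\.asmx", re.I)
GRAPH_PATH = re.compile(
    r"^/v1\.0/(?:me|users/[^/]+)/(?:drive|messages|mailFolders)", re.I)

# Constructed proxy log format: "<timestamp> <src host> <process> <dest host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<path>\S+)$")


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a list of (finding, detail) tuples for one parsed record."""
    findings = []
    host, path, proc = rec["host"].lower(), rec["path"], rec["proc"].lower()
    if host not in CLOUD_API_HOSTS:
        return findings
    # Token request whose tenant segment is neither ours nor an alias.
    m = TOKEN_PATH.match(path)
    if m:
        tenant = m.group(1).lower()
        if tenant not in OWN_TENANTS and tenant not in TENANT_ALIASES:
            findings.append(("foreign-tenant-token", tenant))
    # Mailbox or OneDrive API call from a process that should not make one.
    if (EWS_PATH.match(path) or GRAPH_PATH.match(path)) and proc not in EXPECTED_CLIENTS:
        findings.append(("unexpected-client", proc))
    return findings


def scan(lines):
    """Aggregate findings per source host: {src: [(finding, detail, url), ...]}."""
    report = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, detail in classify(rec):
            report[rec["src"]].append((kind, detail, rec["host"] + rec["path"]))
    return dict(report)


# Constructed sample log: ws-042 is an ordinary Office user; ws-017 shows the
# pattern the article describes (foreign tenant, non-Office process).
SAMPLE_LOG = [
    "2022-07-01T08:00:01Z ws-042 outlook.exe outlook.office365.com /EWS/Exchange.asmx",
    "2022-07-01T08:00:05Z ws-042 onedrive.exe graph.microsoft.com /v1.0/me/drive/root/children",
    "2022-07-01T08:01:10Z ws-017 updater.exe login.microsoftonline.com "
    "/22222222-2222-2222-2222-222222222222/oauth2/v2.0/token",
    "2022-07-01T08:01:11Z ws-017 updater.exe graph.microsoft.com /v1.0/me/drive/root/children",
    "2022-07-01T08:02:00Z ws-017 updater.exe outlook.office365.com /EWS/Exchange.asmx",
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG).items():
        for kind, detail, url in hits:
            print(f"{src}: {kind} ({detail}) -> {url}")
```

The tenant check only works where the proxy sees the request path on login.microsoftonline.com, which requires TLS inspection; without it, the process-allowlist check still applies to the destination host alone, at the cost of more noise from browsers and scripts that legitimately use Graph. Both checks are deliberately narrow so that they can be tuned per environment rather than matching all Microsoft 365 traffic, which is exactly what this technique is designed to hide in.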


This Cyber News was published on www.darkreading.com. Publication date: Thu, 14 Dec 2023 16:25:35 +0000

