ESET researchers analyzed a growing series of new OilRig downloaders that the group used in several campaigns throughout 2022 to maintain access to target organizations of special interest, all located in Israel.
They include an organization in the healthcare sector, a manufacturing company, and a local governmental organization.
OilRig is an APT group believed to be based in Iran, and its operations, as are these latest downloaders, are aimed at cyberespionage.
ESET attributes SC5k, OilCheck, ODAgent, and OilBooster to OilRig with a high level of confidence.
These downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors - other recent additions to OilRig's toolset that use email-based C&C protocols - with the difference that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts rather than the victim's internal infrastructure.
The downloader ODAgent was detected in the network of a manufacturing company in Israel - interestingly, the same organization was previously affected by OilRig's SC5k downloader, and later by another new downloader, OilCheck, between April and June 2022.
SC5k and OilCheck have similar capabilities to ODAgent but use cloud-based email services for their C&C communications.
Throughout 2022, ESET observed the same pattern being repeated on multiple occasions, with new downloaders being deployed in the networks of previous OilRig targets: For example, between June and August 2022, ESET detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel.
Later, ESET detected yet another SC5k version in the network of an Israeli healthcare organization, also a previous OilRig victim.
OilRig has used these downloaders only against a limited number of targets, according to ESET telemetry, and all of them were persistently targeted months earlier by other OilRig tools.
As it is common for organizations to access Office 365 resources, OilRig's cloud service-powered downloaders can thus blend more easily into the regular stream of network traffic - apparently also the reason why the attackers chose to deploy these downloaders to a small group of especially interesting, repeatedly victimized targets.
OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran.
The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Fri, 15 Dec 2023 12:13:05 +0000