The hacking group OilRig, with suspected ties to Iran, has been targeting Israeli manufacturing companies, local government organizations and the healthcare industry for over a year.
Researchers at IT security manufacturer ESET have uncovered a campaign by the APT group “OilRig” (also known as APT34, Lyceum, Crambus or Siamesekitten), which has been attacking local government organizations, manufacturing companies and also the healthcare sector in Israel since 2022.
OilRig uses legitimate cloud service providers for data exfiltration
The criminals, who are believed to be from Iran, are trying to penetrate the networks of Israeli organizations and find and exfiltrate sensitive data. For this purpose, OilRig uses a variety of new downloaders such as SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent and OilBooster. The distribution route is unusual: the hacker group uses legitimate cloud service providers for command and control communication (C&C) and data exfiltration. These include Microsoft Graph OneDrive, Outlook Application Programming Interfaces (APIs) and Microsoft Office Exchange Web Services API.
The OilRig toolset downloaders, including SC5k and OilCheck, are not particularly sophisticated. According to ESET researcher Zuzana Hromcová, who analyzed the malware together with ESET researcher Adam Burgher, OilRig is a group to be wary of. They continually develop new variants, experiment with different cloud services and programming languages, and constantly try to compromise their goals.
According to ESET Telemetry, OilRig limited the use of its downloaders to a small number of targets. Interestingly, these had already been attacked by other OilRig tools months before. Since it is common for companies to access Office 365 resources, OilRig can more easily integrate cloud-powered downloaders into regular network traffic.
The trail most likely leads to OilRig
ESET most likely attributes SC5k (v1-v3), OilCheck, ODAgent and OilBooster to OilRig. These downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors, which were recently added to the OilRig toolset and use email-based C&C protocols. The difference is that SC5k, OilBooster, ODAgent and OilCheck do not use the victim's internal infrastructure, but cloud service accounts controlled by the attackers.
Repeated attacks on the same targets
The ODAgent downloader was discovered on the network of a manufacturing company in Israel. Interestingly, the same company was previously affected by the OilRig downloader SC5k and later by another new downloader, OilCheck, between April and June 2022. Although they have similar features to ODAgent, they use cloud-based email services for their C&C communications. In 2022, this pattern repeated itself several times. New downloaders were deployed in the networks of former OilRig targets. Between June and August 2022, the downloaders OilBooster, SC5k v1 and SC5k v2 as well as the backdoor Shark were discovered. These were all installed on the network of a local government organization in Israel. ESET later discovered another version of SC5k (v3) on the network of an Israeli healthcare organization, which was also a previous OilRig victim.
About OilRig
OilRig, also known as APT34, Lyceum, Crambus or Siamesekitten, is a cyber espionage group that has been active since at least 2014. It is believed to be based in Iran. The group targets governments and a variety of economic sectors - including chemicals, energy, finance and telecommunications - in the Middle East.
More at ESET.de
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.