Throughout 2022, the Iranian threat group OilRig developed a series of new downloaders that used legitimate cloud storage and cloud-based email services for command and control (C&C) as well as data exfiltration. These downloaders were used specifically against entities in Israel, many of which had previously been compromised by other OilRig tools. This pattern suggests that OilRig favored these lightweight yet effective downloaders to maintain access to networks of interest. The downloaders included SC5k, OilBooster, ODAgent, and OilCheck; they differed from other OilRig backdoors such as MrPerfectionManager and PowerExchange in that they used attacker-controlled cloud service accounts rather than the victim’s internal infrastructure. This shift to legitimate cloud service providers for C&C communication was intended to hide malicious traffic within normal cloud usage and to obscure the group’s network infrastructure.
Among the tools developed by OilRig, OilBooster is notable. It is a 64-bit portable executable written in Microsoft Visual C/C++ with statically linked OpenSSL and Boost libraries. OilBooster uses the Microsoft Graph API to interact with a OneDrive account controlled by the attackers for C&C communication and exfiltration, unlike OilCheck, which uses the same API but interacts with an Outlook account. OilBooster's capabilities include downloading files from the remote server, executing files and shell commands, and exfiltrating results.
The SC5k v3 downloader, another tool in OilRig’s arsenal, uses a shared Exchange account for C&C communication. It indicates its active status to attackers by creating a new draft in the Exchange account with a specific From field. This keep-alive message is renewed with each connection to the remote Exchange server.
OilCheck, discovered in April 2022, is a C#/.NET downloader that also uses draft messages in a shared email account for C&C communication. Unlike SC5k, OilCheck manually builds API requests to access a shared Microsoft Office 365 Outlook email account using the REST-based Microsoft Graph API.
OilBooster's downloader loop involves connecting to the shared OneDrive account to retrieve files with specific extensions in a victim-specific subdirectory. If unsuccessful after multiple attempts, it connects to a fallback C&C server to acquire a new refresh token.
For processing downloaded files, OilBooster distinguishes between files with .doc and .docx extensions. Files with the .doc extension are actually JSON files with encrypted commands, which are executed on the compromised host. Files with the .docx extension are compressed and encrypted files that are unpacked on the compromised system.
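The .doc and .docx names described above are a mismatch between file extension and file content: a genuine legacy .doc begins with the Compound File (OLE) signature and a genuine .docx is a ZIP container, whereas the post describes JSON text and opaque encrypted blobs under those extensions. The following check is an added example, not code from the post or from ESET's research; it flags Office-named files whose leading bytes do not match the expected container format and, as a second triage step, compares SHA-1 hashes against the IoC list given later in this post. The sample files, including the JSON-like and encrypted-looking payloads, are constructed here for illustration.

```python
import hashlib
import io
import json
import zipfile

# SHA-1 hashes copied from this post's IoC section.
KNOWN_SHA1 = {
    "ea8c3e9f418dcf92412eb01fcdcdc81fdd591bf1", "e78830384ff14a58df36303602bc9a2c0334a2a4",
    "ddf0b7b509b240aab6d4ab096284a21d9a3cb910", "c225e0b256edb9a2ea919bacc62f29319de6cb11",
    "c04f874430c261aabd413f27953d30303c382953", "be9b6aca8a175df61f2c75932e029f19789fd7e3",
    "ba439d2fc3298675f197c8b17b79f34485271498", "aef3140cd0ee6f49bfcc41f086b7051908b91bdd",
    "aae958960657c52b848a7377b170886a34f4ae99", "a97f4b4519947785f66285b546e13e52661a6e6f",
    "a56622a6ef926568d0bdd56fedbff14bd218ad37", "8d84d32df5768b0d4d2ab8b1327c43f17f182001",
    "7e498b3366f54e936cb0af767bfc3d1f92d80687", "7ad4dcda1c65accc9ef1e168162de7559d2fdf60",
    "6001a008a3d3a0c672e80960387f4b10c0a7bd9b", "51b6ec5de852025f63740826b8edf1c8d22f9261",
    "3bf19ae7fb24fce2509623e7e0d03b5a872456d4", "35e0e78ec35b68d3ee1805eeceea352c5fe62eb6",
    "2236d4dcf68c65a822ff0a2ad48d4df99761ad07",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File signature (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header (OOXML .docx)

# What a file with this extension should look like at byte zero.
EXPECTED_CONTAINER = {".doc": "ole", ".docx": "zip"}


def classify_by_magic(data: bytes) -> str:
    """Return 'ole', 'zip', 'json' or 'unknown' based on the leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip()[:1] in (b"{", b"["):
        try:
            json.loads(data)
            return "json"
        except ValueError:
            pass
    return "unknown"


def find_extension_mismatches(files: dict) -> list:
    """Return (name, expected, actual) for Office-named files whose content disagrees."""
    findings = []
    for name, data in files.items():
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        expected = EXPECTED_CONTAINER.get(ext)
        if expected is None:
            continue  # not an extension this check cares about
        actual = classify_by_magic(data)
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


def match_known_hashes(files: dict) -> list:
    """Names of files whose SHA-1 appears in the post's IoC list."""
    return [name for name, data in files.items()
            if hashlib.sha1(data).hexdigest() in KNOWN_SHA1]


def _build_docx_like() -> bytes:
    """Minimal ZIP container standing in for a real .docx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


# Constructed sample set: two well-formed documents and two mismatches of the
# kind the post describes (JSON under .doc, opaque encrypted bytes under .docx).
SAMPLE_FILES = {
    "report.doc": OLE_MAGIC + b"\x00" * 24,
    "memo.docx": _build_docx_like(),
    "update.doc": b'{"id": 7, "data": "AAAA"}',
    "archive.docx": b"\x8b\x13\x00\x41" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, expected, actual in find_extension_mismatches(SAMPLE_FILES):
        print(f"{name}: expected {expected} container, found {actual}")
    for name in match_known_hashes(SAMPLE_FILES):
        print(f"{name}: SHA-1 matches a known OilRig sample")
```

Run against a directory synced from OneDrive, the mismatch check is cheap enough to apply to every newly written .doc/.docx; the hash check only catches the exact samples listed here, so the magic-byte check is the one that generalises to new variants.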
In terms of exfiltration, OilBooster compresses and encrypts files from a local directory and uploads them to the victim’s folder on the shared OneDrive account.
ODAgent, a precursor to OilBooster, is another application developed by OilRig. It is a C#/.NET application that uses the Microsoft Graph API to access an attacker-controlled OneDrive account for similar purposes.
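The common thread in OilBooster, OilCheck and ODAgent is that the C&C channel is the Microsoft Graph API itself, reached from a process that is not one of the Microsoft clients that normally talk to it. The detection logic below is an added example written for this post, not code from ESET or from the malware; it parses constructed endpoint log lines of the form `timestamp process host method path`, ignores a (assumed, environment-specific) allowlist of legitimate Graph clients, and groups the remaining Graph traffic by process into the two endpoint families the post describes: OneDrive drive items and mail drafts. A process that both reads and writes one of those families is rated higher, since that is the download-then-upload pattern the post attributes to OilBooster. Process names and paths in the sample are constructed.

```python
import re
from collections import defaultdict

GRAPH_HOST = "graph.microsoft.com"

# Assumed allowlist of processes expected to use Graph on a managed workstation;
# replace with the environment's own baseline.
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "winword.exe", "excel.exe",
}

# Endpoint families that the post's downloaders rely on.
DRIVE_PATH = re.compile(r"^/v1\.0/(me|users/[^/]+)/drive/", re.I)
DRAFTS_PATH = re.compile(r"^/v1\.0/(me|users/[^/]+)/mailFolders/drafts/", re.I)
WRITE_METHODS = {"PUT", "POST", "PATCH"}

# Constructed log format: "<timestamp> <process> <host> <method> <path>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


def parse_line(line: str):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_endpoint(path: str) -> str:
    if DRIVE_PATH.match(path):
        return "onedrive"
    if DRAFTS_PATH.match(path):
        return "mail-drafts"
    return "other"


def analyze(lines) -> list:
    """Return one finding per (unexpected process, Graph endpoint family)."""
    per_process = defaultdict(lambda: {"onedrive": set(), "mail-drafts": set(), "other": set()})
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["host"].lower() != GRAPH_HOST:
            continue
        proc = ev["proc"].lower()
        if proc in EXPECTED_GRAPH_CLIENTS:
            continue
        per_process[proc][classify_endpoint(ev["path"])].add(ev["method"])

    findings = []
    for proc, families in per_process.items():
        for family, methods in families.items():
            if not methods:
                continue
            # Read plus write on a C&C-capable family = fetch tasks and upload results.
            two_way = "GET" in methods and bool(methods & WRITE_METHODS)
            severity = "high" if family != "other" and two_way else "medium"
            findings.append({"process": proc, "endpoint": family,
                             "methods": sorted(methods), "severity": severity})
    return findings


# Constructed sample: one legitimate OneDrive client, one legitimate Outlook client,
# one unexpected process working a per-host OneDrive folder both ways, and one
# unexpected process reading the drafts folder.
SAMPLE_LOG = [
    "2023-11-02T10:15:01Z OneDrive.exe graph.microsoft.com GET /v1.0/me/drive/root/children",
    "2023-11-02T10:15:07Z updater.exe graph.microsoft.com GET /v1.0/me/drive/root:/WS-4F2A:/children",
    "2023-11-02T10:15:09Z updater.exe graph.microsoft.com GET /v1.0/me/drive/items/01ABC/content",
    "2023-11-02T10:16:40Z updater.exe graph.microsoft.com PUT /v1.0/me/drive/root:/WS-4F2A/out.docx:/content",
    "2023-11-02T10:20:00Z OUTLOOK.EXE graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages",
    "2023-11-02T10:21:13Z report.exe graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages",
    "2023-11-02T10:22:00Z chrome.exe www.example.com GET /",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['process']} -> {f['endpoint']} {f['methods']}")
```

The allowlist is the weak point of this rule: a downloader that injects into or masquerades as a Microsoft binary will not be caught by process name alone, so in practice the rule should be paired with a check on the signing status or image path of the process, which this example does not model.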
These tools, while not particularly sophisticated and somewhat noisy on the system, demonstrate OilRig's continuous development and testing of new variants. The group's experimentation with various cloud services and different programming languages, as well as its persistence in re-compromising the same targets, underscores the potential threat posed by OilRig in the cybersecurity landscape.
IoC
URL
- http://host1.com/rt.ovf
SHA1
- ea8c3e9f418dcf92412eb01fcdcdc81fdd591bf1
- e78830384ff14a58df36303602bc9a2c0334a2a4
- ddf0b7b509b240aab6d4ab096284a21d9a3cb910
- c225e0b256edb9a2ea919bacc62f29319de6cb11
- c04f874430c261aabd413f27953d30303c382953
- be9b6aca8a175df61f2c75932e029f19789fd7e3
- ba439d2fc3298675f197c8b17b79f34485271498
- aef3140cd0ee6f49bfcc41f086b7051908b91bdd
- aae958960657c52b848a7377b170886a34f4ae99
- a97f4b4519947785f66285b546e13e52661a6e6f
- a56622a6ef926568d0bdd56fedbff14bd218ad37
- 8d84d32df5768b0d4d2ab8b1327c43f17f182001
- 7e498b3366f54e936cb0af767bfc3d1f92d80687
- 7ad4dcda1c65accc9ef1e168162de7559d2fdf60
- 6001a008a3d3a0c672e80960387f4b10c0a7bd9b
- 51b6ec5de852025f63740826b8edf1c8d22f9261
- 3bf19ae7fb24fce2509623e7e0d03b5a872456d4
- 35e0e78ec35b68d3ee1805eeceea352c5fe62eb6
- 2236d4dcf68c65a822ff0a2ad48d4df99761ad07
REFERENCES
- https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/
- https://otx.alienvault.com/pulse/657b11ab57c4b75f5004b236
TAGS
oilrig, oilbooster, sc5k, odagent, oilcheck, victimid, python, milan, apt34, dnspionage, cmex, c#/.net, industrial