The Iranian state-sponsored menace actor referred to as OilRig deployed three completely different downloader malware all through 2022 to keep up persistent entry to sufferer organizations situated in Israel.
The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity firm ESET. The assaults additionally concerned using an up to date model of a identified OilRig downloader dubbed SampleCheck5000 (or SC5k).
“These light-weight downloaders […] are notable for utilizing one in every of a number of reliable cloud service APIs for [command-and-control] communication and knowledge exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Workplace Alternate Net Companies (EWS) API,” safety researchers Zuzana Hromcová and Adam Burgher mentioned in a report shared with The Hacker Information.
Through the use of well-known cloud service suppliers for command-and-control communication, the objective is to mix with genuine community visitors and canopy up the group’s assault infrastructure.
A number of the targets of the marketing campaign embrace a corporation within the healthcare sector, a producing firm, and a neighborhood governmental group, amongst others. All of the victims are mentioned to have been beforehand focused by the menace actor.
Beat AI-Powered Threats with Zero Belief – Webinar for Safety Professionals
Conventional safety measures will not minimize it in in the present day’s world. It is time for Zero Belief Safety. Safe your knowledge like by no means earlier than.
The precise preliminary entry vector used to compromise the targets is presently unclear and it isn’t identified if the attackers managed to retain their foothold within the networks in order to deploy these downloaders at varied factors of time in 2022.
OilRig, also called APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (previously EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that is identified to be energetic since at the least 2014, utilizing a variety of malware at its disposal to focus on entities within the Center East.
This 12 months alone, the hacking crew has been noticed leveraging novel malware like MrPerfectionManager, PowerExchange, Photo voltaic, Mango, and Menorah.
ODAgent, first detected in February 2022, is a C#/.NET downloader that makes use of Microsoft OneDrive API for command-and-control (C2) communications, permitting the menace actor to obtain and execute payloads, and exfiltrate staged information.
SampleCheck5000, then again, is designed to work together with a shared Microsoft Alternate mail account to obtain and execute further OilRig instruments utilizing the Workplace Alternate Net Companies (EWS) API.
OilBooster, in the identical means as ODAgent, makes use of Microsoft OneDrive API for C2, whereas OilCheck adopts the identical method as SampleCheck5000 to extract instructions embedded in draft messages. However as an alternative of utilizing the EWS API, it leverages Microsoft Graph API for community communications.
OilBooster can also be just like OilCheck in that it employs the Microsoft Graph API to hook up with a Microsoft Workplace 365 account. What’s completely different this time round is that the API is used to work together with an actor-controlled OneDrive account versus an Outlook account as a way to fetch instructions and payloads from victim-specific folders.
These instruments additionally share similarities with MrPerfectionManager and PowerExchange backdoors in terms of utilizing email-based C2 protocols to exfiltrate knowledge, though within the case of the latter, the victimized group’s Alternate Server is used to ship messages to the attacker’s e mail account.
“In all circumstances, the downloaders use a shared (e mail or cloud storage) OilRig-operated account to change messages with the OilRig operators; the identical account is often shared by a number of victims,” the researchers defined.
“The downloaders entry this account to obtain instructions and extra payloads staged by the operators, and to add command output and staged information.”
