The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel.
The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k).
“These lightweight downloaders […] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API,” security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News.
By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group’s attack infrastructure.
Some of the targets of the campaign include an organization in the healthcare sector, a manufacturing company, and a local governmental organization, among others. All the victims are said to have been previously targeted by the threat actor.
Beat AI-Powered Threats with Zero Trust – Webinar for Security Professionals
Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.
The exact initial access vector used to compromise the targets is currently unclear and it’s not known if the attackers managed to retain their foothold in the networks so as to deploy these downloaders at various points of time in 2022.
OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that’s known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East.
ODAgent, first detected in February 2022, is a C#/.NET downloader that utilizes Microsoft OneDrive API for command-and-control (C2) communications, allowing the threat actor to download and execute payloads, and exfiltrate staged files.
SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.
OilBooster, in the same way as ODAgent, uses Microsoft OneDrive API for C2, whereas OilCheck adopts the same technique as SampleCheck5000 to extract commands embedded in draft messages. But instead of using the EWS API, it leverages Microsoft Graph API for network communications.
OilBooster is also similar to OilCheck in that it employs the Microsoft Graph API to connect to a Microsoft Office 365 account. What’s different this time around is that the API is used to interact with an actor-controlled OneDrive account as opposed to an Outlook account in order to fetch commands and payloads from victim-specific folders.
These tools also share similarities with MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization’s Exchange Server is used to send messages to the attacker’s email account.
“In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims,” the researchers explained.
“The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.”