APT Threat Actor ‘OilRig’ Returns

Saturday, July 25th, 2020

OilRig, an APT threat actor first discovered in 2017, has recently resurfaced and has been linked to a series of cyberattacks on a telecom company in the Middle East. These attacks are especially alarming because they used a revised version of a backdoor tool attributed to the group, named RDAT. Also first discovered in 2017, RDAT is a backdoor used specifically by OilRig and has gone through substantial changes since its debut.

What makes this backdoor especially troubling is its use of steganography to hide commands and data within bitmap images attached to emails. While this command-and-control channel was only recently discovered, Palo Alto Networks' Unit 42, which uncovered the recent attack, believes that the steganography capability was added to RDAT in 2018. That update allows RDAT to use Exchange Web Services to send and receive emails for C2 communications. In their report, Unit 42 claims that

                This email-based C2 channel is novel in its design, as it relies on steganography to hide commands and exfiltrates data within BMP images attached to the emails. The combination of using emails with steganographic images to carry the data across the C2 can result in this activity being much more difficult to detect and allow for higher chances of defense evasion.
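The channel described above gives a mail gateway or sandbox a concrete place to look: BMP attachments whose contents are not what a plain picture should look like. The script below is an added example written for this post; it is not code from the original article or from Unit 42's report, and the page does not say how RDAT actually encodes its data. Both checks are therefore generic, assumption-labelled heuristics: bytes appended after the pixel array the BMP header declares (also visible as a mismatched file-size field), and the chi-square "pairs of values" steganalysis test of Westfeld and Pfitzmann, which reacts to least-significant-bit embedding of high-entropy data. The sample images, the 3.0 triage threshold and all function names are constructed here so the file runs offline.

```python
"""Added example (not the post's or Unit 42's code): triage of BMP attachments
for appended data and for LSB-plane statistics consistent with steganographic
embedding. Checks, thresholds and fixtures are assumptions labelled below."""
import random
import struct

SAMPLE_W, SAMPLE_H = 64, 64
_rng = random.Random(1)  # seeded so the constructed fixture is reproducible
TRAILER = b"constructed-trailer-data" * 8


def build_bmp(width, height, pixel_fn, trailer=b""):
    """Build a 24-bit uncompressed BMP from pixel_fn(x, y) -> (r, g, b).

    Constructed test input. The header's file-size field covers headers and
    pixel array only, so an appended trailer leaves it inconsistent."""
    row_bytes = (width * 3 + 3) // 4 * 4          # rows are padded to 4 bytes
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            r, g, b = pixel_fn(x, y)
            row += bytes((b, g, r))                  # BMP stores BGR
        row += b"\x00" * (row_bytes - width * 3)
        rows.append(bytes(row))
    pixels = b"".join(reversed(rows))                # bottom-up row order
    offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + trailer


def parse_bmp(data):
    """Return (width, height, pixel_offset, row_bytes, declared_file_size)."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]
    offset = struct.unpack_from("<I", data, 10)[0]
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    return width, abs(height), offset, (width * 3 + 3) // 4 * 4, declared_size


def lsb_pairs_chi_square(samples):
    """Pairs-of-values statistic over 8-bit colour samples -> (chi2, dof).

    LSB embedding of random-looking data drives the counts of each value pair
    (2k, 2k+1) towards equality, so chi2 per degree of freedom falls to about
    1 or below; untouched images normally score far higher."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi, pairs = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected == 0:
            continue
        pairs += 1
        chi += (hist[2 * k] - expected) ** 2 / expected
    return chi, max(pairs - 1, 1)


def triage_bmp(data, ratio_threshold=3.0):
    """Run both checks; ratio_threshold is an assumed triage cut-off."""
    width, height, offset, row_bytes, declared_size = parse_bmp(data)
    pixel_end = offset + row_bytes * height
    if pixel_end > len(data):
        raise ValueError("pixel array truncated")
    samples = []
    for r in range(height):                          # skip row padding bytes
        start = offset + r * row_bytes
        samples.extend(data[start:start + width * 3])
    chi, dof = lsb_pairs_chi_square(samples)
    ratio = chi / dof
    return {
        "trailing_bytes": len(data) - pixel_end,
        "size_mismatch": declared_size != len(data),
        "chi2_per_dof": round(ratio, 2),
        "lsb_equalised": ratio < ratio_threshold,
        "suspicious": len(data) > pixel_end or ratio < ratio_threshold,
    }


def clean_pixel(x, y):
    """Constructed smooth grey ramp standing in for an untouched image."""
    v = (x * 7) & 0xFF
    return v, v, v


def lsb_noise_pixel(x, y):
    """Same image with a random least-significant bit in every colour sample:
    the statistical footprint a high-entropy LSB payload leaves (constructed)."""
    return tuple((v & 0xFE) | _rng.getrandbits(1) for v in clean_pixel(x, y))


CLEAN_BMP = build_bmp(SAMPLE_W, SAMPLE_H, clean_pixel)
LSB_BMP = build_bmp(SAMPLE_W, SAMPLE_H, lsb_noise_pixel)
TRAILER_BMP = build_bmp(SAMPLE_W, SAMPLE_H, clean_pixel, trailer=TRAILER)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("lsb-noise", LSB_BMP), ("trailer", TRAILER_BMP)):
        print(name, triage_bmp(blob))
```

Photographic images with sensor noise can also show near-equal value pairs, so treat a low chi-square ratio as a reason to pull the attachment and the sending mailbox into analyst review rather than as proof of embedding; the trailing-data check, by contrast, has no legitimate explanation in a well-formed BMP and is a much stronger signal on its own.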

It’s also important to note that, along with RDAT, OilRig has used custom Mimikatz tools to collect credentials, Bitvise to create SSH tunnels, and PowerShell downloaders to perform post-exploitation activities.

OilRig is believed to be a state-sponsored group operating with the help of the Iranian intelligence agency as well as the Islamic Revolutionary Guard Corps. Its main purpose appears to be espionage targeted at financial, aviation, infrastructure, government, and university organizations centered in the Middle East region. The group is also tracked as Cobalt Gypsy, Crambus, Helix Kitten, and APT34, and is known for continually evolving its tools.


Indicators of Compromise:

  • Files Associated with Attack on Telecommunications Organization
    • 4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
      • RDAT backdoor
    • e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060
      • Custom Mimikatz
    • 476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae
      • Bitvise client
    • 78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5
      • PowerShell downloader
  • RDAT Samples
    • 7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2
    • 8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb
    • 8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a
    • bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035
    • f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0
    • fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c
    • 7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28
    • ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc
    • de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9
    • 4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
    • acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323
    • 55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358
    • ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d
    • 6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006
  • RDAT C2 Domains
    • rdmsi[.]com
    • rsshay[.]com
    • sharjatv[.]com
    • wwmal[.]com
    • allsecpackupdater[.]com
    • tacsent[.]com
    • acrlee[.]com
    • kopilkaorukov[.]com
  • Related Infrastructure
    • digi.shanx[.]icu
    • tprs-servers[.]eu
    • oudax[.]com
    • kizlarsoroyur[.]com
    • intelligent-finance[.]site
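The indicators above are published defanged (with `[.]` in place of the dot), so they have to be normalised before they can be matched against telemetry, and a naive substring match would fire on unrelated names. The following script is an added example, not part of the original post: it refangs the domain list, matches DNS queries by exact name or subdomain only, and matches endpoint file events by SHA-256. The indicator values are the page's own; the log lines, field names and event format are constructed assumptions.

```python
"""Added example (not from the original post): matching the published OilRig
indicators against constructed DNS and endpoint telemetry. The log format,
field names and events below are assumptions; only the IoCs are from the page."""
import re

# Indicators as published (defanged with "[.]" so they are not clickable)
RDAT_C2_DOMAINS = [
    "rdmsi[.]com", "rsshay[.]com", "sharjatv[.]com", "wwmal[.]com",
    "allsecpackupdater[.]com", "tacsent[.]com", "acrlee[.]com", "kopilkaorukov[.]com",
]
RELATED_INFRASTRUCTURE = [
    "digi.shanx[.]icu", "tprs-servers[.]eu", "oudax[.]com",
    "kizlarsoroyur[.]com", "intelligent-finance[.]site",
]
FILE_HASHES = {  # SHA-256 -> description, from the page
    "4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec": "RDAT backdoor",
    "e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060": "Custom Mimikatz",
    "476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae": "Bitvise client",
    "78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5": "PowerShell downloader",
}


def refang(indicator):
    """Turn a defanged domain back into a matchable hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def build_domain_watchlist():
    """Map each refanged domain to its category."""
    watch = {refang(d): "RDAT C2 domain" for d in RDAT_C2_DOMAINS}
    watch.update({refang(d): "related infrastructure" for d in RELATED_INFRASTRUCTURE})
    return watch


def match_domain(fqdn, watchlist):
    """Exact or subdomain match; returns (indicator, category) or None.

    The leading dot in the suffix test stops 'notrdmsi.com' and
    'rdmsi.com.example.org' from matching 'rdmsi.com'."""
    fqdn = fqdn.strip().lower().rstrip(".")
    for indicator, category in watchlist.items():
        if fqdn == indicator or fqdn.endswith("." + indicator):
            return indicator, category
    return None


# Constructed DNS query log (assumed key=value format)
DNS_LOG = """\
2020-07-20T10:15:02Z src=10.0.0.5 query=mail.rdmsi.com type=A
2020-07-20T10:15:07Z src=10.0.0.5 query=notrdmsi.com type=A
2020-07-20T10:16:11Z src=10.0.0.9 query=rdmsi.com.example.org type=A
2020-07-20T10:17:40Z src=10.0.0.12 query=tprs-servers.eu type=TXT
2020-07-20T10:18:03Z src=10.0.0.12 query=www.example.com type=A
"""

# Constructed endpoint file events (assumed format)
FILE_EVENTS = [
    {"host": "ws-17", "path": "C:\\Users\\Public\\svc.exe",
     "sha256": "4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec"},
    {"host": "ws-22", "path": "C:\\Windows\\System32\\notepad.exe",
     "sha256": "0" * 64},
]

_QUERY = re.compile(r"\bquery=(\S+)")


def scan_dns_log(text, watchlist=None):
    """Return one hit per matching line: (timestamp, src, fqdn, indicator, category)."""
    watchlist = watchlist or build_domain_watchlist()
    hits = []
    for line in text.splitlines():
        m = _QUERY.search(line)
        if not m:
            continue
        match = match_domain(m.group(1), watchlist)
        if match:
            fields = line.split()
            src = next((f[4:] for f in fields if f.startswith("src=")), "?")
            hits.append((fields[0], src, m.group(1), match[0], match[1]))
    return hits


def scan_file_events(events):
    """Return (host, path, description) for events whose SHA-256 is on the list."""
    return [(e["host"], e["path"], FILE_HASHES[e["sha256"].lower()])
            for e in events if e["sha256"].lower() in FILE_HASHES]


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG):
        print("DNS hit:", hit)
    for hit in scan_file_events(FILE_EVENTS):
        print("file hit:", hit)
```

Note that the RDAT sample hash appears in both the telecom-attack list and the general RDAT sample list above; a production watchlist should deduplicate on the hash and keep every description attached to it so an alert names all the contexts the indicator was reported in.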