OilRig is a well-known Iran-aligned cyberespionage group, allegedly under the MOIS (Ministry of Intelligence and Security), that has been targeting Middle Eastern governments and a variety of business verticals since at least 2014. In this presentation, Zuzana Hromcová discusses the group’s persistent attacks on Israeli healthcare and local governments, often with the same organizations targeted multiple times over the course of several years, suggesting that OilRig considers them to be of high espionage value.
Zuzana explores how an Israeli local government organization and a group of healthcare organizations recovered from the Out to Sea compromise in 2021 only to find themselves retargeted by several versions of OilRig’s SC5k downloader, followed by the new OilBooster and Mango backdoors throughout 2022.
In the process, she discloses the previously undocumented 2021 Outer Space and 2022 Juicy Mix campaigns, notable for their new C# backdoors, dubbed Solar and Mango, and a set of custom postcompromise tools used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager. Although not sophisticated tools, they are tweaked frequently, and the talk inspects their added layers of obfuscation and detection evasion techniques.
This wide-ranging talk also discusses OilRig’s ongoing shift away from traditional C&C infrastructure towards Microsoft APIs and looks at the mechanism behind OilRig’s use of the OneDrive API (OilBooster) and Microsoft Office 365 API (SC5k downloader) for its C&C communications, and the difficulty this presents for tracking the threat actor.
Zuzana concludes with a breakdown of the group’s characteristic TTPs, noting how they remain unchanged despite the constant stream of updated and newly developed tools – including their frequent coding mistakes, noisy presence on compromised systems, and other characteristics that make it possible for researchers to keep a close eye on the group.
About the Author
Zuzana Hromcová is a malware researcher at ESET’s Montréal research team. Her professional journey has been shaped by both her studies – she holds a master’s degree in computer science – as well as her interest in solving logical puzzles and challenges. Three-times a Slovak sudoku champion, with numerous appearances at World Sudoku and World Puzzle Championships, she spent a decade sharpening her analytical skills for a job that was yet to come.
In 2016, she joined ESET and moved on from solving logical puzzles to dissecting malicious binaries and dismantling espionage campaigns. Zuzana focuses on targeted threats and is a frequent speaker at security conferences, having shared her research with the audience at RSAC, Black Hat, BlueHat IL, Virus Bulletin and other events.
About LABScon
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
Keep up with all the latest on LABScon 2024 here.