OilRig APT Uses Downloader Malware for Cyberespionage

Written by Gabby Lee

December 15, 2023

OilRig APT Uses Downloader Malware for Cyberespionage

Iranian state-sponsored threat actor OilRig, also known as APT34, continued its cyber espionage endeavors throughout 2022, deploying three distinctive downloader malware—ODAgent, OilCheck, and OilBooster. Slovak cybersecurity company ESET unveiled these findings, shedding light on the group’s tactics, techniques, and procedures.

OilRig APT Uses Downloader Malware for Cyberespionage

Using Legitimate Cloud Service for C2 Communications and Data Exfiltration

OilRig APT Uses Downloader Malware for Cyberespionage

These newly identified downloaders exhibited a unique strategy by utilizing legitimate cloud service APIs for command-and-control communication and data exfiltration. Notably, Microsoft Graph OneDrive and Outlook APIs, alongside the Microsoft Office Exchange Web Services (EWS) API, were leveraged.

This approach allows OilRig to camouflage its activities within genuine network traffic, evading detection and maintaining the secrecy of its attack infrastructure.

OilRig’s targets in this campaign encompassed various sectors, including healthcare, manufacturing, and local government organizations. Notably, all victims had previously encountered the threat actor. The exact initial access vector remains unclear.

OilRig APT Uses Downloader Malware for Cyberespionage

The Downloader Profiles

ODAgent: A C#/.NET downloader discovered in February 2022. It employs the Microsoft OneDrive API for command-and-control communication, allowing the threat actor to download and execute payloads while exfiltrating staged files.

SampleCheck5000: An updated version of a known OilRig downloader. It interacts with a shared Microsoft Exchange mail account, using the Office Exchange Web Services (EWS) API to download and execute additional OilRig tools.

OilBooster: Similar to ODAgent, it uses the Microsoft OneDrive API for command-and-control. OilBooster. However, it differs by connecting to a Microsoft Office 365 account via the Microsoft Graph API to fetch commands and payloads from victim-specific folders.

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter

 

Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!