Iran-linked OilRig group deploys three new malware downloaders

December 14, 2023
  • The Iranian state-sponsored threat actor OilRig deployed three new malware downloaders in 2022, named ODAgent, OilCheck, and OilBooster.
  • The downloaders were used to maintain persistent access to victim organizations in Israel, including a healthcare organization and a manufacturing company.

The cyber espionage group OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, has been active since at least 2014 and has targeted a wide range of entities in the Middle East. In its recent campaigns the group has deployed novel malware such as MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.

ODAgent, first seen in February 2022, is a C#/.NET downloader that uses the Microsoft OneDrive API for command-and-control (C2) communication, letting the operators download and execute payloads on the host and exfiltrate staged files. SampleCheck5000 (SC5k), an earlier OilRig downloader, instead interacts with a shared Microsoft Exchange mailbox through the Exchange Web Services (EWS) API to download and execute additional OilRig tools.

OilBooster, like ODAgent, uses the OneDrive API for C2. OilCheck borrows SampleCheck5000's technique of extracting commands from draft messages in a shared mailbox, but reaches the Office 365 account through the Microsoft Graph API rather than EWS. OilBooster also talks to an Office 365 account over the Microsoft Graph API, but uses it to reach an actor-controlled OneDrive account and fetch commands and payloads from victim-specific folders rather than from an Outlook mailbox.

In all cases the downloaders use a shared, OilRig-operated email or cloud-storage account as the channel to the operators, and the same account is typically shared across multiple victims. The downloaders poll that account for commands and additional payloads staged by the operators, and upload command output and staged files to it. Because all of this traffic goes to legitimate Microsoft endpoints over HTTPS, domain-based blocking is of little use; detection has to key on which process on the host is talking to OneDrive, Graph or EWS, and how regularly.
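The following is an added detection example, not code from the original article or from the ESET research it summarizes. It runs over a few constructed proxy/EDR-style telemetry lines and flags (host, process, destination) triples where a process outside an expected allow-list contacts one of the Microsoft services the downloaders abuse, reporting the hit count and the median interval between connections so a fixed polling cadence stands out. The endpoint hostnames, the allow-list of expected processes, the log format and the process names in the sample (svcupd.exe, conhost64.exe) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Endpoints of the legitimate Microsoft services the article says OilRig's downloaders
# use for C2: OneDrive API (ODAgent, OilBooster), Microsoft Graph (OilCheck, OilBooster)
# and Exchange Web Services (SampleCheck5000). Hostnames are an assumption; adjust to
# what your own proxy logs show.
CLOUD_C2_ENDPOINTS = {
    "api.onedrive.com": "OneDrive API",
    "graph.microsoft.com": "Microsoft Graph",
    "outlook.office365.com": "Exchange Web Services",
}

# Processes expected to talk to these services. Assumption: an allow-list tuned to
# this constructed environment, not a universal baseline.
EXPECTED_PROCESSES = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "chrome.exe",
    "winword.exe", "excel.exe",
}

# Constructed telemetry: timestamp, host, process image name, destination host.
# The process names svcupd.exe and conhost64.exe are invented for the example.
SAMPLE_LOG = """\
2022-02-15T09:00:00Z host=WS-FIN-07 proc=OneDrive.exe dst=api.onedrive.com
2022-02-15T09:00:10Z host=WS-FIN-07 proc=msedge.exe dst=graph.microsoft.com
2022-02-15T09:01:00Z host=WS-HR-12 proc=svcupd.exe dst=api.onedrive.com
2022-02-15T09:02:00Z host=WS-HR-12 proc=svcupd.exe dst=api.onedrive.com
2022-02-15T09:03:00Z host=WS-HR-12 proc=svcupd.exe dst=api.onedrive.com
2022-02-15T09:04:00Z host=WS-HR-12 proc=svcupd.exe dst=api.onedrive.com
2022-02-15T09:05:00Z host=WS-LAB-03 proc=outlook.exe dst=outlook.office365.com
2022-02-15T09:06:30Z host=WS-LAB-03 proc=conhost64.exe dst=outlook.office365.com
2022-02-15T09:07:00Z host=WS-LAB-03 proc=powershell.exe dst=graph.microsoft.com
2022-02-15T09:17:00Z host=WS-LAB-03 proc=powershell.exe dst=graph.microsoft.com
2022-02-15T09:27:00Z host=WS-LAB-03 proc=powershell.exe dst=graph.microsoft.com
"""


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    if not all(k in rec for k in ("host", "proc", "dst")):
        return None
    rec["proc"] = rec["proc"].lower()  # image names are case-insensitive on Windows
    rec["dst"] = rec["dst"].lower()
    return rec


def find_suspicious(log_text, min_hits=1):
    """Return findings for (host, process, destination) triples where a process not on
    the allow-list reached a C2-capable cloud endpoint. Each finding carries the number
    of connections and the median gap between them in seconds (None for a single hit);
    a steady gap is the signature of a polling loop such as these downloaders run."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in CLOUD_C2_ENDPOINTS:
            continue
        if rec["proc"] in EXPECTED_PROCESSES:
            continue
        groups[(rec["host"], rec["proc"], rec["dst"])].append(rec["ts"])

    findings = []
    for (host, proc, dst), stamps in sorted(groups.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        findings.append({
            "host": host,
            "process": proc,
            "destination": dst,
            "service": CLOUD_C2_ENDPOINTS[dst],
            "hits": len(stamps),
            "median_interval_sec": median(gaps) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the sample data the two expected-process lines are dropped, while svcupd.exe polling the OneDrive API once a minute and powershell.exe hitting Graph every ten minutes surface with a clean median interval; the single conhost64.exe connection to the EWS host is still reported, just without a cadence. In production the allow-list is the part to tune: Office and browser processes legitimately use all three services, so the signal is in the process context and the regularity, not the destination.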
