OilRig Group unveils 3 fresh malware downloaders, courtesy of Iran.

December 14, 2023
1 min read
  • The Iranian state-sponsored threat actor OilRig deployed three new downloader malware in 2022; these have been named ODAgent, OilCheck, and OilBooster.
  • These downloaders were used to maintain persistent access to victim organizations in Israel, including a healthcare organization and a manufacturing company.

The cyber espionage group OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, has been active since at least 2014 and has targeted a wide range of entities in the Middle East. In 2022, the hacking crew launched several attacks, leveraging novel malware like MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.

ODAgent, first detected in February 2022, is a C#/.NET downloader that uses the Microsoft OneDrive API for command-and-control (C2) communications. This allows the threat actor to download and execute payloads and exfiltrate staged files. On the other hand, SampleCheck5000 was designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.

OilBooster uses the Microsoft OneDrive API for C2, similarly to ODAgent, while OilCheck adopts the same technique as SampleCheck5000 to extract commands from draft messages. However, instead of using the EWS API, it leverages the Microsoft Graph API for network communications. OilBooster also uses the Microsoft Graph API to connect to a Microsoft Office 365 account, like OilCheck, but the API is used to interact with an actor-controlled OneDrive account to fetch commands and payloads from victim-specific folders instead of an Outlook account.

In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators. The same account is typically shared by multiple victims. The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.

Latest from Blog

Juggling AI cybersecurity highs and lows

TLDR: At the 2024 MIT Sloan CIO Symposium, industry leaders discussed the challenge of balancing AI’s benefits with its security risks, particularly focusing on generative AI. While generative AI can bring benefits

Get your free Cyber Security eBook now Valued at $169

“`html TLDR: Key Points: Claim your complimentary eBook worth $169 for free before May 22. The eBook covers practical applications of cyber security and network security for professionals, engineers, scientists, and students.