OilRig, an Iranian-linked cyber espionage group, has been carrying out sophisticated spear-phishing campaigns and advanced infiltration techniques since 2015. Known for operations spanning intelligence gathering, surveillance, and high-profile cyberattacks, OilRig has recently ramped up its efforts against Middle Eastern entities and organizations with Iranian interests, as identified by cybersecurity researchers at Cyble.
The group constantly adapts its tools to avoid detection and has broadened its operations to include disruptive attacks such as ransomware and data-wiping. With a focus on sectors like Aerospace & Defense, BFSI, Chemicals, Education, Energy & Utilities, Government & LEA, Hospitality, IT & ITES, Technology, and Telecommunication, OilRig employs customizable attack vectors that often begin with spear-phishing or exploiting vulnerabilities in public-facing applications to deliver malware for data exfiltration.
OilRig’s suspected ties with Greenbug and its exploitation of unpatched SharePoint servers have added to its notoriety in the cyber espionage landscape. Noteworthy tactics used by the group include phishing campaigns via LinkedIn, masquerading as Cambridge University members, and leveraging known vulnerabilities like CVE-2019-0604 and CVE-2017-11882.
The group’s persistence is evident through its use of malicious loaders, VBScript, scheduled tasks, and various RATs such as Alma Communicator and BONDUPDATER. Additionally, OilRig employs living-off-the-land techniques when attacking public-facing applications and reuses IPs and domains from previous attacks, showcasing the group’s evolution as a persistent threat across multiple sectors.
A comprehensive list of tools utilized by OilRig includes Alma Communicator, BONDUPDATER, Clayslide, DistTrack, DNSExfiltrator, DNSpionage, Dustman, Fox Panel, Helminth, ISMAgent, ISMDoor, ISMInjector, Karkoff, Mimikatz, LaZagne, LIONTAIL, LONGWATCH, SideTwist, Neuron, Nautilus, PICKPOCKET, Plink, PsList, RDAT, Saitama, SpyNote RAT, and TONEDEAF.
OilRig’s expertise in cyber espionage is further highlighted by its adept C&C communication methods, which involve targeted Exchange servers, HTTPSnoop implants, HTTP and DNS queries, and protocol tunneling to facilitate stealthy network communications.
To counter the threats posed by groups like OilRig, it is crucial to implement regular software patching, enhance email security, establish robust network monitoring, deploy advanced endpoint protection, enforce strict access control measures, develop a comprehensive incident response plan, leverage threat intelligence, and provide ongoing employee cybersecurity training.
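As an added illustration (not from the Cyble report or this article) of the network-monitoring recommendation above applied to the DNS-query C&C channel described earlier: a heuristic detector that flags registered domains receiving repeated queries whose subdomain labels are long and high-entropy, the pattern DNS tunneling produces. The log format, the thresholds and the c2-placeholder.test domain are constructed assumptions, not OilRig indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: "time client qname qtype". Not real indicators.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.3 www.example.com A
10:00:02 10.1.2.3 mail.example.com MX
10:00:03 10.1.2.3 a9f3c1e0b7d24e6f9a1c0b3d5e7f8a9b.c2-placeholder.test A
10:00:04 10.1.2.3 4e6f9a1c0b3d5e7f8a9b1c2d3e4f5a6b.c2-placeholder.test A
10:00:05 10.1.2.3 0b3d5e7f8a9b1c2d3e4f5a6b7c8d9e0f.c2-placeholder.test TXT
10:00:06 10.1.2.3 cdn.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, natural hostnames low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Naive last-two-labels heuristic (assumption); production code would
    # consult the public suffix list so "co.uk"-style TLDs are handled.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def score_query(qname: str) -> dict:
    """Per-query features: longest label and entropy of the subdomain part."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    longest = max((len(label) for label in labels), default=0)
    return {"longest_label": longest, "entropy": shannon_entropy(sub) if sub else 0.0}

def find_suspicious_domains(log_text, min_queries=3, entropy_threshold=3.5, label_threshold=30):
    """Group queries by registered domain; flag domains where every query carries
    a long label and the mean subdomain entropy is above the threshold."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        qname = fields[2]
        per_domain[registered_domain(qname)].append(score_query(qname))
    flagged = {}
    for domain, scores in per_domain.items():
        if len(scores) < min_queries:
            continue  # too few observations to judge
        avg_entropy = sum(s["entropy"] for s in scores) / len(scores)
        long_labels = sum(1 for s in scores if s["longest_label"] >= label_threshold)
        if avg_entropy >= entropy_threshold and long_labels == len(scores):
            flagged[domain] = {"queries": len(scores), "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver logs; CDN and anti-spam lookups can also produce long labels, so the result is a triage queue, not a verdict.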
In conclusion, the evolving tactics and persistent activities of OilRig underscore the need for enhanced cybersecurity measures and vigilance across various sectors to mitigate the risks posed by advanced cyber espionage groups.
