The Iranian cyberespionage group, OilRig (APT34), has been actively operating since 2014, targeting various Middle Eastern governments and industries. These industries include chemical, energy, finance, and telecom. In their recent campaigns, OilRig launched DNSpionage in 2018-2019 against Lebanon and the UAE, followed by the 2019-2020 HardPass campaign, which used LinkedIn to target the energy and government sectors.
According to cybersecurity researchers at ESET, two new campaigns by OilRig have been identified and analyzed. These campaigns are named Outer Space (2021) and Juicy Mix (2022). Unlike their previous campaigns, these two campaigns specifically targeted Israeli organizations, showing a shift in the group’s focus to the Middle East. The group compromised legitimate websites to use as command-and-control infrastructure and employed VBS droppers to deploy C#/.NET backdoors and post-compromise data-collection tools.
The Outer Space campaign utilized an Israeli HR site as a command-and-control (C&C) server for the Solar backdoor. The Solar backdoor led to the SC5k downloader, while MKG was used for browser data exfiltration. On the other hand, the Juicy Mix campaign, launched in 2022, used upgraded tools to compromise a job portal for C&C, followed by an attack on an Israeli healthcare organization using the Mango backdoor, browser-data dumpers, and a Credential Manager stealer.
Both campaigns employed VBS droppers, most likely delivered through spear-phishing emails, to gain access to the targeted systems. These droppers installed the Mango or Solar backdoors and connected to the C&C server. The backdoor was embedded in the dropper as base64-encoded data with simple string obfuscation to hinder analysis and conceal its presence. Additionally, the droppers created a scheduled task to run the backdoor at regular intervals and sent the compromised computer’s name to the C&C server in a base64-encoded POST request.
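The check-in described above (a base64-encoded computer name in a POST body) is something a defender can hunt for in web-proxy logs. The following is an added example, not ESET's code and not derived from any real OilRig sample: it parses constructed log lines, base64-decodes POST bodies, keeps those that decode to a NetBIOS-style computer name, and raises confidence when the name matches an inventory of known hosts. The log format, URLs and hostnames are all constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample proxy log lines (assumed format: METHOD URL body=...); not real traffic.
SAMPLE_LOGS = [
    'POST https://hr-site.example/api/upload body=V09SS1NUQVRJT04tMDE=',  # "WORKSTATION-01"
    'POST https://hr-site.example/api/upload body=hello%20world',          # not base64
    'GET https://news.example/index.html body=',
    'POST https://jobs.example/submit body=RklOQU5DRS1QQzA3',              # "FINANCE-PC07"
]

LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>\S*)$')
# NetBIOS-style computer name: 1-15 chars, letters, digits and hyphens.
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9-]{0,14}$')


def decode_b64(value):
    """Strictly decode base64 text to an ASCII string; None if it is not clean base64/ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        return raw.decode('ascii')
    except UnicodeDecodeError:
        return None


def find_beacons(log_lines, known_hosts):
    """Return (url, decoded_name, confidence) for POST bodies that decode to a computer name.

    Short base64 strings can decode to alphanumeric text by chance, so a decoded name that
    is not in the host inventory is reported as 'low' confidence rather than dropped.
    """
    known = {h.upper() for h in known_hosts}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        name = decode_b64(m['body'])
        if name is None or not HOSTNAME_RE.match(name):
            continue
        confidence = 'high' if name.upper() in known else 'low'
        hits.append((m['url'], name, confidence))
    return hits


if __name__ == '__main__':
    for hit in find_beacons(SAMPLE_LOGS, ['workstation-01']):
        print(hit)
```

Pair a high-confidence hit with the scheduled-task creation noted above on the same host to raise an alert rather than a hunt lead.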
In the Outer Space campaign, OilRig used the Solar backdoor, which is a versatile tool capable of downloading and executing files, as well as autonomously exfiltrating staged data. However, in the Juicy Mix campaign, Solar was replaced with the Mango backdoor. Mango shared similar functionalities with Solar but featured some significant distinctions. One such difference was the replacement of Solar’s Venus task with a new exfiltration command in Mango.
Along with the backdoors, OilRig used post-compromise tools to further exploit the compromised systems. These tools include the SC5k downloader, which is used for downloading additional payloads, browser-data dumpers for collecting sensitive information from web browsers, and a Windows Credential Manager stealer for stealing user credentials.
OilRig’s evolution from Solar to Mango signifies their advancement in post-compromise tooling. While they still rely on conventional methods for collecting user data, such as browser-data dumpers and credential stealers, they continue to refine their custom backdoors to enhance their capabilities.
In conclusion, OilRig’s recent campaigns targeting Israeli organizations demonstrate their continued cyberespionage activities in the Middle East. Their utilization of VBS droppers, backdoors, and post-compromise tools highlights their sophistication and evolving techniques. It is crucial for organizations in the targeted industries to stay vigilant and implement robust cybersecurity measures to defend against such attacks.