ESET Researchers Uncover OilRig Downloaders Utilizing Cloud Services for C&C Communication
ESET researchers have found that the OilRig cyberespionage group used a series of downloaders in its campaigns throughout 2022, specifically targeting organizations of special interest located in Israel. These lightweight downloaders, known as SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, abuse legitimate cloud service APIs for command and control (C&C) communication and data exfiltration.
The downloaders access a shared, OilRig-operated cloud account to exchange messages with the operators; the same account is typically reused across multiple victims. Through this account they download commands and additional payloads staged by the operators, and upload command output and staged files. ESET researchers discovered the earliest of the series, the SC5k (v1) downloader, in November 2021 during OilRig's Outer Space campaign, and have since observed several new variants introduced throughout 2022, each with its own distinguishing features.
One of the newer downloaders, ODAgent, was detected in February 2022 in the network of a manufacturing company in Israel. ODAgent is a C#/.NET downloader that uses the Microsoft OneDrive API for C&C communication and is capable of downloading and executing payloads as well as exfiltrating staged files. SC5k and OilCheck, two other downloaders in the series, were also detected in the same organization, highlighting OilRig's persistence in targeting the same organizations repeatedly.
The cyberespionage group has exclusively used these downloaders against a limited number of Israeli targets, all of which were persistently targeted months earlier by other OilRig tools. In addition to the manufacturing company, a local governmental organization and a healthcare organization in Israel were also affected by these downloaders in 2022.
OilRig has been known for its continued targeting of Middle Eastern governments and various business verticals since 2014. The group has carried out several high-profile campaigns, including the DNSpionage campaign in 2018 and 2019, the HardPass campaign in 2019 and 2020, and the more recent Solar and Mango backdoors in 2022 and 2023, which targeted organizations in the Middle East.
ESET researchers have attributed SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig with a high level of confidence based on their targets and code similarities, reinforcing the group’s persistent focus on Israeli organizations.
Moving forward, ESET will continue to monitor the activities of the OilRig cyberespionage group and provide further insights into their tactics, techniques, and procedures to help organizations defend against their malicious activities.
In conclusion, OilRig's continued use of downloaders that rely on legitimate cloud service APIs for C&C communication and data exfiltration highlights the evolving threat landscape and the need for organizations to remain vigilant against persistent cyberespionage groups; traffic to legitimate cloud services is easily overlooked, so defenders should scrutinize which processes are making such connections. ESET's ongoing research serves as a valuable resource for organizations looking to strengthen their defenses and protect their sensitive data from such actors.
