ESET researchers have recently analyzed two cyberespionage campaigns carried out by the OilRig APT group. The first campaign, named Outer Space, took place in 2021, while the second campaign, named Juicy Mix, occurred in 2022. As with previous campaigns, the group exclusively targeted Israeli organizations. Both campaigns followed a similar pattern: OilRig compromised legitimate websites to serve as command-and-control (C&C) servers and used VBS droppers to deliver backdoors to the victims. Additionally, a variety of post-compromise tools were used to exfiltrate data from the target systems.
In the Outer Space campaign, OilRig used a previously undocumented C#/.NET backdoor called Solar, along with a new downloader named SampleCheck5000 (SC5k). SC5k utilized the Microsoft Office Exchange Web Services API for C&C communication. For the Juicy Mix campaign, the group enhanced Solar and developed a new backdoor called Mango, which had additional capabilities and obfuscation methods. ESET also notified the Israeli CERT about the compromised websites in both campaigns.
The OilRig APT group, also known as APT34, Lyceum, or Siamesekitten, has been active since at least 2014 and is believed to be based in Iran. The group primarily focuses on the Middle East and targets various industries, including government, chemical, energy, finance, and telecommunications. In previous campaigns, such as DNSpionage and HardPass, OilRig targeted victims in Lebanon and the United Arab Emirates, as well as Middle Eastern organizations in the energy and government sectors.
The connection between the Outer Space campaign and OilRig was made based on the use of the same custom Chrome data dumper that was observed in a previous campaign called Out to Sea. The same sample of the data dumper was deployed by the Solar backdoor in the Outer Space campaign. Additionally, similarities were found between Solar and other OilRig backdoors in terms of communication with the C&C server. These findings solidify the attribution of the Outer Space campaign to OilRig. As for the Juicy Mix campaign, its ties to OilRig were established through code similarities between Mango and Solar, as well as the use of the same string obfuscation technique in the VBS dropper.
In the Outer Space campaign, OilRig compromised an Israeli human resources site and used it as a C&C server for the Solar backdoor. Solar is a simple backdoor with basic functionality such as reading from and writing to disk and gathering information. To download additional tools for execution, OilRig deployed the SC5k downloader, which used the Microsoft Office Exchange Web Services API. OilRig also utilized a Chrome data dumper called MKG to exfiltrate browser data from the victim's system.
In the Juicy Mix campaign, OilRig compromised a legitimate Israeli job portal website for C&C communication and targeted a healthcare organization in Israel. The Mango backdoor, an updated version of Solar, was used in this campaign. Mango had additional capabilities such as exfiltration functionalities, native API usage, and detection evasion code. OilRig also employed two browser-data dumpers to steal cookies, browsing history, and credentials from Chrome and Edge browsers, as well as a Windows Credential Manager stealer.
Both campaigns involved the use of VBS droppers, likely spread through spear-phishing emails, to deliver the backdoors. The VBS dropper for the Mango backdoor utilized string obfuscation and set up persistence and communication with the C&C server. The Solar backdoor, on the other hand, created tasks that ran in memory and performed various functions using an astronomy naming scheme.
Overall, ESET’s analysis provides valuable insights into the tactics and tools used by the OilRig APT group in their cyberespionage campaigns targeting Israeli organizations. By understanding their techniques, organizations can better protect themselves from similar attacks.