OilRig

Overview

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

Targets

Chemical · Civil society · Defense · Education · Energy · Engineering · Finance · Government · Other · Private sector · Technology · Telecommunications

Regions

Canada · China · France · Germany · India · Iraq · Israel · Kuwait · Lebanon · Mexico · Middle East · Pakistan · Qatar · Saudi Arabia · South Korea · Turkey · United Kingdom · United States

Capabilities

• Supply-chain compromise — ATT&CK T1195
• Destructive / data-wiping operations — software: ZeroCleare
• Exploitation of public-facing / client applications — ATT&CK T1203
• Custom malware/implant development — ATT&CK: 18 attributed custom malware families
• Documented tooling: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR — MISP galaxy (meta.capabilities)

TTPs — 76 techniques across 13 tactics

Tools & malware (30)

ISMInjector · ODAgent · RDAT · Systeminfo · QUADAGENT · OopsIE · ngrok · Tasklist · Net · certutil · ZeroCleare · Reg · POWRUNER · netstat · Solar · ipconfig · LaZagne · BONDUPDATER · SideTwist · Helminth · Mango · OilBooster · SampleCheck5000 · PsExec · SEASHARPEE · Mimikatz · PowerExchange · OilCheck · RGDoor · ftp

Reporting (3)

• Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East — Fahmy, M. et al
• Crambus: New Campaign Targets Middle Eastern Government — Symantec Threat Hunter Team
• How Microsoft names threat actors — Microsoft