
ESET Research: Iran-aligned OilRig group deployed new malware to its Israeli victims, collecting credentials

Created: 2023-09-22 06:47:18

  • ESET Research analyzed two OilRig campaigns that occurred throughout 2021 (Outer Space) and 2022 (Juicy Mix) by this Iran-aligned APT group.
  • The operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites for use in OilRig’s Command & Control (C&C) communications.
  • They used a new, previously undocumented backdoor in each campaign: Solar in Outer Space, then its successor Mango in Juicy Mix.
  • A variety of post-compromise tools were deployed in both campaigns. They were used to collect sensitive information from major browsers and the Windows Credential Manager.

BRATISLAVA, MONTREAL — September 21, 2023 — ESET researchers have analyzed two campaigns by the Iran-aligned OilRig APT group: Outer Space from 2021, and Juicy Mix from 2022. Both of these cyberespionage campaigns targeted Israeli organizations exclusively, which is in line with the group’s focus on the Middle East, and both used the same playbook: OilRig first compromised a legitimate website to use as a C&C server and then delivered previously undocumented backdoors to its victims, while also deploying a variety of post-compromise tools mostly used for data exfiltration from the target systems. Specifically, these tools were used to collect credentials from Windows Credential Manager, and credentials, cookies and browsing history from major browsers.

In their Outer Space campaign, OilRig used a simple, previously undocumented C#/.NET backdoor ESET Research has named Solar, along with a new downloader, SampleCheck5000 (or SC5k), that uses the Microsoft Office Exchange Web Services API for C&C communication. For the Juicy Mix campaign, the threat actors improved on Solar to create the Mango backdoor, which possesses additional capabilities and obfuscation methods. Both backdoors were deployed by VBS droppers, presumably spread via spearphishing emails. In addition to detecting the malicious toolset, ESET has also notified the Israeli CERT about the compromised websites.
ESET named the Solar backdoor after the astronomy-based naming scheme used in its function names and tasks; the other new backdoor, Mango, was named after its internal assembly name and its filename.

The Solar backdoor possesses basic functionalities and can be used, among other things, to download and execute files, and to automatically exfiltrate staged files. An Israeli human resources company’s web server, which OilRig compromised at some point prior to deploying Solar, was used as the C&C server.

For its Juicy Mix campaign, OilRig switched from the Solar backdoor to Mango. It has a similar workflow to Solar and overlapping capabilities, with some notable technical changes. ESET identified an unused detection evasion technique within Mango. “This technique’s goal is to block endpoint security solutions from loading their user-mode code hooks via a DLL in this process. While the parameter was not used in the sample we analyzed, it could be activated in future versions,” says ESET researcher Zuzana Hromcová, who co-analyzed the two campaigns of OilRig.

OilRig, also known as APT34, Lyceum, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of verticals, including chemical, energy, financial and telecommunications.

For more technical information about OilRig and its Outer Space and Juicy Mix campaigns, check out the blogpost “OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessarily large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
