OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

ID: G0049
Associated Groups: COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Contributors: Robert Falcone; Bryan Lee; Dragos Threat Intelligence; Jaesang Oh, KC7 Foundation
Version: 5.0
Created: 14 December 2017
Last Modified: 16 January 2025

Associated Group Descriptions

Name Description
COBALT GYPSY [8]
IRN2 [9]
APT34 This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.[7][1][10]
Helix Kitten [7][9]
Evasive Serpens [6]
Hazel Sandstorm [11]
EUROPIUM [11]
ITG13 [12]
Earth Simnavaz [13]
Crambus [14]
TA452 [15]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

OilRig has used WMI for execution.[16]

Enterprise T1555 Credentials from Password Stores

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18]

.003 Credentials from Web Browsers

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18] OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers.[18]

.004 Windows Credential Manager

OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[18]

Enterprise T1036 Masquerading

OilRig has used .doc file extensions to mask malicious executables.[10]

Enterprise T1137 .004 Office Application Startup: Outlook Home Page

OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.[19]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[16]

Enterprise T1572 Protocol Tunneling

OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[6][16][18]

Enterprise T1140 Deobfuscate/Decode Files or Information

An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[1][20][21][22]

Enterprise T1059 Command and Scripting Interpreter

OilRig has used various types of scripting for execution.[1][23][21][7][24]

.001 PowerShell

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[1][20][9]

.003 Windows Command Shell

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE, and has used batch scripts for execution.[1][23][21][7][24]

.005 Visual Basic

OilRig has used VBScript macros for execution on compromised hosts.[10]

Enterprise T1008 Fallback Channels

OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.[23]

Enterprise T1120 Peripheral Device Discovery

OilRig has used tools to identify if a mouse is connected to a targeted system.[10]

Enterprise T1133 External Remote Services

OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[16]

Enterprise T1201 Password Policy Discovery

OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain.[25]

Enterprise T1113 Screen Capture

OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop.[16]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OilRig has used HTTP for C2.[6][16][18]

.004 Application Layer Protocol: DNS

OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.[6][16][18][10]
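The DNS C2 entry above (T1071.004) and the HTTP-to-DNS fallback described under T1008 give a defender two concrete things to look for in resolver logs: a stream of unique, encoded-looking subdomains under one owner domain from a single client, and lookups of public request-capture services such as requestbin.net. The following Python is an added example and is not code from the page or from any of the vendors it cites. The log lines, the client addresses and the domain c2-relay.test are constructed for the example; requestbin.net is the one service the page names, and placing it on a watch list is this example's choice; the thresholds are assumptions to be baselined against real traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the page). One query per line:
# timestamp client qtype qname. Client 10.0.0.7 issues encoded-looking
# subdomains of c2-relay.test; 10.0.0.9 looks up a request-capture service.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T09:00:03Z 10.0.0.7 TXT 3f9a1c7e5b2d8046.c2-relay.test
2024-05-01T09:00:04Z 10.0.0.7 TXT a7c3e19f5d0b2846.c2-relay.test
2024-05-01T09:00:05Z 10.0.0.7 TXT 9e2b6d0f4a8c1357.c2-relay.test
2024-05-01T09:00:06Z 10.0.0.7 TXT f1d3b5a7c9e02468.c2-relay.test
2024-05-01T09:00:07Z 10.0.0.7 TXT 0b4d8f2a6c1e3579.c2-relay.test
2024-05-01T09:00:08Z 10.0.0.7 TXT 6a0c4e8b2d1f3579.c2-relay.test
2024-05-01T09:00:09Z 10.0.0.9 A abcd1234.requestbin.net
2024-05-01T09:00:10Z 10.0.0.5 A cdn.example.com
"""

# requestbin.net is the service named on the page; watch-listing it is this
# example's choice and the set would be extended in practice.
KNOWN_TUNNEL_SERVICES = {"requestbin.net"}

# Assumed thresholds; baseline them against your own resolver traffic.
MIN_UNIQUE_LABELS = 5   # distinct leftmost labels from one client to one domain
MIN_MEAN_ENTROPY = 3.5  # bits per character; hex/base32 payloads sit near 4, words near 2-3


def shannon_entropy(text):
    """Bits of entropy per character of a label (0 for an empty label)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' owner domain; production code should use a public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_dns_log(text):
    """Parse 'timestamp client qtype qname' lines, skipping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()})
    return records


def find_dns_c2_candidates(records):
    """Return {(client, domain): [reasons]} for client/domain pairs that look like DNS tunnelling."""
    labels = defaultdict(set)
    for rec in records:
        domain = registered_domain(rec["qname"])
        labels[(rec["client"], domain)].add(rec["qname"].split(".")[0])

    findings = {}
    for (client, domain), seen in labels.items():
        reasons = []
        if domain in KNOWN_TUNNEL_SERVICES:
            reasons.append("lookup of watch-listed tunnelling/request-capture service")
        if len(seen) >= MIN_UNIQUE_LABELS:
            mean_entropy = sum(shannon_entropy(label) for label in seen) / len(seen)
            if mean_entropy >= MIN_MEAN_ENTROPY:
                reasons.append(f"{len(seen)} unique labels, mean entropy {mean_entropy:.2f} bits")
        if reasons:
            findings[(client, domain)] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in find_dns_c2_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

On the sample log the rule flags 10.0.0.7 for six unique 4.0-bit labels under c2-relay.test and 10.0.0.9 for the requestbin.net lookup, and leaves the example.com traffic alone. For the fallback case the page describes (ISMAgent switching to DNS when HTTP C2 is unreachable), the same per-client grouping is worth correlating with proxy or firewall denies from the same host in the preceding minutes, since the DNS burst starting right after blocked HTTP is the signature of that fallback.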

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18]

.004 OS Credential Dumping: LSA Secrets

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18]

.005 OS Credential Dumping: Cached Domain Credentials

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18]

Enterprise T1110 Brute Force

OilRig has used brute force techniques to obtain credentials.[16][12]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.[5]

Enterprise T1078 Valid Accounts

OilRig has used compromised credentials to access other systems on a victim network.[6][16][22][12]

Enterprise T1505 .003 Server Software Component: Web Shell

OilRig has used web shells, often to maintain access to a victim network.[6][16][22]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[6][16][17][18]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

OilRig has used net localgroup administrators to find local administrators on compromised systems.[4]

.002 Permission Groups Discovery: Domain Groups

OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings.[4]

Enterprise T1012 Query Registry

OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[4]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[2][24]

.013 Obfuscated Files or Information: Encrypted/Encoded File

OilRig has encrypted and encoded data in its malware, including by using base64.[1][7][6][9][24]

Enterprise T1204 .001 User Execution: Malicious Link

OilRig has delivered malicious links to achieve execution on the target system.[21][7][9]

.002 User Execution: Malicious File

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[21][7][9][10]

Enterprise T1070 .004 Indicator Removal: File Deletion

OilRig has deleted files associated with their payload after execution.[1][21]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[4]

Enterprise T1082 System Information Discovery

OilRig has run hostname and systeminfo on a victim.[4][5][18][10]

Enterprise T1033 System Owner/User Discovery

OilRig has run whoami on a victim.[4][5][10]

Enterprise T1007 System Service Discovery

OilRig has used sc query on a victim to gather information about services.[4]

Enterprise T1049 System Network Connections Discovery

OilRig has used netstat -an on a victim to get a listing of network connections.[4]

Enterprise T1016 System Network Configuration Discovery

OilRig has run ipconfig /all on a victim.[4][5]

Enterprise T1046 Network Service Discovery

OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[16]

Enterprise T1119 Automated Collection

OilRig has used automated collection.[6]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OilRig has used macros to verify if a mouse is connected to a compromised machine.[10]

Enterprise T1087 .001 Account Discovery: Local Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[4]

.002 Account Discovery: Domain Account

OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.[4]

Enterprise T1105 Ingress Tool Transfer

OilRig can download remote files onto victims.[1]

Enterprise T1056 .001 Input Capture: Keylogging

OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[16][18]

Enterprise T1057 Process Discovery

OilRig has run tasklist on a victim's machine.[4]
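Taken one at a time, the discovery commands this page attributes to OilRig (whoami, hostname, systeminfo, net user, net group, net accounts, net localgroup, reg query, sc query, netstat -an, ipconfig /all, tasklist) are ordinary administrative activity, and so is the certutil decode step listed under T1140. What distinguishes the behaviour described here is the burst: many distinct discovery techniques from one host and user inside a few minutes, often followed by decoding a staged payload. The following Python is an added example, not code from the page or from any vendor it cites: it parses constructed process-creation events (host names, user names, timestamps and file paths are all made up), maps each command line to a technique ID using the editor's own regex mapping of the commands the page lists, and reports host/user pairs that cross an assumed four-technique threshold within an assumed ten-minute window, plus every certutil -decode invocation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not from the page), one per line:
# timestamp|host|user|command line. WS01/jdoe shows the kind of discovery burst
# the page lists; WS02 and WS03 show isolated, ordinary administrative use.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:00Z|WS01|CORP\jdoe|whoami
2024-05-01T10:00:05Z|WS01|CORP\jdoe|hostname
2024-05-01T10:00:09Z|WS01|CORP\jdoe|systeminfo
2024-05-01T10:00:15Z|WS01|CORP\jdoe|net user /domain
2024-05-01T10:00:20Z|WS01|CORP\jdoe|net group "domain admins" /domain
2024-05-01T10:00:24Z|WS01|CORP\jdoe|net group "Exchange Trusted Subsystem" /domain
2024-05-01T10:00:30Z|WS01|CORP\jdoe|net accounts /domain
2024-05-01T10:00:35Z|WS01|CORP\jdoe|reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
2024-05-01T10:00:40Z|WS01|CORP\jdoe|netstat -an
2024-05-01T10:00:44Z|WS01|CORP\jdoe|tasklist
2024-05-01T10:01:10Z|WS01|CORP\jdoe|certutil -decode C:\Users\jdoe\AppData\Local\Temp\stage.txt C:\Users\jdoe\AppData\Local\Temp\stage.exe
2024-05-01T11:30:00Z|WS02|CORP\admin|"C:\Windows\System32\ipconfig.exe" /all
2024-05-01T14:00:00Z|WS03|CORP\helpdesk|tasklist
"""

# Editor's own mapping of the commands the page lists to ATT&CK technique IDs.
DISCOVERY_RULES = [
    ("T1033", r"^whoami\b"),
    ("T1082", r"^(hostname|systeminfo)\b"),
    ("T1087", r"^net1?\s+user\b"),
    ("T1069", r"^net1?\s+(group|localgroup)\b"),
    ("T1201", r"^net1?\s+accounts\b"),
    ("T1012", r"^reg\s+query\b"),
    ("T1007", r"^sc\s+query\b"),
    ("T1049", r"^netstat\b"),
    ("T1016", r"^ipconfig\b"),
    ("T1057", r"^tasklist\b"),
]
DECODE_RULE = ("T1140", r"^certutil\b.*\s-decode\b")


def normalize(cmdline):
    """Lowercase, drop the executable's directory and .exe suffix, collapse whitespace."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    exe = exe.rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return " ".join([exe] + rest.split()).lower()


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "user": user, "cmd": normalize(cmd)})
    return events


def match_rules(cmd):
    """Technique IDs whose pattern matches a normalized command line."""
    return [tid for tid, pattern in DISCOVERY_RULES + [DECODE_RULE]
            if re.search(pattern, cmd, re.IGNORECASE)]


def triage(events, window=timedelta(minutes=10), min_techniques=4):
    """Flag host/user pairs running >= min_techniques distinct discovery techniques
    inside one window, and list every certutil -decode invocation separately."""
    by_actor = defaultdict(list)
    for event in events:
        by_actor[(event["host"], event["user"])].append(event)

    findings = {"recon_bursts": {}, "decode_events": []}
    for actor, actor_events in by_actor.items():
        actor_events.sort(key=lambda e: e["ts"])
        tagged = [(e, match_rules(e["cmd"])) for e in actor_events]
        for event, hits in tagged:
            if "T1140" in hits:
                findings["decode_events"].append((actor, event["ts"].isoformat(), event["cmd"]))
        for i, (start, _) in enumerate(tagged):
            techniques = set()
            for event, hits in tagged[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                techniques.update(t for t in hits if t != "T1140")
            if len(techniques) >= min_techniques:
                findings["recon_bursts"][actor] = {
                    "start": start["ts"].isoformat(), "techniques": sorted(techniques)}
                break
    return findings


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for actor, burst in result["recon_bursts"].items():
        print(f"{actor}: {len(burst['techniques'])} discovery techniques from {burst['start']}")
    for actor, ts, cmd in result["decode_events"]:
        print(f"{actor}: decode at {ts}: {cmd}")
```

On the sample, WS01/jdoe is reported with eight distinct techniques starting at 10:00:00 and one decode event, while the lone ipconfig on WS02 and tasklist on WS03 stay below the threshold. Normalizing the command line before matching matters because the same commands arrive as bare names, as full System32 paths, and through net1.exe; the regexes are deliberately anchored at the start so that a benign script merely mentioning "netstat" in an argument does not count.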

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.[6][16][22]

.004 Remote Services: SSH

OilRig has used Putty to access compromised systems.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[21][7][9]

.002 Phishing: Spearphishing Link

OilRig has sent spearphishing emails with malicious links to potential victims.[21]

.003 Phishing: Spearphishing via Service

OilRig has used LinkedIn to send spearphishing links.[18]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.[21][7][18][10]

ICS T0817 Drive-by Compromise

OilRig has been observed using watering hole attacks to collect credentials that could be used to gain access to ICS networks.[26]

ICS T0853 Scripting

OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.[27]

ICS T0865 Spearphishing Attachment

OilRig has used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.[27]

ICS T0869 Standard Application Layer Protocol

OilRig has communicated with its command and control infrastructure using HTTP requests.[27]

ICS T0859 Valid Accounts

OilRig utilized stolen credentials to gain access to victim machines.[28]

Software

ID Name References Techniques
S0360 BONDUPDATER [1] [29] Dynamic Resolution: Domain Generation Algorithms, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: DNS, Ingress Tool Transfer, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0160 certutil [1] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0095 ftp [5] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0170 Helminth [4][16][9] Clipboard Data, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Transfer Size Limits, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Obfuscated Files or Information: Encrypted/Encoded File, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0100 ipconfig [4] System Network Configuration Discovery
S0189 ISMInjector [20] Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task
S0349 LaZagne [17] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [6][16][17] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [4][1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [4][1] System Network Connections Discovery
S0264 OopsIE [21] Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0184 POWRUNER [1] Windows Management Instrumentation, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, File and Directory Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Account Discovery: Domain Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Scheduled Task/Job: Scheduled Task
S0029 PsExec [16] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0269 QUADAGENT [7] Masquerading: Match Legitimate Name or Location, Modify Registry, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Fallback Channels, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Query Registry, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Fileless Storage, Indicator Removal: File Deletion, System Owner/User Discovery, System Network Configuration Discovery, Scheduled Task/Job: Scheduled Task
S0495 RDAT [30] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Application Layer Protocol: Mail Protocols, Data Transfer Size Limits, Data Obfuscation: Steganography, Data Obfuscation, Data Encoding: Standard Encoding, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Steganography, Indicator Removal: File Deletion, Ingress Tool Transfer, Exfiltration Over C2 Channel
S0075 Reg [4][1] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry
S0258 RGDoor [31] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Server Software Component: IIS Components, System Owner/User Discovery, Ingress Tool Transfer
S0185 SEASHARPEE [16] Command and Scripting Interpreter: Windows Command Shell, Server Software Component: Web Shell, Indicator Removal: Timestomp, Ingress Tool Transfer
S0610 SideTwist [10] Data from Local System, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Application Layer Protocol: Web Protocols, Data Obfuscation, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel
S0096 Systeminfo [1] System Information Discovery
S0057 Tasklist [4][1] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S1151 ZeroCleare OilRig collaborated on the destructive portion of the ZeroCleare attack.[12] Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Native API, Exploitation for Privilege Escalation, Disk Wipe: Disk Structure Wipe, Indicator Removal: File Deletion, System Information Discovery, Subvert Trust Controls: Code Signing

References

  1. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  2. Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  3. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  4. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  5. Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  6. Unit 42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  7. Lee, B. and Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  8. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
  9. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  10. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  11. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  12. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  13. Fahmy, M., et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  14. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  15. Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.
  16. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  17. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  18. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  19. McWhirt, M., Carr, N. and Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
  20. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  21. Lee, B. and Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  22. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  23. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  24. Falcone, R. and Wilhoit, K. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  25. Singh, S. and Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018.
  26. Kovacs, E. (2018, May 21). Group linked to Shamoon attacks targeting ICS networks in Middle East and UK. Retrieved September 12, 2024.
  27. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
  28. Dragos. (n.d.). Chrysene. Retrieved October 27, 2019.
  29. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  30. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  31. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.