OilRig: Iran’s Cyber Hackers

OilRig is Iran’s state-sponsored hacking unit, established in 2015. Since inception, OilRig’s capabilities have grown to the point where the group is the subject of articles on Palo Alto’s security blog. Having started out with general phishing attacks, they have matured into a more sophisticated distributor of targeted malware, using compromised servers at IT companies throughout the Middle East.

What I find most interesting about OilRig is that they have developed skillsets that allow them to attack Israeli IT vendors and government agencies in a nation-state that isn’t a financial powerhouse. In essence, they’re scrappy cyber street fighters who continue to evolve into a capable unit with cyber-reach in the US East.

Their current modus operandi is to compromise the servers of IT vendors and then send targeted phishing emails, carrying an executable, to companies that use those vendors. The latest attacks contained the OopsIE Trojan attached to emails that originated from the IT company servers. What should be of particular interest is that one of their recent attacks was against a financial institution in Lebanon, and that OilRig has already attacked a Vermont company to steal that company’s SSL certificate codes to phish targets.

According to Secure Reading this is how the attack works: “The macro creates a scheduled task which runs after waiting one minute to decode base64 encoded data using Certutil application. It also creates a second scheduled task which waits for two minutes and runs a VBScript to execute the OopsIE trojan and clean up the installation. The OopsIE Trojan is packed with SmartAssembly and obfuscated with ConfuserEx v1.0.0. It creates a VBScript file to run persistently on the system. The malware also creates a scheduled task to run itself every three minutes. It uses HTTP to communicate with its command and control server using InternetExplorer application object. The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon.”
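A defender-side illustration of the chain quoted above, added here and not part of the original post or the cited reports: a small Python triage routine that scores constructed process-creation events for the indicators the description names (an Office parent spawning schtasks, certutil -decode, a script host running a .vbs, and a task re-running every few minutes). The field names and sample command lines are assumptions, not captured telemetry.

```python
import re

# Indicators taken from the chain described above: Office macro -> scheduled task ->
# certutil -decode of a base64 blob -> VBScript launcher -> task re-run every few minutes.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
RULES = [
    ("certutil_decode", re.compile(r"certutil(\.exe)?\s+(-|/)decode\b", re.I)),
    ("schtasks_create", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("script_host_vbs", re.compile(r"[wc]script(\.exe)?\s+.*\.vbs\b", re.I)),
    ("short_interval_task", re.compile(r"/sc\s+minute\s+/mo\s+[1-5]\b", re.I)),
]

def analyze_event(parent, cmdline):
    """Return the rule names one event trips; an Office parent adds 'office_child'."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if hits and parent.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        hits.append("office_child")
    return hits

def triage(events):
    """Collapse hits per host: 'alert' for two or more distinct indicators,
    'review' for a single one (schtasks alone is common and benign), else 'none'."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], set()).update(analyze_event(ev["parent"], ev["cmd"]))
    return {h: ("alert" if len(s) >= 2 else "review" if s else "none") for h, s in by_host.items()}

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r'schtasks /create /sc once /st 09:01 /tn Upd /tr "certutil -decode %TEMP%\d.txt %TEMP%\d.exe"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /sc minute /mo 3 /tn Upd2 /tr "wscript.exe %TEMP%\run.vbs"'},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"schtasks /create /sc daily /tn Backup /tr backup.bat"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The single-indicator "review" tier exists because a legitimate daily task trips the schtasks rule alone; the combination with certutil decoding and a short re-run interval is what separates this chain from normal administration.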

We’ll continue to hear more about OilRig in the future, especially as behind-the-scenes political shenanigans among nation-states create new alliances against the United States.

Sources:

http://carnegieendowment.org/2018/01/04/iran-s-cyber-threat-espionage-sabotage-and-revenge-pub-75134

https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#31ec18a1468a

http://www.clearskysec.com/oilrig/

https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/

https://securereading.com/oilrig-apt-group-spotted-using-a-new-trojan-called-oopsie-against-middle-east-organizations/
