C0042 Outer Space

Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]

| Item | Value |
|---|---|
| ID | C0042 |
| Associated Names | |
| First Seen | January 2021 |
| Last Seen | December 2021 |
| Version | 1.0 |
| Created | 21 November 2024 |
| Last Modified | 25 November 2024 |

Groups

| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API.[1] |
| enterprise | T1217 | Browser Information Discovery | During Outer Space, OilRig used a Chrome data dumper named MKG.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | During Outer Space, OilRig used VBS droppers to deploy malware.[1] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.004 | Server | During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[1] |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | For Outer Space, OilRig created new implants, including the Solar backdoor.[1] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.003 | Cloud Accounts | During Outer Space, OilRig created M365 email accounts to be used as part of C2.[1] |
| enterprise | T1105 | Ingress Tool Transfer | During Outer Space, OilRig downloaded additional tools to compromised infrastructure.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[1] |

Software

| ID | Name | Description |
|---|---|---|
| S1168 | SampleCheck5000 | [1] |

References