
C0044 Juicy Mix

Juicy Mix was a campaign conducted by OilRig throughout 2022 that targeted Israeli organizations with the Mango backdoor.[1]

Item Value
ID C0044
Associated Names
First Seen January 2022
Last Seen December 2022
Version 1.0
Created 25 November 2024
Last Modified 25 November 2024

Groups

ID Name References
G0049 OilRig [1]

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols During Juicy Mix, OilRig used a VBS script to send POST requests to register installed malware with C2.[1]
enterprise T1217 Browser Information Discovery During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell During Juicy Mix, OilRig used a PowerShell script to steal credentials.[1]
enterprise T1059.005 Visual Basic During Juicy Mix, OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor.[1]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server During Juicy Mix, OilRig compromised an Israeli job portal to use as a C2 server.[1]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect credentials.[1]
enterprise T1555.004 Windows Credential Manager During Juicy Mix, OilRig used a Windows Credential Manager stealer for credential access.[1]
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding During Juicy Mix, OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.[1]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging During Juicy Mix, OilRig used browser data and credential stealer tools to stage stolen data in files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.[1]
enterprise T1140 Deobfuscate/Decode Files or Information During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango.[1]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware For Juicy Mix, OilRig improved on Solar by developing the Mango backdoor.[1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task During Juicy Mix, OilRig used VBS droppers to create scheduled tasks for persistence.[1]
enterprise T1518 Software Discovery During Juicy Mix, OilRig used browser data dumper tools to create a list of users with Google Chrome installed.[1]
enterprise T1082 System Information Discovery During Juicy Mix, OilRig used a script to send the name of the compromised host via HTTP POST to register it with C2.[1]
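
The most huntable details in the table above are the C2 registration beacon (a POST carrying the Base64-encoded host name, T1071.001 / T1132.001 / T1082), the Cupdate, Eupdate and IUpdate staging files in %TEMP% (T1074.001), and the scheduled task created by a VBS dropper (T1053.005 via T1059.005). The following is an added example written for this page, not OilRig tooling or code from the cited report: Python hunting checks run over constructed sample data. The proxy-log layout, the id= body field, the job-portal hostname, the file paths and the task names are assumptions made for the demonstration; only the Base64-encoded host name, the three staging file names in %TEMP% and the VBS-launched scheduled task come from the table.

```python
"""Hunting checks for the Juicy Mix tradecraft described above.

Added example, not OilRig tooling or anything from the cited report.
Log layout, field names, paths and task names are constructed assumptions.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

STAGED_STEALER_FILES = {"cupdate", "eupdate", "iupdate"}   # from the table (T1074.001)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}              # Windows Script Host binaries
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")  # DNS-label shaped host name
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")          # Base64-looking runs, 8+ chars

# Constructed proxy log in an assumed "<method> <url> <body>" layout.
# "V1MtRklOLTA3" is Base64 for the constructed host name "WS-FIN-07".
SAMPLE_PROXY_LOG = [
    "POST http://jobs.example-portal.test/api/reg id=V1MtRklOLTA3",
    "POST http://intranet.example.test/search q=quarterly+report",
    "GET http://cdn.example.test/app.js -",
]

# Constructed file listing and scheduled-task export (all names are assumptions).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\Cupdate",
    r"C:\Users\alice\AppData\Local\Temp\IUpdate",
    r"C:\Users\alice\AppData\Local\Temp\report.docx",
    r"C:\Users\alice\Documents\Eupdate",   # right name, wrong place: not staged in %TEMP%
]
SAMPLE_TASKS = [
    {"name": "SystemUpdateCheck", "command": r"C:\Windows\System32\wscript.exe",
     "arguments": r"//B C:\Users\alice\AppData\Roaming\svc.vbs"},
    {"name": "MicrosoftEdgeUpdateTaskMachineUA",
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "arguments": "/ua /installsource scheduler"},
]


def decode_if_text(token: str) -> Optional[str]:
    """Decode a Base64 token; return the text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_registration_beacons(log_lines: List[str]) -> List[Dict[str, str]]:
    """T1071.001 / T1132.001 / T1082: POST bodies carrying a Base64 string
    that decodes to something shaped like a Windows host name."""
    hits = []
    for line in log_lines:
        method, url, body = line.split(" ", 2)
        if method != "POST":
            continue
        for token in B64_TOKEN_RE.findall(body):
            decoded = decode_if_text(token)
            if decoded and HOSTNAME_RE.match(decoded):
                hits.append({"url": url, "token": token, "hostname": decoded})
    return hits


def find_staged_stealer_output(paths: List[str]) -> List[str]:
    """T1074.001: Cupdate / Eupdate / IUpdate sitting in a Temp directory."""
    flagged = []
    for path in paths:
        parts = path.replace("/", "\\").split("\\")
        name = parts[-1].lower()
        in_temp = any(p.lower() == "temp" for p in parts[:-1])
        if name in STAGED_STEALER_FILES and in_temp:
            flagged.append(path)
    return flagged


def find_vbs_scheduled_tasks(tasks: List[Dict[str, str]]) -> List[str]:
    """T1053.005 via T1059.005: a task whose action is a script host running a .vbs."""
    flagged = []
    for task in tasks:
        exe = task["command"].replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS and ".vbs" in task["arguments"].lower():
            flagged.append(task["name"])
    return flagged


if __name__ == "__main__":
    for hit in find_registration_beacons(SAMPLE_PROXY_LOG):
        print(f"registration beacon: host {hit['hostname']} -> {hit['url']}")
    for path in find_staged_stealer_output(SAMPLE_FILES):
        print(f"staged stealer output: {path}")
    for name in find_vbs_scheduled_tasks(SAMPLE_TASKS):
        print(f"VBS-backed scheduled task: {name}")
```

The beacon check decodes every Base64-looking run in a POST body rather than keying on a field name, because the table only says that the host name is Base64-encoded, not how it is labelled; requiring the decoded value to be printable ASCII in host-name shape keeps ordinary form data (which rarely decodes to clean text) from firing. The staging check is scoped to Temp directories because that is where the table places the files; a broader hunt for the three names anywhere on disk is a reasonable follow-up but will need tuning.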

Software

ID Name Description
S1169 Mango [1]

References