Skip to content

G0049 OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.42351186

Item Value
ID G0049
Associated Names COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens
Version 3.1
Created 14 December 2017
Last Modified 06 February 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
COBALT GYPSY 9
IRN2 7
APT34 This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.681
Helix Kitten 67
Evasive Serpens 11

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.3
enterprise T1087.002 Domain Account OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.3
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OilRig has used HTTP for C2.111415
enterprise T1071.004 DNS OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.1114151
enterprise T1119 Automated Collection OilRig has used automated collection.11
enterprise T1110 Brute Force OilRig has used brute force techniques to obtain credentials.14
enterprise T1059 Command and Scripting Interpreter OilRig has used various types of scripting for execution.81713618
enterprise T1059.001 PowerShell OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.8197
enterprise T1059.003 Windows Command Shell OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.81713618 OilRig has used batch scripts.81713618
enterprise T1059.005 Visual Basic OilRig has used VBSscipt macros for execution on compromised hosts.1
enterprise T1555 Credentials from Password Stores OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615
enterprise T1555.003 Credentials from Web Browsers OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615 OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.15
enterprise T1555.004 Windows Credential Manager OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.15
enterprise T1140 Deobfuscate/Decode Files or Information A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.8191320
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography OilRig used the Plink utility and other tools to create tunnels to C2 servers.14
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.5
enterprise T1133 External Remote Services OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.14
enterprise T1008 Fallback Channels OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.17
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion OilRig has deleted files associated with their payload after execution.813
enterprise T1105 Ingress Tool Transfer OilRig can download remote files onto victims.8
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.1415
enterprise T1036 Masquerading OilRig has used .doc file extensions to mask malicious executables.1
enterprise T1046 Network Service Discovery OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.14
enterprise T1027 Obfuscated Files or Information OilRig has encrypted and encoded data in its malware, including by using base64.8611718
enterprise T1027.005 Indicator Removal from Tools OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.418
enterprise T1137 Office Application Startup -
enterprise T1137.004 Outlook Home Page OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.21
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615
enterprise T1003.004 LSA Secrets OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615
enterprise T1003.005 Cached Domain Credentials OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615
enterprise T1201 Password Policy Discovery OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain.12
enterprise T1120 Peripheral Device Discovery OilRig has used tools to identify if a mouse is connected to a targeted system.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups OilRig has used net localgroup administrators to find local administrators on compromised systems.3
enterprise T1069.002 Domain Groups OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings.3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.1367
enterprise T1566.002 Spearphishing Link OilRig has sent spearphising emails with malicious links to potential victims.13
enterprise T1566.003 Spearphishing via Service OilRig has used LinkedIn to send spearphishing links.15
enterprise T1057 Process Discovery OilRig has run tasklist on a victim’s machine.3
enterprise T1572 Protocol Tunneling OilRig has used the Plink utility and other tools to create tunnels to C2 servers.111415
enterprise T1012 Query Registry OilRig has used reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” on a victim to query the Registry.3
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.111420
enterprise T1021.004 SSH OilRig has used Putty to access compromised systems.11
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.136151
enterprise T1113 Screen Capture OilRig has a tool called CANDYKING to capture a screenshot of user’s desktop.14
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell OilRig has used web shells, often to maintain access to a victim network.111420
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.3
enterprise T1082 System Information Discovery OilRig has run hostname and systeminfo on a victim.35151
enterprise T1016 System Network Configuration Discovery OilRig has run ipconfig /all on a victim.35
enterprise T1049 System Network Connections Discovery OilRig has used netstat -an on a victim to get a listing of network connections.3
enterprise T1033 System Owner/User Discovery OilRig has run whoami on a victim.351
enterprise T1007 System Service Discovery OilRig has used sc query on a victim to gather information about services.3
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.11141615
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link OilRig has delivered malicious links to achieve execution on the target system.1367
enterprise T1204.002 Malicious File OilRig has delivered macro-enabled documents that required targets to click the “enable content” button to execute the payload on the system.13671
enterprise T1078 Valid Accounts OilRig has used compromised credentials to access other systems on a victim network.111420
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks OilRig has used macros to verify if a mouse is connected to a compromised machine.1
enterprise T1047 Windows Management Instrumentation OilRig has used WMI for execution.14
ics T0817 Drive-by Compromise OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. 24
ics T0853 Scripting OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.22
ics T0865 Spearphishing Attachment OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 22
ics T0869 Standard Application Layer Protocol OilRig communicated with its command and control using HTTP requests. 22
ics T0859 Valid Accounts OilRig utilized stolen credentials to gain access to victim machines.23

Software

ID Name References Techniques
S0360 BONDUPDATER 8 25 DNS:Application Layer Protocol PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Domain Generation Algorithms:Dynamic Resolution Hidden Window:Hide Artifacts Ingress Tool Transfer Scheduled Task:Scheduled Task/Job
S0160 certutil 8 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0095 ftp 5 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0170 Helminth 3147 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Automated Collection Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Standard Encoding:Data Encoding Local Data Staging:Data Staged Data Transfer Size Limits Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Obfuscated Files or Information Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls
S0100 ipconfig 3 System Network Configuration Discovery
S0189 ISMInjector 19 Deobfuscate/Decode Files or Information Obfuscated Files or Information Process Hollowing:Process Injection Scheduled Task:Scheduled Task/Job
S0349 LaZagne 16 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0002 Mimikatz 111416 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0039 Net 38 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat 38 System Network Connections Discovery
S0264 OopsIE 13 Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Archive via Custom Method:Archive Collected Data Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Local Data Staging:Data Staged Data Transfer Size Limits Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File Deletion:Indicator Removal Ingress Tool Transfer Software Packing:Obfuscated Files or Information Obfuscated Files or Information Scheduled Task:Scheduled Task/Job System Information Discovery System Time Discovery System Checks:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0184 POWRUNER 8 Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding File and Directory Discovery Ingress Tool Transfer Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Windows Management Instrumentation
S0029 PsExec 14 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0269 QUADAGENT 6 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fallback Channels File Deletion:Indicator Removal Match Legitimate Name or Location:Masquerading Modify Registry Command Obfuscation:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Query Registry Scheduled Task:Scheduled Task/Job System Network Configuration Discovery System Owner/User Discovery
S0495 RDAT 27 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Mail Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Non-Standard Encoding:Data Encoding Data Obfuscation Steganography:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File Deletion:Indicator Removal Ingress Tool Transfer Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Steganography:Obfuscated Files or Information Screen Capture
S0075 Reg 38 Modify Registry Query Registry Credentials in Registry:Unsecured Credentials
S0258 RGDoor 26 Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Ingress Tool Transfer IIS Components:Server Software Component System Owner/User Discovery
S0185 SEASHARPEE 14 Windows Command Shell:Command and Scripting Interpreter Timestomp:Indicator Removal Ingress Tool Transfer Web Shell:Server Software Component
S0610 SideTwist 1 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Data Obfuscation Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File and Directory Discovery Ingress Tool Transfer Native API System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0096 Systeminfo 8 System Information Discovery
S0057 Tasklist 38 Process Discovery Security Software Discovery:Software Discovery System Service Discovery

References

  1. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. 

  3. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  4. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. 

  5. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. 

  6. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  7. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. 

  8. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  9. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. 

  10. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  11. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. 

  12. Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved April 5, 2018. 

  13. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  14. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  15. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  16. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. 

  17. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018. 

  18. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  19. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  20. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  21. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. 

  22. Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19  

  23. Dragos Chrysene Retrieved. 2019/10/27  

  24. Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 2020/01/03  

  25. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  26. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  27. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.