# S1171 OilCheck

OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022, including against targets in Israel. OilCheck uses draft messages created in a shared email account for C2 communication.[1]
| Item | Value |
|---|---|
| ID | S1171 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 November 2024 |
| Last Modified | 27 November 2024 |
## Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1567 | Exfiltration Over Web Service | OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.[1] |
| enterprise | T1105 | Ingress Tool Transfer | OilCheck can download staged payloads from actor-controlled infrastructure.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | OilCheck can use the REST-based Microsoft Graph API to access draft messages in a shared Microsoft Office 365 Outlook email account used for C2 communication.[1] |
## Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |