
S1172 OilBooster

OilBooster is a downloader written in Microsoft Visual C/C++ that OilRig has used since at least 2022, including against target organizations in Israel, to download and execute files and to exfiltrate data.[1]

| Item | Value |
|---|---|
| ID | S1172 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 November 2024 |
| Last Modified | 27 November 2024 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OilBooster can send HTTP GET, POST, PUT, and DELETE requests to the Microsoft Graph API over port 443 for C2 communication.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | OilBooster has the ability to execute shell commands and exfiltrate the results.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | OilBooster can stage files in the tempFiles directory for exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | OilBooster can use the OpenSSL library to encrypt C2 communications.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration.[1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | OilBooster can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.[1] |
| enterprise | T1008 | Fallback Channels | OilBooster can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | OilBooster can hide its console window upon execution through the ShowWindow API.[1] |
| enterprise | T1105 | Ingress Tool Transfer | OilBooster can download and execute files from an actor-controlled OneDrive account.[1] |
| enterprise | T1559 | Inter-Process Communication | OilBooster can read the results of command line execution via an unnamed pipe connected to the process.[1] |
| enterprise | T1106 | Native API | OilBooster has used the ShowWindow and CreateProcessW APIs.[1] |
| enterprise | T1082 | System Information Discovery | OilBooster can identify the compromised system’s hostname, which is used to create a unique identifier.[1] |
| enterprise | T1033 | System Owner/User Discovery | OilBooster can identify the compromised system’s username, which is then used as part of a unique identifier.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | OilBooster uses the Microsoft Graph API to connect to an actor-controlled OneDrive account to download and execute files and shell commands, and to create directories to share exfiltrated data.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |

References