Nyotron Discovers Next-Generation OilRig Attacks

SANTA CLARA, CA — March 21, 2018 — Nyotron, a provider of the industry’s first OS-Centric Positive Security solution to strengthen endpoint protection, has discovered a resurgence of OilRig attacks using a significantly more advanced malware toolkit.

Since 2015, the notorious Iran-linked APT group that launched OilRig has compromised critical infrastructure, banks, airlines, and government entities in countries such as Saudi Arabia, Qatar, the United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. In November 2017, Nyotron discovered new active OilRig attacks on a number of organizations across the Middle East. The OilRig group has significantly evolved its tactics, techniques and procedures, and has introduced next-generation malware tools and new data exfiltration methods. In total, the attackers used about 20 different tools – some were off-the-shelf, dual-purpose utilities, while others were previously unseen malware using Google Drive and SmartFile as well as the ISAPI filter for compromising IIS servers.

Among key advancements, the new variant of OilRig introduces a variety of new command and control (C&C) and data exfiltration capabilities:

Google Drive C&C – The OilRig group has built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes. Among other things, it supports a variety of configuration settings, uses encryption and registers as a service. The malware retrieves commands from the attacker’s account on Google Drive and exfiltrates files to it. At the time of the research, this RAT was not detectable by any antivirus (AV) engine that is part of VirusTotal.

SmartFile C&C – The attacker used a crafted tool that leveraged the public APIs of SmartFile.com, a file sharing and transfer solution, as a C&C. This allowed attackers to upload and download files to and from infected machines as well as run ad-hoc commands. At the time of the research, this RAT generated 1 out of 68 VirusTotal detections.

ISAPI filter-based C&C – This new attack used ISAPI filters to extend the functionality of Microsoft Internet Information Services (IIS) servers. An ISAPI filter provides a more covert way to execute commands on a previously compromised machine versus using a web page, allowing the attacker to execute commands by accessing any path on the server. Based on publicly available information, Nyotron believes this is the first time the OilRig group has used ISAPI filters. This unique approach avoids detection by most, if not all, security products.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks,” said Nir Gaist, Founder and CTO of Nyotron. “This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques.”

A full report on the company’s findings can be found at www.nyotron.com/oilrig.

About Nyotron
Nyotron provides the industry’s first OS-Centric Positive Security to strengthen desktop, laptop and server protection. By mapping legitimate operating system behavior, Nyotron’s PARANOID understands all the normative ways that may lead to damage, such as file deletion, data exfiltration, encryption, and more. Focusing on these finite “good” actions allows PARANOID to be completely agnostic to threats and attack vectors. PARANOID seamlessly coexists with antivirus and next-generation antivirus solutions based on the negative security model and provides the last line of defense from modern state-level attacks. Nyotron is headquartered in Santa Clara, CA with an R&D office in Israel.