OilRig is Back with Next-Generation Malware
The infamous OilRig malware campaign is back and much harder to detect and stop. Since November 2017, Nyotron’s research team has been tracking active OilRig attacks on a number of organizations across the Middle East. The Iran-linked OilRig group has significantly evolved its tactics, techniques and procedures, and has introduced next-generation malware tools and new data exfiltration methods.
What’s New?
Attackers have used about 20 different tools throughout their latest malware campaign. Some were off-the-shelf, dual-purpose utilities, while others were previously unseen malware that used the Google Drive and SmartFile online file sharing and transfer services, as well as an Internet Server Application Programming Interface (ISAPI) filter, to exfiltrate data from compromised IIS servers. These demonstrate the OilRig group’s ongoing capability advancements.
Example of One OilRig Attack
Here’s our timeline for OilRig activity along with PARANOID mitigation.
November 16, 2017
December 05, 2017
December 09, 2017
December 10, 2017
December 18, 2017
December 20, 2017
December 23, 2017
December 24, 2017
December 30, 2017
How Nyotron’s PARANOID Protects from Next-Generation OilRig
PARANOID, applying an OS-Centric Positive Security model, fully protects Nyotron’s customers from the latest iteration of OilRig. The devil is in the details. Our in-depth technical report describes the attack and the tactics, techniques and procedures used, to help security professionals deal with the same threat actor in the future.