OilRig is Back with Next-Generation Malware

The infamous OilRig malware campaign is back, and it is much harder to detect and stop. Since November 2017, Nyotron's research team has been tracking active OilRig attacks on a number of organizations across the Middle East. The Iran-linked OilRig group has significantly evolved its tactics, techniques and procedures (TTPs), introducing new malware tools and new data exfiltration methods.

What’s New?

Attackers used about 20 different tools throughout their latest campaign. Some were off-the-shelf, dual-purpose utilities, while others were previously unseen malware that used the Google Drive and SmartFile online file-sharing services to communicate with the attackers and exfiltrate data, and a malicious Internet Server Application Programming Interface (ISAPI) filter loaded into compromised IIS servers to exfiltrate data. These demonstrate the ongoing capability advancements of the OilRig group.
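An ISAPI filter is a native DLL that IIS loads into its worker process for every request, so a malicious one can read or copy request and response data without touching the web application itself. The registered filters (and global native modules) live in IIS's applicationHost.config, which makes that file a natural place to hunt. The script below is an added example written for this page, not Nyotron's tooling or anything taken from the OilRig report: it parses a constructed applicationHost.config fragment (not a real capture), lists every native load point, and flags filters or modules whose DLL is loaded from outside an allow-list of directories IIS normally loads from. The allow-list, the environment-variable table and the sample entries are illustrative assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Hypothetical allow-list of directories IIS's own native filters and modules
# normally load from. Adjust for the host's actual IIS/.NET layout.
TRUSTED_DIRS = {
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
    r"c:\windows\microsoft.net\framework\v4.0.30319",
}

# Offline stand-in for os.path.expandvars on the target host (assumed values).
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows", "%systemdrive%": "C:"}

# Constructed applicationHost.config fragment (not a real capture): two legitimate
# filters/modules plus one filter whose DLL sits under a web-root directory.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll"
              enableCache="true" preCondition="runtimeVersionv4.0,bitness64" />
      <filter name="Default Filter" path="C:\inetpub\wwwroot\bin\filter.dll" enableCache="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""


def expand(path):
    """Expand the %VAR% references IIS uses in applicationHost.config (case-insensitive)."""
    out = path
    for var, val in ENV.items():
        # A lambda avoids backslash escape processing in the replacement string.
        out = re.sub(re.escape(var), lambda m, v=val: v, out, flags=re.IGNORECASE)
    return out


def native_load_points(config_xml):
    """Return (kind, name, dll_path, enabled) for every ISAPI filter and global module."""
    root = ET.fromstring(config_xml)
    ws = root.find("system.webServer")
    if ws is None:
        return []
    entries = []
    for f in ws.iterfind("isapiFilters/filter"):
        entries.append(("isapiFilter", f.get("name"), f.get("path", ""), f.get("enabled", "true")))
    for m in ws.iterfind("globalModules/add"):
        entries.append(("globalModule", m.get("name"), m.get("image", ""), "true"))
    return entries


def suspicious_load_points(config_xml, trusted_dirs=TRUSTED_DIRS):
    """Flag enabled native load points whose DLL directory is not on the allow-list."""
    findings = []
    for kind, name, raw, enabled in native_load_points(config_xml):
        if enabled.lower() != "true":
            continue
        full = PureWindowsPath(expand(raw))
        if str(full.parent).lower() not in trusted_dirs:
            findings.append({"kind": kind, "name": name, "path": str(full)})
    return findings


if __name__ == "__main__":
    # On a host, pass %windir%\System32\inetsrv\config\applicationHost.config as argv[1].
    xml_text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for hit in suspicious_load_points(xml_text):
        print(f"{hit['kind']:12} {hit['name']!r} loads {hit['path']}")
```

Run against the constructed sample, only "Default Filter" is reported, because its DLL lives under C:\inetpub\wwwroot\bin rather than an IIS system directory. On a real server, cross-check the flagged DLL's signature and creation time and the same data from `appcmd list config /section:isapiFilters`, since a filter can also be registered at the site level rather than globally.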

Example of One OilRig Attack

Here is our timeline of the OilRig activity we observed, alongside PARANOID's mitigations.

November 16, 2017
  • Gains entry to a Terminal Server with an external partner’s credentials
  • Downloads additional malicious tools
  • Performs reconnaissance
December 05, 2017
  • Moves laterally to additional servers
  • Escalates privileges
  • Establishes persistence (scheduled task, web shell, registry keys)
December 09, 2017
  • Creates a folder named after the attacked network in the attacker’s Google Drive
December 10, 2017
  • Installs the Google Drive RAT on the compromised server
December 18, 2017
  • PARANOID is installed on possibly compromised servers
  • PARANOID prevents communication with the attacker’s Google Drive
December 20, 2017
  • PARANOID blocks lateral movement attempts using the EternalBlue exploit
  • PARANOID prevents attempts to steal data using Meterpreter
December 23, 2017
  • Creates a folder named after the external partner company name in the attacker’s Google Drive
December 24, 2017
  • PARANOID blocks repeated internal reconnaissance and data exfiltration attempts
December 30, 2017
  • PARANOID blocks network probing for data exfiltration purposes

How Nyotron’s PARANOID Protects from Next-Generation OilRig

PARANOID, applying an OS-Centric Positive Security model, protects Nyotron's customers from the latest iteration of OilRig. The devil is in the details. Our in-depth technical report describes the attack and the tactics, techniques and procedures used, to help security professionals deal with the same threat actor in the future.