ESET researchers analyzed a growing series of OilRig downloaders that the group used in several campaigns throughout 2022 to maintain access to target organizations of special interest – all located in Israel. These lightweight downloaders, which we named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, are notable for using one of several legitimate cloud service APIs for C&C communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API.
In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims. The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.
We discovered the earliest of the series, the SC5k (v1) downloader, in November 2021, when it was used in OilRig’s Outer Space campaign, documented in our recent blogpost. In the present blogpost, we focus on all the SC5k successors that OilRig developed throughout 2022, with a new variation introduced every few months; we also take a closer look at the mechanisms employed by these downloaders. We also compare these downloaders to other OilRig backdoors that use email-based C&C protocols and that were reported earlier this year by Trend Micro (MrPerfectionManager) and Symantec (PowerExchange).
Finally, this blogpost also expands on our LABScon 2023 presentation, where we drilled down into how OilRig keeps access to selected Israeli organizations: all the downloaders studied in this blogpost were deployed in networks that had previously been affected by multiple OilRig tools, which underlines the fact that OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks.
Key points of this blogpost:
- OilRig actively developed and used a series of downloaders with similar logic throughout 2022: three new downloaders – ODAgent, OilCheck, OilBooster – and newer versions of the SC5k downloader.
- The downloaders use various legitimate cloud service APIs for C&C communication and data exfiltration: Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API.
- Targets, all in Israel, included an organization in the healthcare sector, a manufacturing company, a local governmental organization, and other organizations.
- All targets were previously affected by multiple OilRig campaigns.
Attribution
OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications.
OilRig carried out the DNSpionage campaign in 2018 and 2019, which targeted victims in Lebanon and the United Arab Emirates. In 2019 and 2020, OilRig continued its attacks with the HardPass campaign, which used LinkedIn to target Middle Eastern victims in the energy and government sectors. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as mentioned in the T3 2021 issue of the ESET Threat Report. In 2022 and 2023, the group carried out several attacks against local government entities and healthcare organizations in Israel, using its new backdoors Solar and Mango. In 2023, OilRig targeted organizations in the Middle East with the PowerExchange and MrPerfectionManager backdoors, and related tools to harvest internal mailbox account credentials and then to leverage these accounts for exfiltration.
We attribute the SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig with a high level of confidence, based on these indicators:
- Targets:
  - These downloaders were deployed only against Israeli organizations, which aligns with typical OilRig targeting.
  - The observed verticals of the victims also align with OilRig’s interests – for example, we have seen OilRig previously targeting the Israeli healthcare sector, as well as the local government sector in Israel.
- Code similarities:
  - The SC5k v2 and v3 downloaders evolved naturally from the initial version, which was previously used in OilRig’s Outer Space campaign. ODAgent, OilCheck and OilBooster share similar logic, and all use various cloud service providers for their C&C communications, as do SC5k, Marlin, PowerExchange, and MrPerfectionManager.
  - While not unique to OilRig, these downloaders have a low level of sophistication and are often unnecessarily noisy on the system, which is a practice we previously observed in its Out to Sea campaign.
Overview
In February 2022, we detected a new OilRig downloader, which we named ODAgent based on its filename: ODAgent.exe. ODAgent is a C#/.NET downloader that, similarly to OilRig’s Marlin backdoor, uses the Microsoft OneDrive API for C&C communications. Unlike Marlin, which supports a comprehensive list of backdoor commands, ODAgent’s narrow capabilities are limited to downloading and executing payloads, and to exfiltrating staged files.
ODAgent was detected in the network of a manufacturing company in Israel – interestingly, the same organization was previously affected by OilRig’s SC5k downloader, and later by another new downloader, OilCheck, between April and June 2022. SC5k and OilCheck have capabilities similar to ODAgent’s, but use cloud-based email services for their C&C communications.
Throughout 2022, we observed the same pattern repeated on several occasions, with new downloaders being deployed in the networks of previous OilRig targets: for example, between June and August 2022, we detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel. Later we detected yet another SC5k version (v3), in the network of an Israeli healthcare organization, also a previous OilRig victim.
SC5k is a C#/.NET application whose purpose is to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API. The new versions introduced changes to make retrieval and analysis of the malicious payloads harder for analysts (SC5k v2), and new exfiltration functionality (SC5k v3).
All the downloaders, summarized in Figure 1, share similar logic but have different implementations and show increasing complexity over time, alternating C#/.NET binaries with C/C++ applications, varying the cloud service providers misused for the C&C communication, and other specifics.
![Figure 1. Timeline of OilRig’s downloaders](https://web-assets.esetstatic.com/wls/2020/03/figure-1-timeline-oilrig-downloaders.png)
OilRig has only used these downloaders against a limited number of targets, all located in Israel and, according to ESET telemetry, all of them were persistently targeted months earlier by other OilRig tools. As it is common for organizations to access Office 365 resources, OilRig’s cloud service-powered downloaders can blend more easily into the regular stream of network traffic – apparently also the reason why the attackers chose to deploy these downloaders to a small group of especially interesting, repeatedly victimized targets.
As of this writing, the following (only Israeli, as noted above) organizations have been affected:
- a manufacturing company (SC5k v1, ODAgent, and OilCheck),
- a local governmental organization (SC5k v1, OilBooster, and SC5k v2),
- a healthcare organization (SC5k v3), and
- other unidentified organizations in Israel (SC5k v1).
Unfortunately, we don’t have information about the initial attack vector used to compromise the targets discussed in this blogpost – we can’t confirm whether the attackers were able to successfully compromise the same organizations repeatedly, or whether they somehow managed to keep their foothold in the network in between deploying various tools.
Technical analysis
In this section, we provide a technical analysis of OilRig’s downloaders used throughout 2022, with the details of how they abuse various cloud storage services and cloud-based email providers for their C&C communications. All of these downloaders follow similar logic:
- They use a shared (email or cloud storage) account to exchange messages with the OilRig operators; the same account can be used against multiple victims.
- They access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.
In our analysis, we focus on these characteristics of the downloaders:
- Specifics of the network communication protocol (e.g., Microsoft Graph API vs. Microsoft Office EWS API).
- The mechanism used to distinguish between different attacker-staged and downloader-uploaded messages in the shared account, including the mechanism to distinguish between messages uploaded from various victims.
- Specifics of how the downloaders process commands and payloads downloaded from the shared account.
Table 1 summarizes and compares how the individual downloaders implement these characteristics; we then analyze the first (SC5k) and the most complex (OilBooster) downloaders in detail as examples of tools abusing cloud-based email services and cloud storage services, respectively.
Table 1. A summary of the main characteristics of OilRig’s downloaders abusing legitimate cloud service providers
| Mechanism | SC5k v1 | SC5k v2 | SC5k v3 | OilCheck | OilBooster | ODAgent |
|---|---|---|---|---|---|---|
| C&C protocol | A shared Microsoft Exchange email account; C&C communication embedded in draft messages. | Same as SC5k v1. | Same as SC5k v1. | Same as SC5k v1. | A shared OneDrive account; files with various extensions to distinguish action types. | Same as OilBooster. |
| Network communications | Microsoft Office EWS API | Microsoft Office EWS API | Microsoft Office EWS API | Microsoft Graph (Outlook) API | Microsoft Graph (OneDrive) API | Microsoft Graph (OneDrive) API |
| Victim identification mechanism | The sg extended property of the email draft is set to <victimID>. | An unknown extended email property is set to <victimID>. | The From field has the username portion of the email address set to <victimID>. | The zigorat extended property of the email draft is set to <victimID>. | All communication for, and from, the specific victim is uploaded to a victim-specific subdirectory named <victimID>. | Same as OilBooster. |
| Keep-alive message | The type extended property of the email draft is set to 3; the current GMT time is in the email body. | An unknown extended property of the email draft is set to 0; the email body is empty. | The From field of the email draft is set to <victimID>@yahoo.com; the current GMT time is in the email body. | The type extended property of the email draft is set to 3; the current GMT time is in the email body. | A file named <victimID>/setting.ini. | A file named <victimID>/data.ini. |
| File for download | The type extended property of the email draft is set to 1; the attached file has any extension other than .json. | An unknown extended property of the email draft is set to 1; the attached file has any extension other than .bin. | The From field of the email draft is set to <victimID>@outlook.com, with the message category set to file. | The type extended property of the email draft is set to 1; the attached file has a .biz extension. | A file with a .docx extension in the <victimID>/items subdirectory. | A non-JSON file in the <victimID>/o subdirectory. |
| Exfiltrated file | The type extended property of the email draft is set to 2; the attached file has the .tmp1 extension. | An unknown extended property of the email draft is set to 2; the attached file has a .tmp extension. | The From field of the email draft is set to <victimID>@aol.com, with the file category. | The type extended property of the email draft is set to 2; the attached file has a .biz extension. | A file with a .xlsx extension in the <victimID>/items subdirectory. | A non-JSON file in the <victimID>/i subdirectory. |
| Command for execution | The type extended property of the email draft is set to 1; the attached file has a .json extension. | An unknown extended property of the email draft is set to 1; the attached file has a .bin extension. | The From field of the email draft is set to <victimID>@outlook.com, without the file category. | The type extended property of the email draft is set to 1; the attached file has any extension other than .biz. | A file with a .doc extension in the <victimID>/items subdirectory. | A JSON file in the <victimID>/o subdirectory. |
| Command output | The type extended property of the email draft is set to 2; the attached file has a .json extension. | An unknown extended property of the email draft is set to 2; the attached file has a .bin extension. | The From field of the email draft is set to <victimID>@aol.com, with the text category. | The type extended property of the email draft is set to 2. | A file with a .xls extension in the <victimID>/items subdirectory. | A JSON file in the <victimID>/i subdirectory. |
SC5k downloader
The SampleCheck5000 (or SC5k) downloader is a C#/.NET application, and the first in a series of OilRig’s lightweight downloaders that use legitimate cloud services for their C&C communication. We briefly documented the first variant in our recent blogpost, and have since discovered two newer variants.
All SC5k variants use the Microsoft Office EWS API to interact with a shared Exchange mail account, as a way to download additional payloads and commands, and to upload data. Email drafts and their attachments are the primary vehicle for the C&C traffic in all versions of this downloader, but the later versions increase the complexity of this C&C protocol (SC5k v3) and add detection evasion capabilities (SC5k v2). This section focuses on highlighting these differences.
Exchange account used for C&C communication
At runtime, SC5k connects to a remote Exchange server via the EWS API to obtain additional payloads and commands to execute from an email account shared with the attacker (and usually other victims). By default, a Microsoft Office 365 Outlook account is accessed via the https://outlook.office365.com/EWS/Exchange.asmx URL using hardcoded credentials, but some SC5k versions also have the capability to connect to other remote Exchange servers when a configuration file with a hardcoded name (setting.key, set.idl) is present and contains the corresponding credentials.
We have seen the following email addresses used by SC5k versions for C&C communication, the first of which gave the downloader its name:
- samplecheck5000@outlook.com
- FrancesLPierce@outlook.com
- SandraRCharles@outlook.com
In SC5k v2, the default Microsoft Exchange URL, email address, and password are not included in the main module – instead, the downloader’s code has been split into several modules. We have detected only versions of the main application, which logs into a remote Exchange server, iterates through emails in the Drafts directory, and extracts additional payloads from their attachments. However, this application depends on two external classes that were not present in the detected samples and are probably implemented in the missing module(s):
- The class init should provide an interface to obtain the email address, username, and password required to log into the remote Exchange account, and other configuration values from the other module.
- The class structure should implement functions used for encryption, compression, executing downloaded payloads, and other helper functions.
These changes were likely introduced to make retrieval and analysis of the malicious payloads harder for analysts, as the two missing classes are essential for identifying the Exchange account used for malware distribution.
C&C and exfiltration protocol
In all versions, the SC5k downloader repeatedly logs into a remote Exchange server using the ExchangeService .NET class in the Microsoft.Exchange.WebServices.Data namespace to interact with the EWS API. Once connected, SC5k reads email messages with attachments in the Drafts directory to extract attacker commands and additional payloads. Conversely, in each connection, SC5k exfiltrates files from a local staging directory by creating new email drafts in the same email account. The path to the staging directory varies across samples.
Of interest is the way both the operators and the various instances of this downloader can distinguish between the different types of drafts in the shared email account. For one, each email draft has a <victimID> included, which allows the same Exchange account to be used for multiple OilRig victims:
- For v1 and v2, the downloader transmits the <victimID> as a custom attribute of the email draft via the SetExtendedProperty method.
- For v3, the downloader incorporates the <victimID> into the From field of the email draft.
The <victimID> is typically generated using the compromised system’s information, such as the system volume ID or the computer name, as shown in Figure 2.
![Figure 2. SC5k v3 calculates a <victimID> from the compromised computer’s name](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-2-sc5k-v3-calculates-a-victimid-from-the-compromised-computer-s-name.png)
Additionally, various email properties can be used to distinguish between messages created by the operators (commands, additional payloads) and messages created by the malware instances (command outputs, exfiltrated files). SC5k v1 and v2 use file extensions (of the draft attachments) to make that distinction, while SC5k v3 uses the From and MailItem.Categories fields of the email draft to distinguish between the various actions. At any point, the email drafts in the shared email account can serve various purposes, as summarized in Table 2 and explained below. Note that the email addresses used in the From field are not genuine; because SC5k never sends out any actual email messages, these attributes are only used to distinguish between different malicious actions.
Table 2. Types of email messages used by SC5k v3 for C&C communications
| From | MailItem.Categories | Created by | Details |
|---|---|---|---|
| <victimID>@yahoo.com | N/A | SC5k v3 instance | Created to register the victim with the C&C server, and renewed periodically to indicate that the malware is still active. |
| <victimID>@outlook.com | file | C&C server | Attached file is decrypted, decompressed, and dumped on the victim’s computer. |
| <victimID>@outlook.com | Other than file | C&C server | Attached command is decrypted, decompressed, then passed as an argument to a file already present on the compromised machine, presumably a command interpreter. |
| <victimID>@aol.com | file | SC5k v3 instance | Created to exfiltrate a file from a staging directory. |
| <victimID>@aol.com | text | SC5k v3 instance | Created to send command output to the C&C server. |
More specifically, SC5k v3 processes (and then deletes) those email messages in the shared Exchange account that have the From field set to <victimID>@outlook.com, and distinguishes between commands and additional payloads by the message category (MailItem.Categories):
- For payloads, the attached file is XOR decrypted using the hardcoded key &5z, then gzip decompressed and dumped in the working directory.
- For shell commands, the draft attachment is base64 decoded, XOR decrypted, and then executed locally using cmd.exe or, in the case of SC5k v3, using a custom command interpreter located under the name <baseDirectory>*Ext.dll. This file is then loaded via Assembly.LoadFrom, and its extend method is invoked with the command passed as an argument.
To communicate with the attackers, SC5k v3 creates draft messages with a different From field: <victimID>@aol.com. Attached to these messages are outputs of previously received commands, or contents of the local staging directory. Files are always gzip compressed and XOR encrypted before being uploaded to the shared mailbox, while shell commands and command outputs are XOR encrypted and base64 encoded.
Finally, SC5k v3 repeatedly creates a new draft in the shared Exchange account with the From field set to <victimID>@yahoo.com, to indicate to the attackers that this downloader instance is still active. This keep-alive message, whose construction is shown in Figure 3, has no attachment and is renewed with each connection to the remote Exchange server.
![Figure 3. Keep-alive functionality implemented by the SC5k v3 downloader](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-3-keep-alive-functionality-implemented-by-the-sc5k-v3-downloader.png)
Other OilRig tools using email-based C&C protocols
Besides SC5k, other notable OilRig tools were discovered subsequently (in 2022 and 2023) that abuse APIs of legitimate cloud-based email services for exfiltration and for both directions of their C&C communication.
OilCheck, a C#/.NET downloader discovered in April 2022, also uses draft messages created in a shared email account for both directions of the C&C communication. Unlike SC5k, OilCheck uses the REST-based Microsoft Graph API to access a shared Microsoft Office 365 Outlook email account, not the SOAP-based Microsoft Office EWS API. While SC5k uses the built-in ExchangeService .NET class to create the API requests transparently, OilCheck builds the API requests manually. The main characteristics of OilCheck are summarized in Table 1 above.
Earlier in 2023, two other OilRig backdoors were publicly documented: MrPerfectionManager (Trend Micro, February 2023) and PowerExchange (Symantec, October 2023), both using email-based C&C protocols to exfiltrate data. A notable difference between these tools and the OilRig downloaders studied in this blogpost is that the former use the victimized organization’s Exchange server to transmit email messages from and to the attacker’s email account. In contrast, with SC5k and OilCheck, both the malware and the operator access the same Exchange account and communicate by creating email drafts, never sending an actual message.
In any case, the new findings confirm the trend of OilRig moving away from the previously used HTTP/DNS-based protocols to using legitimate cloud service providers as a way to conceal its malicious communication and to mask the group’s network infrastructure, while still experimenting with various flavors of such alternative protocols.
OilBooster downloader
OilBooster is a 64-bit portable executable (PE) written in Microsoft Visual C/C++ with statically linked OpenSSL and Boost libraries (hence the name). Like OilCheck, it uses the Microsoft Graph API to connect to a Microsoft Office 365 account. Unlike OilCheck, it uses this API to interact with a OneDrive (not Outlook) account controlled by the attackers for C&C communication and exfiltration. OilBooster can download files from the remote server, execute files and shell commands, and exfiltrate the results.
Overview
Upon execution, OilBooster hides its console window (via the ShowWindow API) and verifies that it was executed with a command line argument; otherwise it terminates immediately.
OilBooster then builds a <victimID> by combining the compromised computer’s hostname and username: <hostname>-<username>. This identifier is later used in the C&C communication: OilBooster creates a dedicated subdirectory on the shared OneDrive account for each victim, which is then used to store backdoor commands and additional payloads (uploaded by the operators), command results, and exfiltrated data (uploaded by the malware). This way, the same OneDrive account can be shared by multiple victims.
Figure 4 shows the structure of the shared OneDrive account and the local working directory, and summarizes the C&C protocol.
![Figure 4. Overview of OilBooster’s C&C communication protocol using a shared OneDrive account](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-4-overview-of-oilbooster-s-c-c-communication-protocol-using-a-shared-onedrive-account.png)
As shown in Figure 4, the OilRig operator uploads backdoor commands and additional payloads to the victim-specific directory on OneDrive, as files with the .doc and .docx extensions, respectively. On the other end of the C&C protocol, OilBooster uploads command results and exfiltrated data as files with the .xls and .xlsx extensions, respectively. Note that these are not genuine Microsoft Office files, but rather JSON files with XOR-encrypted and base64-encoded values.
Figure 5 shows OilBooster spawning instances of two threads in an indefinite loop, sleeping for 153,123 milliseconds after each iteration:
![Figure 5. OilBooster’s main function](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-5-oilbooster-s-main-function.png)
Both threads interact with the shared OneDrive account:
- A downloader thread handles C&C communication and executes downloaded payloads.
- An exfiltration thread exfiltrates data from the local staging directory.
The downloader thread connects to the attacker-controlled OneDrive account and iterates through all files with the .doc and .docx extensions, which are then downloaded, decrypted, and parsed in order to extract and execute additional payloads on the compromised host. A local subdirectory named items in the current working directory (where OilBooster is deployed) is used to store the downloaded files. As shown in Figure 6, each connection attempt is handled in a separate thread instance, launched once every 53,123 milliseconds.
The exfiltration thread iterates over another local subdirectory, named tempFiles, and exfiltrates its contents to the shared OneDrive account, where they are uploaded as individual files with the .xlsx extension. The staging directory is cleared this way once every 43,123 milliseconds in a separate thread instance, as also seen in Figure 6.
![Figure 6. Each iteration of the downloader and exfiltration loops is spawned in a new thread](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-6-each-iteration-of-the-downloader-and-exfiltration-loops-is-spawned-in-a-new-thread.png)
Network communication
For C&C communication and exfiltration, OilBooster uses the Microsoft Graph API to access the shared OneDrive account, using a variety of HTTP GET, POST, PUT, and DELETE requests to the graph.microsoft.com host over the standard port 443. For brevity, we will also refer to these requests as OneDrive API requests. The encrypted communication is facilitated by the statically linked OpenSSL library, which handles the TLS side of the connection.
To authenticate to the OneDrive account, OilBooster first obtains an OAuth2 access token from the Microsoft identity platform (the authorization server) by sending a POST request with the following body over port 443 to login.microsoftonline.com/common/oauth2/v2.0/token, using hardcoded credentials:
```
client_id=860b23a7-d484-481d-9fea-d3e6e129e249
&redirect_uri=https://login.live.com/oauth20_desktop.srf
&client_secret=<redacted>
&refresh_token=<redacted>
&grant_type=refresh_token
```
OilBooster obtains a new access token this way, which is then used in the Authorization header of the subsequent OneDrive API requests, along with a new refresh token. OilBooster also has a backup channel to request a new refresh token from its C&C server after 10 consecutive unsuccessful connections to the OneDrive server. As shown in Figure 7, the new token can be acquired by sending a simple HTTP GET request on port 80 to host1[.]com/rt.ovf (a legitimate, likely compromised website), which should respond with the new refresh token in cleartext in the HTTP response body.
![Figure 7. OilBooster can request a new refresh token from its fallback C&C server after 10 unsuccessful connection attempts to the abused OneDrive account](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-7-oilbooster-can-request-a-new-refresh-token-from-its-fallback-c-c-server.png)
The various network connections made by OilBooster are summarized in Figure 8.
![Figure 8. Overview of OilBooster’s network communications](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-8-overview-of-oilbooster-s-network-comms.png)
Downloader loop
In the downloader loop, OilBooster repeatedly connects to the shared OneDrive account to obtain a list of files with the .docx and .doc extensions in the victim-specific subdirectory named <victimID>/items/ by sending an HTTP GET request over port 443 to this URL:
```
graph.microsoft.com/v1.0/me/drive/root:/<victimID>/items:/children?$filter=endsWith(name,'.doc')%20or%20endsWith(name,'.docx')&$select=id,name,file
```
If the connection is not successful (the HTTP_STATUS_DENIED response status) after 10 attempts, OilBooster connects to its fallback C&C server, host1[.]com/rt.ovf, to acquire a new refresh token, as discussed earlier.
Alternatively, if the specified directory does not yet exist (HTTP_STATUS_NOT_FOUND), OilBooster first registers the victim on the shared OneDrive account by sending an HTTP POST request over port 443 to this URL: graph.microsoft.com/v1.0/me/drive/items/root:/<victimID>:/children with the JSON string {"name": "items","folder":{}} as the request body, as shown in Figure 9. This request creates the whole directory structure <victimID>/items at once, which will later be used by the attackers to store commands and additional payloads disguised as .doc and .docx files.
![Figure 9. On first connection, OilBooster creates a victim-specific directory on the shared OneDrive account](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-9-oilbooster-creates-a-victim-specific-directory-on-onedrive.png)
On subsequent connections (with HTTP_STATUS_OK), OilBooster processes these files to extract and execute payloads. OilBooster first downloads each file from the OneDrive account and deletes it from OneDrive after processing the file.
Finally, after going through all the .doc and .docx files downloaded from the OneDrive subdirectory, OilBooster records the last connection timestamp (the current GMT time) by creating a new file named setting.ini in the victim’s OneDrive subdirectory, via an HTTP PUT request on port 443 made to this URL: graph.microsoft.com/v1.0/me/drive/root:/<victimID>/setting.ini:/content.
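The request shapes in this section are the most useful detection handle the report offers, so here is an added example (not ESET’s code and not taken from the malware) that classifies proxy log lines against the Graph API URLs described for OilBooster and extracts the victim ID. It assumes URL-level visibility into the TLS session (a decrypting proxy or endpoint telemetry), a constructed `<method> <url> <status>` log format and a constructed victim ID; the fallback URL is the report’s host1[.]com/rt.ovf written undefanged for matching.

```python
import re
from urllib.parse import unquote

# Request shapes reported for OilBooster against graph.microsoft.com; <victimID> is captured.
OILBOOSTER_PATTERNS = [
    ("list_commands", "GET", r"/v1\.0/me/drive/root:/(?P<victim>[^/]+)/items:/children"
     r"\?\$filter=endsWith\(name,'\.doc'\) or endsWith\(name,'\.docx'\)"),
    ("register_victim", "POST", r"/v1\.0/me/drive/items/root:/(?P<victim>[^/:]+):/children$"),
    ("write_timestamp", "PUT", r"/v1\.0/me/drive/root:/(?P<victim>[^/]+)/setting\.ini:/content$"),
    ("upload_result", "PUT", r"/v1\.0/me/drive/root:/(?P<victim>[^/]+)/items/[^/]+\.xls:/content$"),
]
# Fallback refresh-token URL from the report (host1[.]com/rt.ovf), undefanged for matching.
FALLBACK_C2 = re.compile(r"^https?://host1\.com/rt\.ovf$")
GRAPH = "https://graph.microsoft.com"

def classify(method: str, url: str):
    """Return (tag, victim_id) when a request matches an OilBooster shape, else None."""
    if FALLBACK_C2.match(url):
        return ("fallback_refresh_token", None)
    if not url.startswith(GRAPH + "/"):
        return None
    path = unquote(url[len(GRAPH):])  # %20 -> space so the $filter literal compares cleanly
    for tag, expected_method, pattern in OILBOOSTER_PATTERNS:
        match = re.match(pattern, path)
        if method == expected_method and match:
            return (tag, match.group("victim"))
    return None

def scan(log_lines):
    """Assumed (constructed) log format: '<method> <url> <status>' per line.
    Returns [(tag, victim_id, status), ...] for matching lines, in log order."""
    hits = []
    for line in log_lines:
        method, url, status = line.split()
        hit = classify(method, url)
        if hit:
            hits.append((hit[0], hit[1], int(status)))
    return hits

# Constructed sample log: one OilBooster registration sequence plus one benign OneDrive listing.
SAMPLE_LOG = [
    "GET https://graph.microsoft.com/v1.0/me/drive/root:/WS01-jdoe/items:/children"
    "?$filter=endsWith(name,'.doc')%20or%20endsWith(name,'.docx')&$select=id,name,file 404",
    "POST https://graph.microsoft.com/v1.0/me/drive/items/root:/WS01-jdoe:/children 201",
    "PUT https://graph.microsoft.com/v1.0/me/drive/root:/WS01-jdoe/items/a91f.xls:/content 201",
    "PUT https://graph.microsoft.com/v1.0/me/drive/root:/WS01-jdoe/setting.ini:/content 201",
    "GET https://graph.microsoft.com/v1.0/me/drive/root:/Documents:/children 200",
    "GET https://host1.com/rt.ovf 200",
]
```

A 404 on the listing followed by a POST that creates `<victimID>/items` is the first-contact sequence described above; repeated PUTs to `setting.ini` from one host reveal the polling cadence.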
Processing .doc files
Files with the .doc extension downloaded from the shared OneDrive account are actually JSON files with encrypted commands to be executed on the compromised host. Once a <filename>.doc is downloaded, OilBooster parses the values named s (part of the decryption key) and c (encrypted command) from the file content. It first base64 decodes, then XOR decrypts the c value, using a key that is created by appending the last two characters of the s value to the last two characters of <filename>.
After decryption, OilBooster executes the command line in a new thread using the CreateProcessW API, and reads the command result via an unnamed pipe connected to the process. OilBooster then uploads the command result to the shared OneDrive account as a new file named <filename>.xls by sending an HTTP PUT request over port 443 to graph.microsoft.com/v1.0/me/drive/root:/<victimID>/items/<filename>.xls:/content.
Processing .docx files
Files with the .docx extension downloaded from the shared OneDrive account are actually compressed and encrypted files named <filename>.<original extension>.docx that will be dropped and unpacked on the compromised system. OilBooster first downloads the encrypted file to the local directory named <currentdir>items, using the original full filename.
In the next step, it reads and decrypts the file content using an XOR cipher with .<original extension> as the decryption key, and drops it in the same directory into a file named <filename>.<original extension>.doc, while the first one is deleted. Finally, OilBooster reads and gzip decompresses the decrypted file, drops the result in the same directory as a file named <filename>.<original extension>, and deletes the other one.
Note the unnecessary creation of multiple files in the process – this is typical for OilRig. We previously described the group’s noisy operations on compromised hosts in its Out to Sea campaign.
Exfiltration loop
In the exfiltration thread, OilBooster loops over the contents of the local directory named <currentdir>tempFiles, and uploads the file contents to the victim’s folder on the shared OneDrive account. Each file is processed in this way:
- OilBooster gzip compresses the original file <filename>.<original extension> and writes the result to a file named <filename>.<original extension>.xlsx in the same directory.
- It then encrypts the compressed file using an XOR cipher and .<original extension> as the key. If there is no file extension, 4cx is used as the default key.
Finally, the encrypted file is uploaded to the OneDrive account, and the local file is deleted.
ODAgent downloader: OilBooster’s precursor
ODAgent is a C#/.NET application that uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C&C communication and exfiltration – in short, ODAgent is loosely a C#/.NET precursor of OilBooster. Similar to OilBooster, ODAgent repeatedly connects to the shared OneDrive account and lists the contents of the victim-specific folder to obtain additional payloads and backdoor commands.
As shown in Figure 10, ODAgent then parses the metadata for each remote file. Subsequently, it uses the value of the mimeType key associated with the file to distinguish between backdoor commands (formatted as JSON files) and encrypted payloads – this is unlike OilBooster, which uses file extensions for that distinction. After processing a file locally, ODAgent deletes the original from the remote OneDrive directory via the OneDrive API.
![Figure 10. ODAgent’s code responsible for parsing JSON files obtained from the shared OneDrive account](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-10-odagent-s-code-responsible-for-parsing-json-files.png)
If the downloaded file is a JSON file, ODAgent parses the a1 (command ID), a2 (encrypted backdoor command) and a3 (secret) arguments. It first derives the session key by XORing the supplied secret with the hardcoded value 15a49w@]. Then, it base64 decodes and XOR decrypts the backdoor command using this session key. Table 3 lists all backdoor commands supported by ODAgent.
Table 3. Backdoor commands supported by ODAgent
| Backdoor command | Description |
|---|---|
| odt> | Returns the path to the current working directory. |
| dly><delaytime> | Configures the number of seconds to wait after each connection to <delaytime>. |
| <commandline> | Executes the specified <commandline> via the native API and returns the command output. |
Other (non-JSON) files downloaded from the shared OneDrive account are files and additional payloads, both encrypted. ODAgent XOR decrypts these files with the hardcoded key 15a49w@], and drops them in the local <currentdir>o directory under the same filename. If the original file has a .c extension, its content is also gzip decompressed (and the extension is then dropped from the filename).
At the end of each connection, ODAgent uploads the contents of the local directory <currentdir>i to the <victimID>/i directory on the shared OneDrive account, preserving the original filenames with the added .c extension.
![Figure 11. ODAgent’s exfiltration loop](https://web-assets.esetstatic.com/wls/2023/2023-12/figure-11-odagent-s-exfiltration-loop.png)
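For analysts who recover these artifacts from a shared OneDrive account or a host, the following added example (not ESET’s code and not the malware’s) works through the formats described above for OilBooster (.doc command files, .docx drops, .xlsx exfil files) and ODAgent (JSON command files and XOR/gzip payloads). Assumptions: the .doc key is <filename>’s last two characters followed by the last two of s (the report’s wording read literally), the ODAgent session key repeats the XOR over the secret’s length, the 4cx default is applied to .docx drops as well as exfil files, and every sample artifact is constructed.

```python
import base64
import gzip
import json
from itertools import cycle

ODAGENT_KEY = b"15a49w@]"  # hardcoded value reported for ODAgent

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def oilbooster_command(doc_name: str, content: bytes) -> str:
    """<filename>.doc holds JSON {"s": ..., "c": ...}; key = last two chars of
    <filename> followed by last two chars of s (order assumed from the report)."""
    obj = json.loads(content)
    stem = doc_name.rsplit(".", 1)[0]
    key = (stem[-2:] + obj["s"][-2:]).encode()
    return xor(base64.b64decode(obj["c"]), key).decode()

def oilbooster_unpack(remote_name: str, blob: bytes) -> bytes:
    """<filename>.<ext>.docx drops and <filename>.<ext>.xlsx exfil files: XOR with
    ".<ext>" (4cx when there is no inner extension), then gzip decompress."""
    inner = remote_name.rsplit(".", 1)[0]
    key = ("." + inner.rsplit(".", 1)[1]).encode() if "." in inner else b"4cx"
    return gzip.decompress(xor(blob, key))

def odagent_command(content: bytes) -> tuple:
    """JSON with a1 (command ID), a2 (encrypted command), a3 (secret).
    Session key = a3 XOR ODAGENT_KEY (assumed repeating over the secret's length)."""
    obj = json.loads(content)
    session = xor(obj["a3"].encode(), ODAGENT_KEY)
    return obj["a1"], xor(base64.b64decode(obj["a2"]), session).decode()

def odagent_unpack(remote_name: str, blob: bytes) -> tuple:
    """Non-JSON files: XOR with the hardcoded key; a .c suffix means gzip too."""
    plain = xor(blob, ODAGENT_KEY)
    if remote_name.endswith(".c"):
        return remote_name[:-2], gzip.decompress(plain)
    return remote_name, plain

# Constructed samples (not from an incident), built with the same symmetric transforms.
DOC_NAME, DOC = "f3a9.doc", json.dumps(
    {"s": "Kq7z", "c": base64.b64encode(xor(b"hostname", b"a97z")).decode()}).encode()
XLSX_NAME, XLSX = "hosts.txt.xlsx", xor(gzip.compress(b"10.0.0.5 dc01\n"), b".txt")
ODA = json.dumps({"a1": "7", "a3": "Zr8Q", "a2": base64.b64encode(
    xor(b"dly>30", xor(b"Zr8Q", ODAGENT_KEY))).decode()}).encode()
PAYLOAD_NAME, PAYLOAD = "tool.dll.c", xor(gzip.compress(b"MZ\x90\x00"), ODAGENT_KEY)
```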
Conclusion
Throughout 2022, OilRig developed a series of new downloaders, all using a variety of legitimate cloud storage and cloud-based email services as their C&C and exfiltration channels. These downloaders were deployed exclusively against targets in Israel – often against the same targets within several months. As all of these targets were previously affected by other OilRig tools, we conclude that OilRig uses this class of lightweight but effective downloaders as its tool of choice to maintain access to networks of interest.
These downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C&C protocols – except that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts, rather than the victim’s internal infrastructure. All these activities confirm an ongoing shift to legitimate cloud service providers for C&C communication, as a way to conceal the malicious communication and mask the group’s network infrastructure.
On par with the rest of OilRig’s toolset, these downloaders are not particularly sophisticated, and are, again, unnecessarily noisy on the system. However, the continuous development and testing of new variants, the experimenting with various cloud services and different programming languages, and the determination to re-compromise the same targets over and over again, makes OilRig a group to watch out for.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 0F164894DC7D8256B66D0EBAA7AFEDCF5462F881 | CCLibrary.exe | MSIL/OilRig.A | OilRig downloader – SC5k v1. |
| 2236D4DCF68C65A822FF0A2AD48D4DF99761AD07 | acrotray.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| 35E0E78EC35B68D3EE1805EECEEA352C5FE62EB6 | mscom.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| 51B6EC5DE852025F63740826B8EDF1C8D22F9261 | CCLibrary.exe | MSIL/OilRig.A | OilRig downloader – SC5k v1. |
| 6001A008A3D3A0C672E80960387F4B10C0A7BD9B | acrotray.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| 7AD4DCDA1C65ACCC9EF1E168162DE7559D2FDF60 | AdobeCE.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| BA439D2FC3298675F197C8B17B79F34485271498 | AGSService.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| BE9B6ACA8A175DF61F2C75932E029F19789FD7E3 | CCXProcess.exe | MSIL/OilRig.A | OilRig downloader – SC5k v1. |
| C04F874430C261AABD413F27953D30303C382953 | AdobeCE.exe | MSIL/OilRig.A | OilRig downloader – SC5k v1. |
| C225E0B256EDB9A2EA919BACC62F29319DE6CB11 | mscom.exe | MSIL/OilRig.A | OilRig downloader – SC5k v1. |
| E78830384FF14A58DF36303602BC9A2C0334A2A4 | armsvc.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| EA8C3E9F418DCF92412EB01FCDCDC81FDD591BF1 | node.exe | MSIL/OilRig.D | OilRig downloader – SC5k v1. |
| 1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E | consoleapp.exe | Win64/OilBooster.A | OilRig downloader – OilBooster. |
| 3BF19AE7FB24FCE2509623E7E0D03B5A872456D4 | owa.service.exe | MSIL/OilRig.D | OilRig downloader – SC5k v2. |
| AEF3140CD0EE6F49BFCC41F086B7051908B91BDD | owa.service.exe | MSIL/OilRig.D | OilRig downloader – SC5k v2. |
| A56622A6EF926568D0BDD56FEDBFF14BD218AD37 | owa.service.exe | MSIL/OilRig.D | OilRig downloader – SC5k v2. |
| AAE958960657C52B848A7377B170886A34F4AE99 | LinkSync.exe | MSIL/OilRig.F | OilRig downloader – SC5k v3. |
| 8D84D32DF5768B0D4D2AB8B1327C43F17F182001 | AppLoader.exe | MSIL/OilRig.M | OilRig downloader – OilCheck. |
| DDF0B7B509B240AAB6D4AB096284A21D9A3CB910 | CheckUpdate.exe | MSIL/OilRig.M | OilRig downloader – OilCheck. |
| 7E498B3366F54E936CB0AF767BFC3D1F92D80687 | ODAgent.exe | MSIL/OilRig.B | OilRig downloader – ODAgent. |
| A97F4B4519947785F66285B546E13E52661A6E6F | N/A | MSIL/OilRig.N | Helper utility used by OilRig’s OilCheck downloader – CmEx. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 188.114.96[.]2 | host1[.]com | Cloudflare, Inc. | 2017-11-30 | A legitimate, likely compromised website misused by OilRig as a fallback C&C server. |
MITRE ATT&CK techniques
This table was built using version 14 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | | Acquire Infrastructure: Domains | OilRig has registered a domain for use in C&C communications. |
| | | Acquire Infrastructure: Server | OilRig has acquired a server to be used as a backup channel for the OilBooster downloader. |
| | | Acquire Infrastructure: Web Services | OilRig has set up Microsoft Office 365 OneDrive and Outlook accounts, and possibly other Exchange accounts, for use in C&C communications. |
| | | Develop Capabilities: Malware | OilRig has developed a variety of custom downloaders for use in its operations: SC5k versions, OilCheck, ODAgent, and OilBooster. |
| | | Establish Accounts: Cloud Accounts | OilRig operators have created new OneDrive accounts for use in their C&C communications. |
| | | Establish Accounts: Email Accounts | OilRig operators have registered new Outlook, and possibly other, email addresses for use in their C&C communications. |
| | | Stage Capabilities | OilRig operators have staged malicious components and backdoor commands in legitimate Microsoft Office 365 OneDrive and Outlook, and other Microsoft Exchange accounts. |
| Execution | | Command and Scripting Interpreter: Windows Command Shell | SC5k v1 and v2 use cmd.exe to execute commands on the compromised host. |
| | | Native API | OilBooster uses the CreateProcessW API function for execution. |
| Defense Evasion | | Deobfuscate/Decode Files or Information | OilRig’s downloaders use string stacking to obfuscate embedded strings, and the XOR cipher to encrypt backdoor commands and payloads. |
| | | Execution Guardrails | OilRig’s OilBooster requires an arbitrary command line argument to execute the malicious payload. |
| | | Hide Artifacts: Hidden Window | Upon execution, OilBooster hides its console window. |
| | | Indicator Removal: File Deletion | OilRig’s downloaders delete local files after a successful exfiltration, and delete files or email drafts from the remote cloud service account after these have been processed on the compromised system. |
| | | Indirect Command Execution | SC5k v3 and OilCheck use custom command interpreters to execute files and commands on the compromised system. |
| | | Masquerading: Match Legitimate Name or Location | OilBooster mimics legitimate paths. |
| | | Obfuscated Files or Information | OilRig has used various techniques to obfuscate strings and payloads embedded in its downloaders. |
| Discovery | | System Information Discovery | OilRig’s downloaders obtain the compromised computer name. |
| | | System Owner/User Discovery | OilRig’s downloaders obtain the victim’s username. |
| Collection | | Archive Collected Data: Archive via Custom Method | OilRig’s downloaders gzip compress data before exfiltration. |
| | | Data Staged: Local Data Staging | OilRig’s downloaders create central staging directories for use by other OilRig tools and commands. |
| Command and Control | | Data Encoding: Standard Encoding | OilRig’s downloaders base64 decode data before sending it to the C&C server. |
| | | Encrypted Channel: Symmetric Cryptography | OilRig’s downloaders use the XOR cipher to encrypt data in C&C communication. |
| | | Fallback Channels | OilBooster can use a secondary channel to obtain a new refresh token to access the shared OneDrive account. |
| | | Ingress Tool Transfer | OilRig’s downloaders have the capability to download additional files from the C&C server for local execution. |
| | | Web Service: Bidirectional Communication | OilRig’s downloaders use legitimate cloud service providers for C&C communication. |
| Exfiltration | | Automated Exfiltration | OilRig’s downloaders automatically exfiltrate staged files to the C&C server. |
| | | Exfiltration Over C2 Channel | OilRig’s downloaders use their C&C channels for exfiltration. |
| | | Exfiltration Over Web Service: Exfiltration to Cloud Storage | OilBooster and ODAgent exfiltrate data to shared OneDrive accounts. |
| | | Exfiltration Over Web Service | SC5k and OilCheck exfiltrate data to shared Exchange and Outlook accounts. |