OilRig | APT Profile

Description

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)

Techniques Used (TTPs)

T1588.003 — Code Signing Certificates (resource-development)
T1555.004 — Windows Credential Manager (credential-access)
T1082 — System Information Discovery (discovery)
T1003.001 — LSASS Memory (credential-access)
T1008 — Fallback Channels (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1005 — Data from Local System (collection)
T1059.003 — Windows Command Shell (execution)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1505.003 — Web Shell (persistence)
T1587.001 — Malware (resource-development)
T1608.001 — Upload Malware (resource-development)
T1036 — Masquerading (defense-evasion)
T1219 — Remote Access Tools (command-and-control)
T1218.001 — Compiled HTML File (defense-evasion)
T1046 — Network Service Discovery (discovery)
T1087.001 — Local Account (discovery)
T1137.004 — Outlook Home Page (persistence)
T1069.002 — Domain Groups (discovery)
T1113 — Screen Capture (collection)
T1025 — Data from Removable Media (collection)
T1007 — System Service Discovery (discovery)
T1556.002 — Password Filter DLL (credential-access, defense-evasion, persistence)
T1059.001 — PowerShell (execution)
T1070.004 — File Deletion (defense-evasion)
T1588.002 — Tool (resource-development)
T1204.002 — Malicious File (execution)
T1133 — External Remote Services (persistence, initial-access)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1201 — Password Policy Discovery (discovery)
T1586.002 — Email Accounts (resource-development)
T1087.002 — Domain Account (discovery)
T1003.004 — LSA Secrets (credential-access)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1553.002 — Code Signing (defense-evasion)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1110 — Brute Force (credential-access)
T1059.005 — Visual Basic (execution)
T1566.002 — Spearphishing Link (initial-access)
T1112 — Modify Registry (defense-evasion, persistence)
T1120 — Peripheral Device Discovery (discovery)
T1071.004 — DNS (command-and-control)
T1105 — Ingress Tool Transfer (command-and-control)
T1049 — System Network Connections Discovery (discovery)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1195 — Supply Chain Compromise (initial-access)
T1204.001 — Malicious Link (execution)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1562.004 — Disable or Modify System Firewall (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1119 — Automated Collection (collection)
T1583.001 — Domains (resource-development)
T1056.001 — Keylogging (collection, credential-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1566.003 — Spearphishing via Service (initial-access)
T1572 — Protocol Tunneling (command-and-control)
T1047 — Windows Management Instrumentation (execution)
T1021.004 — SSH (lateral-movement)
T1555 — Credentials from Password Stores (credential-access)
T1115 — Clipboard Data (collection)
T1003.005 — Cached Domain Credentials (credential-access)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1069.001 — Local Groups (discovery)
T1552.001 — Credentials In Files (credential-access)
T1057 — Process Discovery (discovery)
T1555.003 — Credentials from Web Browsers (credential-access)
T1016 — System Network Configuration Discovery (discovery)
T1203 — Exploitation for Client Execution (execution)
T1012 — Query Registry (discovery)
T1059 — Command and Scripting Interpreter (execution)
T1497.001 — System Checks (defense-evasion, discovery)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1027.005 — Indicator Removal from Tools (defense-evasion)

Total TTPs: 76

Malware & Tools

Malware: BONDUPDATER, Helminth, ISMInjector, Mango, ODAgent, OilBooster, OilCheck, OopsIE, POWRUNER, PowerExchange, QUADAGENT, RDAT, RGDoor, SEASHARPEE, SampleCheck5000, SideTwist, Solar, ZeroCleare

Tools: LaZagne, Mimikatz, Net, PsExec, Reg, Systeminfo, Tasklist, certutil, ftp, ipconfig, netstat, ngrok

← Return to Home ← Back to APT Search