The prolific APT repeatedly compromised targets in healthcare, manufacturing, and government with new lightweight downloaders that blend into network traffic for evasion.
December 14, 2023 By Elizabeth Montalbano

Prolific Iranian advanced persistent threat (APT) group OilRig repeatedly targeted several Israeli organizations throughout 2022 in cyberattacks notable for a series of custom downloaders that use legitimate Microsoft cloud services for attacker communications and data exfiltration.
In the attacks, OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten) deployed four new downloaders developed in the past year, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, adding them to the group's already large arsenal of custom malware, ESET researchers revealed in a blog post published Dec. 14.
What sets the downloaders apart from other OilRig tools is their use of legitimate cloud services, including Microsoft OneDrive, the Microsoft Graph OneDrive API, the Microsoft Graph Outlook API, and the Microsoft Office Exchange Web Services (EWS) API, for command-and-control (C2) communications and data exfiltration, the researchers said.
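Because the C2 traffic goes to services most organizations already allow, one defender-side check is to ask which processes are talking to the Graph and EWS endpoints rather than whether the traffic exists at all. The following added example (not code from ESET or the article) sweeps constructed proxy log lines and flags Graph OneDrive, Graph Outlook, and EWS requests made by processes outside an assumed allowlist; the host names, URL paths, log format, process names, and allowlist are all assumptions for illustration.

```python
import re
from collections import namedtuple

# Microsoft cloud API endpoints of the kind the article says the downloaders abuse for
# C2 and exfiltration. Host names and path prefixes are assumptions, not reported IoCs.
WATCHED_APIS = {
    "graph.microsoft.com": ("/v1.0/me/drive", "/v1.0/me/messages", "/v1.0/me/mailfolders"),
    "outlook.office365.com": ("/ews/exchange.asmx",),
}
# Processes expected to use these services in this constructed environment (assumed allowlist).
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "msedge.exe", "chrome.exe", "teams.exe"}

# Constructed proxy log format: timestamp host process method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<dst>[^/\s]+)(?P<path>/\S*)?$"
)
Finding = namedtuple("Finding", "ts host process method dst path")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines that do not fit the format

def touches_watched_api(dst, path):
    prefixes = WATCHED_APIS.get(dst.lower())
    return bool(prefixes) and path.lower().startswith(prefixes)

def find_suspicious(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole sweep
        path = rec["path"] or "/"
        if touches_watched_api(rec["dst"], path) and rec["proc"].lower() not in EXPECTED_PROCESSES:
            findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["method"], rec["dst"], path))
    return findings

# Constructed sample log: one legitimate EWS call, one browser request, one garbage line,
# and three Graph calls from unexpected processes (a listing, an upload, a mailbox poll).
SAMPLE_LOG = [
    "2023-12-14T10:01:02Z WS-042 outlook.exe POST https://outlook.office365.com/EWS/Exchange.asmx",
    "2023-12-14T10:01:07Z WS-042 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children",
    "2023-12-14T10:01:09Z WS-042 updater.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/r.dat:/content",
    "2023-12-14T10:02:30Z WS-017 chrome.exe GET https://www.example.com/",
    "2023-12-14T10:03:11Z WS-017 setup_helper.exe GET https://graph.microsoft.com/v1.0/me/messages?$top=1",
    "this line is not in the expected format",
]
```

Running `find_suspicious(SAMPLE_LOG)` returns the three Graph requests from `updater.exe` and `setup_helper.exe`; the legitimate `outlook.exe` EWS call is not reported.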
Attack targets so far have included a healthcare organization, a manufacturing company, a local governmental organization, and several other unidentified organizations, all in Israel and most of them previously targeted by the APT.