OilRig

OilRig is an Iranian threat actor group that has targeted various victims since 2014. Targeted industries have included government, energy, chemical, finance, and banking. In addition, threat researchers have noted that OilRig executes campaigns closely aligned with Iranian government interests. OilRig is also called IRN2, APT34, Helix Kitten, and Cobalt Gypsy.

Threat researchers have generally assessed that OilRig works on behalf of the Iranian government based on targeting that aligns with nation-state interests. In addition, it appears the OilRig group carries out supply chain attacks, leveraging the close relationship between organizations with a common supply chain.

OilRig has recently been known to use a backdoor called RDAT. The RDAT backdoor has evolved to gain new features and capabilities since first used by the OilRig threat actors. While most of us have heard of steganography, very few of us have observed the use of steganography to support recent threat actor campaign activity. Steganography is the cyber threat to hide malicious files within seemingly innocuous file formats, predominantly those associated with bit-mapped images. These images can be attached to an email, and the hidden malicious code is not easily discerned or found by most existing security controls that perform email scanning, etc. In addition to RDAT, OilRig has been observed using customized Mimikatz tools and utilities for gathering credentials. OilRig has also used PowerShell downloaders to assist with the post-exploitation activity.

OilRig is quite proficient in using social media to support early attack activity. OilRig operatives will impersonate members of groups that are likely to gain the trust and goodwill of targeted organizations. Once malicious documents are distributed via social media such as LinkedIn, OilRig’s compromise and associated kill chain unfold rapidly. Once the victim executes the malware, OilRig’s operatives can establish persistence, link up with the command-and-control server, and continue reconnaissance within the targeted organization’s networks.

Finally, OilRig has also been known to use QuadAgent, a PowerShell-based backdoor, against targeted organizations.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.