ESET Researchers Report: OilRig’s Cloud Service-Powered Downloaders
ESET researchers recently analyzed a series of OilRig downloaders that the group used in 2022 to maintain access to target organizations in Israel. Several lightweight downloaders, including SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, were found to use legitimate cloud service APIs for C&C communication and data exfiltration: the Microsoft Graph OneDrive and Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API.
All the downloaders rely on a shared OilRig-operated account, typically shared by multiple victims, to exchange messages with the operators. The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files. The earliest of the series, the SC5k (v1) downloader, was discovered in November 2021 during OilRig's Outer Space campaign. The group continued to develop new variants of the downloaders throughout 2022, targeting Israeli organizations in sectors such as healthcare, manufacturing, and local government.
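Because one operator-controlled account serves several victims, that account's own audit trail is a natural place for defenders to look: many unrelated client addresses both uploading and downloading files through a single drive or mailbox within a short window. The Python below is an added example, not code from ESET or from the report, that runs this check over constructed records modelled on the Office 365 unified audit log common schema (CreationTime, Operation, UserId, ClientIP, Workload); the account name, IPs and thresholds are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (JSON lines), not real telemetry. One account,
# staging@example.test, is used from three different networks in one day.
SAMPLE_LOG = """
{"CreationTime":"2022-05-01T08:00:00","Operation":"FileDownloaded","UserId":"staging@example.test","ClientIP":"203.0.113.10","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T08:05:00","Operation":"FileUploaded","UserId":"staging@example.test","ClientIP":"203.0.113.10","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T09:00:00","Operation":"FileDownloaded","UserId":"staging@example.test","ClientIP":"198.51.100.7","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T09:10:00","Operation":"FileUploaded","UserId":"staging@example.test","ClientIP":"198.51.100.7","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T11:00:00","Operation":"FileDownloaded","UserId":"staging@example.test","ClientIP":"192.0.2.44","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T11:02:00","Operation":"FileUploaded","UserId":"staging@example.test","ClientIP":"192.0.2.44","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T09:30:00","Operation":"FileDownloaded","UserId":"alice@example.test","ClientIP":"203.0.113.10","Workload":"OneDrive"}
{"CreationTime":"2022-05-01T17:30:00","Operation":"FileDownloaded","UserId":"alice@example.test","ClientIP":"203.0.113.11","Workload":"OneDrive"}
"""

# File transfer operations that make up the command pickup / result drop loop.
EXCHANGE_OPS = {"FileUploaded", "FileDownloaded"}


def parse_records(text):
    """Parse JSON-lines audit records; CreationTime becomes a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def flag_shared_accounts(records, min_ips=3, window=timedelta(hours=24)):
    """Return {account: sorted client IPs} for accounts that both upload and
    download files from at least min_ips distinct IPs inside one sliding window."""
    by_account = defaultdict(list)
    for rec in records:
        if rec["Operation"] in EXCHANGE_OPS:
            by_account[rec["UserId"]].append(rec)
    flagged = {}
    for account, events in by_account.items():
        events.sort(key=lambda r: r["CreationTime"])
        for i, start in enumerate(events):  # slide the window over each start event
            span = [e for e in events[i:] if e["CreationTime"] - start["CreationTime"] <= window]
            ips = {e["ClientIP"] for e in span}
            if len(ips) >= min_ips and {e["Operation"] for e in span} == EXCHANGE_OPS:
                flagged[account] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for account, ips in flag_shared_accounts(parse_records(SAMPLE_LOG)).items():
        print(f"{account}: file exchange from {len(ips)} client IPs -> {ips}")
```

Thresholds should be tuned per tenant; a legitimately shared team drive will also show several client addresses, so the alert is a starting point for triage rather than a verdict.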
OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is believed to be based in Iran and has been active since at least 2014. The group has targeted Middle Eastern governments and various business verticals, including chemical, energy, financial, and telecommunications. The group has been behind several cyberespionage campaigns, including DNSpionage, HardPass, DanBot, and more recently, Solar and Mango.
OilRig’s cloud service-powered downloaders have been deployed against a limited number of Israeli organizations, persistently targeting victims previously affected by other OilRig tools. These downloaders blend into regular network traffic due to their use of Office 365 resources, making it easier for attackers to maintain a foothold in the compromised networks.
For a more in-depth technical analysis of the downloaders and how they interact with cloud-based services, please refer to the ESET Threat Report for T3 2021 and our LABScon 2023 presentation.