OilRig is a threat group with suspected Iranian origins that targets the Middle East and international victims. A recent report by Palo Alto describes a new set of tools and tactics that the OilRig campaign has adopted. The attack is classified as nation-state sponsored, and the group is also known as APT34 or Helix Kitten. The PowerShell backdoor has been named QUADAGENT; it is one of the many custom-built tools that the OilRig campaign uses. The threat actors are reported to use an open-source toolkit to achieve obfuscation. The mode of attack, spear-phishing with a malicious macro-enabled document, remains the same as in the previous attacks. This campaign used a document named "ThreeDollars" to deliver the payload embedded in the phishing mail. The indicators of compromise for this OilRig campaign are listed below.
Indicators of Compromise
SHA-256 Hashes
QUADAGENT
d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520
d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63
THREEDOLLARS
1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc
Malicious Domains
• rdppath[.]com
• cpuproc[.]com
• acrobatverify[.]com
Malicious Filenames
• Office365DCOMCheck.ps1
• Office365DCOMCheck.vbs
• SystemDiskClean.ps1
• SystemDiskClean.vbs
• AdobeAcrobatLicenseVerify.ps1
• C:\Users\<username>\AppData\Roaming\Out.jpg
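The indicators above applied to telemetry, as an added example that is not part of the original advisory or of the Palo Alto report: the script refangs the published domains (the `[.]` convention used in the list), matches subdomains of them, compares hashes case-insensitively, and treats `Out.jpg` as an indicator only at its published location under `AppData\Roaming`, since the bare name is too common to alert on. The DNS, process and file log lines are constructed for the demonstration and their format is an assumption; only the hash, domain and filename values come from the page.

```python
"""
Added example, not from the original advisory: match the IOCs listed on the
page against telemetry. Every log line below is constructed for this demo;
only the hash, domain and filename values come from the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- IOCs from the page ----------------------------------------------------
IOC_SHA256 = {
    "d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520": "QUADAGENT",
    "d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de": "QUADAGENT",
    "5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63": "QUADAGENT",
    "1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c": "THREEDOLLARS",
    "119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc": "THREEDOLLARS",
}
# Domains are kept defanged exactly as published and refanged at load time.
IOC_DOMAINS_DEFANGED = ["rdppath[.]com", "cpuproc[.]com", "acrobatverify[.]com"]
# Path suffixes: the dropped scripts match on bare filename; Out.jpg is only
# an indicator at its published location under AppData\Roaming, so that
# suffix keeps the directory part (the <username> component is not needed).
IOC_PATH_SUFFIXES = [
    "Office365DCOMCheck.ps1",
    "Office365DCOMCheck.vbs",
    "SystemDiskClean.ps1",
    "SystemDiskClean.vbs",
    "AdobeAcrobatLicenseVerify.ps1",
    "AppData/Roaming/Out.jpg",
]


def refang(indicator: str) -> str:
    """Convert a defanged domain such as rdppath[.]com into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def normalize_path(token: str) -> str:
    """Lower-case a path and unify separators so Windows and POSIX paths compare alike."""
    return token.replace("\\", "/").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_SUFFIXES = [normalize_path(s) for s in IOC_PATH_SUFFIXES]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    kind: str       # "hash", "domain" or "path"
    indicator: str  # the value in the telemetry that fired
    label: str      # malware family or IOC list the indicator belongs to
    evidence: str   # the telemetry line that contained it


def match_line(line: str) -> list[Hit]:
    """Return every IOC hit found in one telemetry line."""
    hits: list[Hit] = []
    for h in SHA256_RE.findall(line):
        family = IOC_SHA256.get(h.lower())
        if family:
            hits.append(Hit("hash", h.lower(), family, line))
    for host in HOST_RE.findall(line):
        host = host.lower()
        # match the listed domain and any host beneath it
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(Hit("domain", host, "Malicious Domains", line))
    for token in line.split():
        value = token.split("=", 1)[-1]      # drop a key= prefix such as path=
        norm = normalize_path(value)
        if any(norm == s or norm.endswith("/" + s) for s in IOC_SUFFIXES):
            hits.append(Hit("path", value, "Malicious Filenames", line))
    return hits


def scan(lines: list[str]) -> list[Hit]:
    """Run match_line over a batch of telemetry lines."""
    return [hit for line in lines for hit in match_line(line)]


# Constructed sample telemetry (DNS, process and file events); not real data.
SAMPLE_TELEMETRY = [
    "2018-07-25T10:01:02Z dns client=10.0.0.15 query=rdppath.com type=A",
    "2018-07-25T10:01:05Z dns client=10.0.0.15 query=update.microsoft.com type=A",
    r"2018-07-25T10:02:10Z proc user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -File C:\Users\alice\AppData\Roaming\Office365DCOMCheck.ps1",
    r"2018-07-25T10:02:11Z file user=alice path=C:\Users\alice\AppData\Roaming\Out.jpg sha256=d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de",
    r"2018-07-25T10:03:00Z file user=bob path=C:\Users\bob\Pictures\Out.jpg sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2018-07-25T10:04:00Z dns client=10.0.0.22 query=mail.cpuproc.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TELEMETRY):
        print(f"{hit.kind:6} {hit.label:18} {hit.indicator}")
```

Run as-is it reports five hits: the rdppath.com lookup, the Office365DCOMCheck.ps1 launch, the QUADAGENT hash and the AppData\Roaming\Out.jpg path from the same file event, and the mail.cpuproc.com subdomain lookup; the Out.jpg under Pictures is deliberately not flagged. Hash and domain matching here is exact-list lookup, so this is a triage aid for the published indicators, not a substitute for behavioural detection of the PowerShell and VBS droppers.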
References
[1] OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
[2] OilRig hacker group targets the Middle East with the QUADAGENT backdoor malware
[3] About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
https://support.apple.com/en-us/HT208937
[4] OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan