Threat Intelligence
3/21/2017
10:00 AM
James Carder
James Carder
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Report: OilRig' Attacks Expanding Across Industries, Geographies

Malware targets Middle Eastern airlines, government, financial industries and critical infrastructure with a simple but powerful backdoor created by infected Excel files attached to phishing emails.

New research released by LogRhythm Labs offers details behind the malware campaign commonly referred to as “OilRig,” including the tools, techniques, and procedures (TTPs) used to compromise security operations centers of government, financial, airline and critical infrastructure entities located primarily in the Mideast.

Unlike earlier threat intelligence reports, which addressed only a few indicators of compromise by OilRig, this new research specifies the full front-end infrastructure of the campaign, including malware associated with initial compromise (stage 1 droppers) and a significant number of indicators that have yet to be made publicly available.  

Cyberattacks attributed to OilRig first surfaced in late 2015. Since then, the threat intelligence community identified two periods of high activity following the initial attack: in May and October 2016.

All known samples from these efforts used infected Excel files attached to phishing emails to infect victims, such as the phishing email — shown below — that appeared to be sent to an organization within the Turkish government. Once infected, the victim machine can be controlled by the attacker to perform basic remote-access Trojan-like tasks, including command execution and file upload and download.

Spear Phishing Example (Source: LogRhythm Labs)
Spear Phishing Example (Source: LogRhythm Labs)

Moving Targets
Early attacks focused on Middle Eastern banks, government entities and critical infrastructure entities. However, targets have expanded both geographically and by industry over time. For example, the October 2016 attacks targeted companies in the U.S., as well government organizations, companies and government-owned companies in Saudi Arabia, United Arab Emirates, Qatar, Turkey and Israel. OilRig also expanded its aim to include a number of Middle Eastern airlines.

History suggests this attacker is most interested in espionage, rather than other malicious activities such as theft of intellectual property. However, it is also likely that the attacker will continue to expand to other industries. 

Malware Submission by Country
The origin of the malware submissions, obtained through analysis of threat intelligence data, revealed both targeted countries and those countries that are likely performing analysis on this campaign group. For example, Saudi Arabia — with 22 unique submissions — likely contains the majority of targeted organizations by this actor group. Separately, representation from Great Britain and the United States, with 11 and 9 different submissions of malware respectively, likely reflects their analysis on this campaign rather than being direct targets.

Other countries of note include United Arab Emirates, Qatar, Israel, Turkey, and Azerbaijan. While the report doesn’t fully confirm that this actor group attacked organizations from each of these countries, there are several indicators that support this conclusion. Filenames such as "TurkishAirline_Offers.xls" and "Israel Airlines.xls" make a strong correlation that these organizations were targets at one point.

Malware Submission Analysis
The LogRhythm Labs team identified 23 unique, weaponized, Microsoft Excel files that contained OilRig malware. Based on the filenames used, their country of origin, when they were identified, and the command and control method, it was determined that nearly all samples fell into one of four groups. A representative sample from each of these groups was analyzed, in detail, in the report.

When the weaponized documents are executed, most malware samples use VisualBasic for application payload to infect a system with PowerShell (.ps1) and VisualBasic scripts. The malware achieves persistence by Microsoft Scheduled Tasks, and its capabilities include very basic command execution, file upload and file download capability.

Communication Analysis
Command and control mechanisms exist for both HTTP as well as a stealthier DNS-based C2 and data infiltration/exfiltration mechanisms. The malware uses a customized UDP packet or DNS record query and response pattern for command and control and includes basic upload, download, and arbitrary command execution functionality. LogRhythm Labs’ full report outlines analysis of the methodology, and includes detection and remediation details.  

While not overly sophisticated, OilRig attacks are highly effective. The attacker has created a simple, powerful backdoor using infected Excel files laced with malicious VBA, VBS, and PowerShell code. To date, the attacker has primarily used Excel files attached to spear phishing emails for malicious payload delivery. However, this attack could be easily incorporated into many different file formats that could also be attached to phishing emails.

Despite the fact that only a few industries have been targeted by this campaign, this code is widely known, which means other threat actors could incorporate it into their own campaigns and target different countries or industries. Given this, it would be wise for security analysts to guard against similar attacks regardless of their industry or location. 

Related Content:

 

James Carder brings more than 20 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company's security governance model and risk strategies, protects the confidentiality, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.