Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/21/2017
10:00 AM
James Carder
James Carder
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Report: ‘OilRig' Attacks Expanding Across Industries, Geographies

Malware targets Middle Eastern airlines, government, financial industries and critical infrastructure with a simple but powerful backdoor created by infected Excel files attached to phishing emails.

New research released by LogRhythm Labs offers details behind the malware campaign commonly referred to as “OilRig,” including the tools, techniques, and procedures (TTPs) used to compromise security operations centers of government, financial, airline and critical infrastructure entities located primarily in the Mideast.

Unlike earlier threat intelligence reports, which addressed only a few indicators of compromise by OilRig, this new research specifies the full front-end infrastructure of the campaign, including malware associated with initial compromise (stage 1 droppers) and a significant number of indicators that have yet to be made publicly available.  

Cyberattacks attributed to OilRig first surfaced in late 2015. Since then, the threat intelligence community identified two periods of high activity following the initial attack: in May and October 2016.

All known samples from these efforts used infected Excel files attached to phishing emails to infect victims, such as the phishing email — shown below — that appeared to be sent to an organization within the Turkish government. Once infected, the victim machine can be controlled by the attacker to perform basic remote-access Trojan-like tasks, including command execution and file upload and download.

Spear Phishing Example (Source: LogRhythm Labs)
Spear Phishing Example (Source: LogRhythm Labs)

Moving Targets
Early attacks focused on Middle Eastern banks, government entities and critical infrastructure entities. However, targets have expanded both geographically and by industry over time. For example, the October 2016 attacks targeted companies in the U.S., as well government organizations, companies and government-owned companies in Saudi Arabia, United Arab Emirates, Qatar, Turkey and Israel. OilRig also expanded its aim to include a number of Middle Eastern airlines.

History suggests this attacker is most interested in espionage, rather than other malicious activities such as theft of intellectual property. However, it is also likely that the attacker will continue to expand to other industries. 

Malware Submission by Country
The origin of the malware submissions, obtained through analysis of threat intelligence data, revealed both targeted countries and those countries that are likely performing analysis on this campaign group. For example, Saudi Arabia — with 22 unique submissions — likely contains the majority of targeted organizations by this actor group. Separately, representation from Great Britain and the United States, with 11 and 9 different submissions of malware respectively, likely reflects their analysis on this campaign rather than being direct targets.

Other countries of note include United Arab Emirates, Qatar, Israel, Turkey, and Azerbaijan. While the report doesn’t fully confirm that this actor group attacked organizations from each of these countries, there are several indicators that support this conclusion. Filenames such as "TurkishAirline_Offers.xls" and "Israel Airlines.xls" make a strong correlation that these organizations were targets at one point.

Malware Submission Analysis
The LogRhythm Labs team identified 23 unique, weaponized, Microsoft Excel files that contained OilRig malware. Based on the filenames used, their country of origin, when they were identified, and the command and control method, it was determined that nearly all samples fell into one of four groups. A representative sample from each of these groups was analyzed, in detail, in the report.

When the weaponized documents are executed, most malware samples use VisualBasic for application payload to infect a system with PowerShell (.ps1) and VisualBasic scripts. The malware achieves persistence by Microsoft Scheduled Tasks, and its capabilities include very basic command execution, file upload and file download capability.

Communication Analysis
Command and control mechanisms exist for both HTTP as well as a stealthier DNS-based C2 and data infiltration/exfiltration mechanisms. The malware uses a customized UDP packet or DNS record query and response pattern for command and control and includes basic upload, download, and arbitrary command execution functionality. LogRhythm Labs’ full report outlines analysis of the methodology, and includes detection and remediation details.  

While not overly sophisticated, OilRig attacks are highly effective. The attacker has created a simple, powerful backdoor using infected Excel files laced with malicious VBA, VBS, and PowerShell code. To date, the attacker has primarily used Excel files attached to spear phishing emails for malicious payload delivery. However, this attack could be easily incorporated into many different file formats that could also be attached to phishing emails.

Despite the fact that only a few industries have been targeted by this campaign, this code is widely known, which means other threat actors could incorporate it into their own campaigns and target different countries or industries. Given this, it would be wise for security analysts to guard against similar attacks regardless of their industry or location. 

Related Content:

 

James Carder is the CISO and VP of Labs for LogRhythm and an IDSA Customer Advisory Board Member. He brings more than 22 years of experience working in corporate security and consulting for the Fortune 500 and US government. At LogRhythm, he oversees the company's governance, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.