December 14, 2023 at 11:28AM
Iranian APT group OilRig targeted Israeli organizations throughout 2022 with cyberattacks that relied on custom downloaders. These downloaders used legitimate Microsoft cloud services for command-and-control communication and data exfiltration. ESET researchers warned that OilRig's continuous development of new variants makes it a formidable threat; the group specializes in cyber espionage, primarily in the Middle East.
Key takeaways from the report:
1. OilRig, also known as APT34, has been targeting Israeli organizations with cyberattacks in 2022. They have used custom downloaders that leverage legitimate Microsoft cloud services for communications and data exfiltration.
2. The group has deployed four specific new downloaders called SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, adding to their already large arsenal of custom malware.
3. The downloaders utilize various legitimate cloud services such as Microsoft OneDrive, Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API for command-and-control communication and data exfiltration.
4. OilRig primarily operates in the Middle East and has targeted organizations in industries including chemical, energy, financial, and telecommunications.
5. OilRig has been persistent in targeting the same organizations and has been determined to maintain its presence in compromised networks.
6. The downloaders have different functionalities and are written in C++/.NET, with some using shared email or cloud storage accounts to exchange messages with the operators.
7. ESET has published indicators of compromise (IoCs) and a MITRE ATT&CK mapping of the activity to help potential targets spot compromises from this latest string of attacks.
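Because these downloaders ride on services that are legitimately used on almost every managed Windows desktop, blocking the destinations is rarely an option; the more useful defender-side signal is which process on the endpoint is making the requests, and whether those requests arrive on a fixed schedule. The following hunt script is an added example, not code from ESET or from the report, and it does not reproduce any OilRig component. The telemetry schema (key="value" records with `ts`, `host`, `image`, `dst`, `path`), the sample log lines, the allowlist of expected image paths, and the endpoint hostnames in `WATCHED_HOSTS` are all constructed assumptions for illustration; tune them to your own environment and logging product.

```python
"""Flag unexpected processes talking to Microsoft cloud APIs and check
whether their requests arrive on a fixed schedule (a beaconing hint).
Log schema, sample lines, allowlist and hostnames are constructed for
this example; they are not from the ESET report."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Hypothetical key="value" telemetry export; field names are an assumption.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Endpoints behind the services the report names as C2/exfil transports
# (assumed hostnames, not taken from the report).
WATCHED_HOSTS = {
    "graph.microsoft.com",     # Microsoft Graph OneDrive and Outlook APIs
    "outlook.office365.com",   # Exchange Web Services (EWS)
    "api.onedrive.com",        # OneDrive API
}

# Image paths that legitimately use those services on a managed desktop.
# Lower-case fnmatch patterns; a starting point to tune, not a verdict.
EXPECTED_IMAGES = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\users\*\appdata\local\microsoft\onedrive\onedrive.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample telemetry (not real logs). WS01 shows a binary in a
# user's Temp folder hitting EWS every 5 minutes; WS02 shows one request
# from a Downloads folder; everything else is expected traffic.
SAMPLE_LOG = r'''
ts="2023-12-14T09:00:01Z" host="WS01" image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" dst="outlook.office365.com" path="/EWS/Exchange.asmx"
ts="2023-12-14T09:00:05Z" host="WS01" image="C:\Users\alice\AppData\Local\Temp\svchost.exe" dst="outlook.office365.com" path="/EWS/Exchange.asmx"
ts="2023-12-14T09:05:05Z" host="WS01" image="C:\Users\alice\AppData\Local\Temp\svchost.exe" dst="outlook.office365.com" path="/EWS/Exchange.asmx"
ts="2023-12-14T09:10:05Z" host="WS01" image="C:\Users\alice\AppData\Local\Temp\svchost.exe" dst="outlook.office365.com" path="/EWS/Exchange.asmx"
ts="2023-12-14T09:10:40Z" host="WS02" image="C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" dst="graph.microsoft.com" path="/v1.0/me/drive/root/children"
ts="2023-12-14T09:11:00Z" host="WS02" image="C:\Users\bob\Downloads\update.exe" dst="graph.microsoft.com" path="/v1.0/me/drive/root/children"
ts="2023-12-14T09:11:30Z" host="WS03" image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" dst="www.example.com" path="/"
'''


def parse_line(line):
    """Return a dict of fields for one record, or None for blank/garbage lines."""
    fields = dict(FIELD_RE.findall(line))
    if not {"ts", "host", "image", "dst"}.issubset(fields):
        return None
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_expected(image):
    """True when the process image is one we expect to reach these APIs."""
    return any(fnmatchcase(image.lower(), pat) for pat in EXPECTED_IMAGES)


def is_regular(intervals, tolerance=0.10):
    """True when every gap is within +/- tolerance of the median gap (needs >= 2 gaps)."""
    if len(intervals) < 2:
        return False
    med = statistics.median(intervals)
    return all(abs(gap - med) <= tolerance * med for gap in intervals)


def hunt(log_text):
    """Group watched-host requests from unexpected images by (host, image).

    Returns {(host, image): {"count": n, "intervals": [seconds, ...], "regular": bool}}.
    """
    seen = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in WATCHED_HOSTS or is_expected(rec["image"]):
            continue
        seen[(rec["host"], rec["image"])].append(rec["ts"])
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps), "intervals": gaps, "regular": is_regular(gaps)}
    return report


if __name__ == "__main__":
    for (host, image), info in hunt(SAMPLE_LOG).items():
        tag = "REGULAR BEACON" if info["regular"] else "one-off/irregular"
        print(f"{host}: {image} -> {info['count']} request(s), {tag}")
```

On the constructed sample the script surfaces two findings: the Temp-folder binary on WS01 reaching EWS on a strict five-minute cadence, and the single Downloads-folder request on WS02. The allowlist deliberately keys on the full image path rather than the file name, since a file merely named `svchost.exe` or `OneDrive.exe` outside its normal install location is exactly the case to catch; the cadence check is only a hint and should be read alongside the process's signature status and parent, which this toy schema does not carry.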