OilRig APT Significantly Evolves in Latest Critical Infrastructure Attacks

OilRig APT Significantly Evolves in Latest Critical Infrastructure Attacks

OilRig APT attacks are back, using a significantly more advanced malware toolkit than has been seen in the wild to date.

An Iran-linked APT group has been using OilRig to compromise critical infrastructure, banks, airlines and government entities since 2015 in a range of countries, including Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. According to fresh analysis by Nyotron, the latest spate of attacks has been focused on a number of organizations across the Middle East and shows that the OilRig group has significantly evolved its tactics, techniques and procedures to include next-generation malware tools and new data exfiltration methods.

Some of the new tools are off-the-shelf, dual-purpose utilities, but others are previously unseen malware using Google Drive and SmartFile, as well as internet server API (ISAPI) filters for compromising Microsoft Internet Information Services (IIS) servers.

Nyotron said that for one, the group has built a sophisticated remote access Trojan (RAT) that uses Google Drive for command-and-control (C&C) purposes. It supports a variety of configuration settings, uses encryption and registers as a service: The malware simply retrieves commands from the attacker’s account on Google Drive and exfiltrates files to it.

Worryingly, at the time of the research, this RAT was not detectable by any antivirus engine that is part of VirusTotal.

The attackers also used a crafted RAT that leverages the public APIs of SmartFile.com, a file-sharing and transfer solution, as a C&C. This allows attackers to upload and download files to and from infected machines, as well as to run ad-hoc commands. At the time of the research, this tool generated just 1 out of 68 VirusTotal detections.

As for the ISAPI filters, the group is using them to extend the functionality of IIS servers. An ISAPI filter provides a more covert way to execute commands on a previously compromised machine versus using a web page, allowing the attacker to execute commands by accessing any path on the server. This approach is unique, and the researchers said it avoids detection by most, if not all, security products.

Nyotron said that it believes this is the first time the OilRig group has used ISAPI filters.

These three are the tip of the iceberg, researchers said: In total, the attackers are using about 20 different new tools.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks,” said Nir Gaist, founder and CTO of Nyotron. “This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in-depth approach to safeguard against malware adopting next-generation tools and techniques.”

Source: Information Security Magazine