OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Windows, macOS, Linux | initial-access | Spearphishing via Service | OilRig has used LinkedIn to send spearphishing links. | SSL/TLS inspection, Anti-virus, Web proxy |
| Linux, macOS, Windows | command-and-control | Commonly Used Port | OilRig has used port 80 to call back to the C2 server. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
| Linux, macOS, Windows, AWS, GCP, Azure | credential-access | Credentials in Files | OilRig has used tools named VALUEVAULT and PICKPOCKET to dump passwords from web browsers. | File monitoring, Process command-line parameters |
| Linux, Windows, macOS, AWS, GCP, Azure | discovery | Network Service Scanning | OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. | Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network |
| Windows | persistence, initial-access | External Remote Services | OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. | Authentication logs |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Linux, macOS, Windows | collection | Screen Capture | OilRig has a tool called CANDYKING to capture a screenshot of user's desktop. | API monitoring, Process monitoring, File monitoring |
| Windows, macOS, Linux, Office 365, SaaS | initial-access | Spearphishing Link | OilRig has sent spearphising emails with malicious links to potential victims. | Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | OilRig can download remote files onto victims. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Windows | execution | Windows Management Instrumentation | OilRig has used WMI for execution. | Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters |
| Windows | execution, persistence, privilege-escalation | Scheduled Task | OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | collection, credential-access | Input Capture | OilRig has used keylogging tools called KEYPUNCH and LONGWATCH. | |
| Windows Registry, Kernel drivers, Process monitoring, API monitoring | ||||
| Linux, macOS, Windows, Office 365, Azure AD, SaaS | credential-access | Brute Force | OilRig has used brute force techniques to obtain credentials. | Office 365 account logs, Authentication logs |
| Linux, Windows, macOS | execution | User Execution | OilRig has delivered malicious links and macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system. | Anti-virus, Process command-line parameters, Process monitoring |
| Linux, macOS, Windows | command-and-control | Standard Cryptographic Protocol | OilRig used the Plink utility and other tools to create tunnels to C2 servers. | Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection |
| Windows | defense-evasion, execution | Compiled HTML File | OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. | File monitoring, Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | discovery | Password Policy Discovery | OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain. |
Process command-line parameters, Process monitoring |
| Linux, macOS, Windows | discovery | Process Discovery | OilRig has run tasklist on a victim's machine. |
Process monitoring, Process command-line parameters |
| Windows | execution | PowerShell | OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Custom Command and Control Protocol | OilRig has used custom DNS Tunneling protocols for C2. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring, Host network interface, Network intrusion detection system, Network protocol analysis |
| Windows | defense-evasion | Deobfuscate/Decode Files or Information | A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | lateral-movement | Remote Services | OilRig has used Putty to access compromised systems. | Authentication logs |
| Linux, Windows, macOS | command-and-control | Fallback Channels | OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. | Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network |
| Linux, macOS, Windows, AWS, GCP, Azure, Office 365, SaaS, Azure AD | defense-evasion, persistence | Redundant Access | OilRig has used RGDoor via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access. | Office 365 account logs, Azure activity logs, AWS CloudTrail logs, Stackdriver logs, Process monitoring, Process use of network, Packet capture, Network protocol analysis, File monitoring, Authentication logs, Binary file metadata |
| Linux, macOS, Windows, Office 365, Azure AD | discovery | Permission Groups Discovery | OilRig has used net group /domain, net localgroup administrators, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find group permission settings on a victim. |
Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | OilRig has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as QUADAGENT and OopsIE. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | OilRig has run hostname and systeminfo on a victim. |
Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | collection | Automated Collection | OilRig has used automated collection. | File monitoring, Data loss prevention, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion | File Deletion | OilRig has deleted files associated with their payload after execution. | File monitoring, Process command-line parameters, Binary file metadata |
| Linux, macOS, Windows | discovery | System Network Configuration Discovery | OilRig has run ipconfig /all on a victim. |
Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | OilRig has used HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Linux, macOS, Windows | discovery | System Owner/User Discovery | OilRig has run whoami on a victim. |
File monitoring, Process monitoring, Process command-line parameters |
| Windows | discovery | Query Registry | OilRig has used reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” on a victim to query the Registry. |
Windows Registry, Process monitoring, Process command-line parameters |
| Windows | lateral-movement | Remote Desktop Protocol | OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. | Authentication logs, Netflow/Enclave netflow, Process monitoring |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Network Connections Discovery | OilRig has used netstat -an on a victim to get a listing of network connections. |
Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | execution | Command-Line Interface | OilRig has used the command-line interface for execution. | Process monitoring, Process command-line parameters |
| Windows | discovery | System Service Discovery | OilRig has used sc query on a victim to gather information about services. |
Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | credential-access | Credential Dumping | OilRig has used credential dumping tools such as Mimikatz and LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | OilRig has used compromised credentials to access other systems on a victim network. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |
| Linux, macOS, Windows, Office 365, Azure AD | discovery | Account Discovery | OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim. |
Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | exfiltration | Exfiltration Over Alternative Protocol | OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS. | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | OilRig has encrypted and encoded data in its malware, including by using base64. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
| Linux, Windows, macOS | persistence, privilege-escalation | Web Shell | OilRig has used Web shells, often to maintain access to a victim network. | Anti-virus, Authentication logs, File monitoring, Netflow/Enclave netflow, Process monitoring |
| Linux, macOS, Windows | defense-evasion | Indicator Removal from Tools | OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion. | Process use of network, Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata |