OilRig, also known as Helix Kitten or APT34, is an APT organisation primarily active in the Middle East. The organisation is believed to have been established in 2015 and has received support from the Iranian government. The organisation has created a fake VPN portal for the dissemination of legitimate digitally signed malware targeting Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait, Qatar, the United States and Turkey. Government agencies, financial institutions, and technology companies.
Researchers at Palo Alto Networks’ threat intelligence team Unit 42 said on Wednesday that they observed two attacks by the organisation between May and June this year. The attack pretends to be from a government agency in the Middle East, but Unit 42 researchers say it is a common strategy used by the organisation to use government agencies as a launching platform for real attacks using stolen credentials and hijacked accounts.
The goals of the two latest attacks include a technology service provider and another government entity, both of which located in the same nation state. OilRig used a PowerShell backdoor called QUADAGENT in the attack, which was also identified by OilSky Cyber Security and FireEye as a tool for OilRig.
Unit 42 said that using script-based backdoors is a standard technique used by the OilRig organisation, but packaging these scripts into portable executable (PE) files is not a strategy that is often used by the organisation.
Unit 42 found two QUADAGENT PE files that were slightly different from each other in these two activities. One of them is a dropper based on the Microsoft .NET Framework, and it also opens a bait dialogue, and another sample is a PE file generated by the bat2exe tool. The back door of the QUADAGENT that was eventually implanted on the infected device was almost identical, the only difference being the command and control (C2) server and random confusion.
Also, Unit 42 also found the third package of the third QUADAGENT backdoor mentioned in the ClearSky Cyber Security report. For this template, the OilRig organisation used a bait document containing malicious macros to deliver the backdoor, which is the organisation’s more common strategy.
To circumvent security detection and as a counter-analysis strategy, the OilRig organisation abused an open source tool called Invoke-Obfuscation to confuse the QUADAGENT code. Invoke-Obfuscation is available for free through the Github repository and provides a variety of obfuscation techniques.
Unit 42 said that OilRig is still a hacker organisation that is mainly active in the Middle East and poses a severe threat to national security in the region. Not only that, but the organisation seems to continue to grow and develop. In the observation of Unit 42, OilRig has deployed some more advanced hacking tools. These hacking tools are usually variants of the tools used by OilRig. Although these tools have changed over time, they still maintain an absolute continuity in the form of attacks during each monitoring cycle.