C&C in the Clouds: OilRig Group Hijacks Microsoft Services for Espionage

According to a recent report by the cybersecurity firm ESET, the Iranian government-sponsored group OilRig deployed three distinct malicious software loaders in 2022 to maintain persistent access to organizations in Israel.

The deployed tools were named ODAgent, OilCheck, and OilBooster. Additionally, the group utilized an updated version of its loader, dubbed SampleCheck5000 (SC5k). These loaders are notable for their use of Microsoft cloud services for Command and Control (C2) server communication and data transmission, including the Microsoft Graph API for OneDrive and Outlook, as well as the Microsoft Exchange Web Services (EWS) API. This tactic effectively conceals the malefactor’s infrastructure by masquerading it as regular network traffic.

Overview of OilBooster’s C&C communication protocol using a shared OneDrive account | Image: ESET

The targets of these attacks include organizations in healthcare, a manufacturing company, and a local government entity, all previously targeted by OilRig. Details about how these targets were compromised remain unclear, as is whether the attackers maintained their network presence to deploy loaders at various points throughout 2022.

• ODAgent is a C#/.NET loader utilizing the Microsoft OneDrive API for C2 server communication, allowing the attacker to upload and execute payloads and delete intermediary files.
• OilBooster, similar to ODAgent, employs the Microsoft OneDrive API as a C2 server. It also uses the Microsoft Graph API to connect to a Microsoft Office 365 account, allowing interaction with the attacker’s OneDrive account to receive commands and payloads from victim-specific folders.
• SampleCheck5000 interacts with a shared Microsoft Exchange mail account, using the Office Exchange Web Services API to download and execute additional OilRig tools.
• OilCheck employs the SampleCheck5000 technique to extract commands from draft messages but uses the Microsoft Graph API for network communications instead of EWS.

The tools also resemble the PowerExchange group’s backdoor in using email for data transmission, although, in PowerExchange’s case, data is sent to the attacker’s email address using the victim organization’s mail server.

In each instance, the loaders utilize a shared account (email or cloud storage) controlled by OilRig for communication with OilRig operators, where the same account is typically used by multiple victims. The loaders access this account to download commands and additional payloads and to send command results and prepared files.