ESET Research: Iran-aligned OilRig group deployed new malware to its Israeli victims, collecting credentials

  • ESET Research analyzed two OilRig campaigns that occurred throughout 2021 (Outer Space) and 2022 (Juicy Mix) by this Iran-aligned APT group.
  • The operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites for use in OilRig’s Command & Control (C&C) communications.
  • They used a new, previously undocumented backdoor in each campaign: Solar in Outer Space, then its successor Mango in Juicy Mix.
  • A variety of post-compromise tools were deployed in both campaigns. They were used to collect sensitive information from major browsers and the Windows Credential Manager.

BRATISLAVA, MONTREAL — September 21, 2023 — ESET researchers have analyzed two campaigns by the Iran-aligned OilRig APT group: Outer Space from 2021, and Juicy Mix from 2022. Both of these cyberespionage campaigns targeted Israeli organizations exclusively, which is in line with the group’s focus on the Middle East, and both used the same playbook: OilRig first compromised a legitimate website to use as a C&C server and then delivered previously undocumented backdoors to its victims, while also deploying a variety of post-compromise tools mostly used for data exfiltration from the target systems. Specifically, these tools were used to collect credentials from Windows Credential Manager, and credentials, cookies and browsing history from major browsers.

In their Outer Space campaign, OilRig used a simple, previously undocumented C#/.NET backdoor ESET Research has named Solar, along with a new downloader, SampleCheck5000 (or SC5k), that uses the Microsoft Office Exchange Web Services API for C&C communication. For the Juicy Mix campaign, the threat actors improved on Solar to create the Mango backdoor, which possesses additional capabilities and obfuscation methods. Both backdoors were deployed by VBS droppers, presumably spread via spearphishing emails. In addition to detecting the malicious toolset, ESET has also notified the Israeli CERT about the compromised websites.

ESET named the Solar backdoor based on the use of an astronomy-based naming scheme in its function names and tasks; we named Mango, another new backdoor, based on its internal assembly name and its filename.

The Solar backdoor possesses basic functionalities and can be used, among other things, to download and execute files, and to automatically exfiltrate staged files. An Israeli human resources company’s web server, which OilRig compromised at some point prior to deploying Solar, was used as the C&C server.

For its Juicy Mix campaign, OilRig switched from the Solar backdoor to Mango. It has a similar workflow to Solar and overlapping capabilities, with some notable technical changes. ESET identified an unused detection evasion technique within Mango. “This technique’s goal is to block endpoint security solutions from loading their user-mode code hooks via a DLL in this process. While the parameter was not used in the sample we analyzed, it could be activated in future versions,” says ESET researcher Zuzana Hromcová, who co-analyzed the two campaigns of OilRig.

OilRig, also known as APT34, Lyceum, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of verticals, including chemical, energy, financial and telecommunications.

For more technical information about OilRig and its Outer Space and Juicy Mix campaigns, check out the blogpost “OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.