AttackIQ publishes OilRig attack graphs emulating Iranian hacker’s global attack campaigns

AttackIQ released two new attack graphs that emulate different aspects of the campaigns carried out by the OilRig adversary. The graphs are intended to help customers validate their security controls and defenses and improve their cybersecurity readiness. Based on AttackIQ's research, OilRig has targeted a range of sectors, including government, financial services, energy, resources and utilities, manufacturing, telecommunications, and technology.

OilRig has demonstrated proficiency in a wide range of attack vectors, AttackIQ said in a post published on Monday. “They have conducted social engineering attacks through legitimate social networks like LinkedIn to deliver documents with fraudulent job offers from prominent organizations. They conducted destructive actions using wipers, such as the Disttrack malware family, during the Shamoon attacks. They also used supply chain compromises where the adversary exploited relationships of trust between organizations to reach their desired targets,” it added.

MITRE lists OilRig as a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted various financial, government, energy, chemical, and telecommunications sectors. The group also carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

The first attack graph is based on reports from Mandiant and Intezer describing social engineering attacks against multiple organizations around the world conducted in 2020, AttackIQ said. “During this campaign, the adversaries impersonated members of various organizations to gain and exploit the trust of the victims. Malicious documents were distributed via LinkedIn that would lead to the delivery of the actor’s bespoke Tonedeaf backdoor,” it added. 

The first steps in this attack graph emulate the delivery techniques used to download Tonedeaf to the victim’s workstation, AttackIQ said. The graph then emulates the deobfuscation or decoding of files or information and the transfer of additional tooling into the environment (ingress tool transfer). Once the malware is executed, the actor establishes persistence using a scheduled task, checks in with the command-and-control server, and performs initial discovery actions to learn more about the compromised environment.

AttackIQ said that the data collected during the discovery phase is then staged and exfiltrated to the command-and-control server over HTTP. The actor then downloads LongWatch, a keylogger that directs keystroke outputs to a file in the Windows Temp folder. “OilRig then brings down different password dumping utilities. The first attempt is for ValueVault, a Golang version of the credential-stealing tool known as ‘Windows Vault Password Dumper.’ If that attempt is prevented, then they will try to retrieve PickPocket which is a browser credential-stealing tool,” it added.

Finally, passwords and any additional files of interest would be exfiltrated by the actor using HTTP and DNS fallback channels, AttackIQ added.

Addressing the second attack graph, AttackIQ said it is based on a 2018 Palo Alto Networks report in which OilRig used a PowerShell-based backdoor known as QuadAgent against technology service providers and government agencies. “Like the first attack graph, this one starts with the delivery of the Actor’s custom PowerShell malware, QuadAgent, and creates persistence with a scheduled task. The actor then creates a unique victim identifier that is stored in a registry key. This value is later utilized when communicating with the command-and-control server for identification,” it added.

The QuadAgent malware then communicates with the command-and-control server to let the actor know they are ready for tasking, AttackIQ said. “The malware leverages fallback channels if it is unable to communicate with the actor’s infrastructure. The first attempts are over SSL and if prevented, revert to unencrypted HTTP requests. If those fail as well, the actor pivots to using DNS requests,” it added. 

After communicating with the C2 server, the threat actor begins discovery actions to learn more about the compromised environment, according to AttackIQ. They begin by querying details of the Active Directory configuration and then system owner information. Data is then exfiltrated over either HTTP or DNS, and any data received from the hacker is base64-encoded.
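The fallback-channel behaviour described in the last two paragraphs gives defenders a concrete pattern to hunt for. The following is an added example (not AttackIQ's code and not from the cited reports) that walks constructed proxy and DNS telemetry looking for a host that steps HTTPS -> HTTP -> DNS against one domain within a short window and whose DNS labels decode as base64; the log format, host names and the `c2.example.invalid` domain are assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample telemetry (not from AttackIQ or the cited reports), one event per line:
# "timestamp,source_host,channel,destination,payload". The domains are placeholders.
SAMPLE_LOG = """\
1000,WS01,https,c2.example.invalid,connect
1002,WS01,http,c2.example.invalid,GET /?id=d2lu
1004,WS01,dns,c2.example.invalid,Y29tcHV0ZXI.c2.example.invalid
1006,WS01,dns,c2.example.invalid,ZG9tYWlu.c2.example.invalid
1010,WS02,https,updates.example.invalid,connect
1020,WS02,https,updates.example.invalid,connect
"""

FALLBACK_ORDER = ("https", "http", "dns")  # downgrade order described for QuadAgent
WINDOW = 60  # seconds: a retry on the next channel follows a blocked attempt quickly


def looks_base64(label: str) -> bool:
    """True if a DNS label is standard base64 that decodes to printable text."""
    if len(label) < 4 or not re.fullmatch(r"[A-Za-z0-9+/=]+", label):
        return False
    try:
        raw = base64.b64decode(label + "=" * (-len(label) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def find_fallback_sequences(log: str, window: int = WINDOW):
    """Return (host, domain, channels, base64_labels) for every host/domain pair that
    walked the full https -> http -> dns chain, each step within `window` of the last."""
    events = defaultdict(list)  # (host, domain) -> [(ts, channel, payload)]
    for line in log.splitlines():
        ts, host, channel, dest, payload = line.split(",", 4)
        events[(host, dest)].append((int(ts), channel, payload))
    findings = []
    for (host, dest), evs in events.items():
        evs.sort()
        seen = []  # accepted (ts, channel) steps, in downgrade order
        for ts, channel, _ in evs:
            expected = FALLBACK_ORDER[len(seen)] if len(seen) < len(FALLBACK_ORDER) else None
            if channel == expected and (not seen or ts - seen[-1][0] <= window):
                seen.append((ts, channel))
        if [c for _, c in seen] != list(FALLBACK_ORDER):
            continue
        labels = [p.split(".")[0] for _, ch, p in evs
                  if ch == "dns" and looks_base64(p.split(".")[0])]
        findings.append((host, dest, [c for _, c in seen], labels))
    return findings
```

WS01 is flagged because all three channels hit the same domain within seconds and its DNS labels decode to "computer" and "domain"; WS02's repeated HTTPS connects never downgrade and are ignored.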

“The attack graph finishes by sending the good-bye requests made by QuadAgent before it receives any additional malware stages,” AttackIQ said. “Like the initial check-in messages, the actor leverages the same fallback channels of HTTPS, HTTP, and DNS,” it added.

AttackIQ concluded that these two attack graphs evaluate security and incident response processes and support the improvement of security control posture against a nation-state actor that has succeeded using common and unsophisticated measures. “With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat,” it added.