ATK40

Presumed Origin: Iran < Back

Alias: APT 34, APT34, CHRYSENE, Clayslide, Crambus, Greenbug, Helix Kitten, Helminth, IRN2, OilRig, Twisted Kitten

ATK40 (aka: OilRig, APT34) is an Iranian cyberespionage threat actor active since at least 2014 primarily operating in the Middle East region. The group targets as a priority the financial institutions of the Sunni Gulf States, but also the United States and Israel, traditional geopolitical opponents of the Republic of the Mullahs. During the OilRig campaign in 2016 against financial institutions in Saudi Arabia, the group demonstrate capabilities to adapt its procedures and to use multiple delivery methods, particularly through well-crafted spear-phishing messages relevant to the interests of targeted personnel and custom PowerShell implants like the Helminth backdoor. He relies heavily on the human factor for the initial access. After the firsts report by FireEye and PaloAlto, the group has been actively updating his tools and expands his scope of targets (Qatar, Turkey, Israel and United States). The group continue to use communication though DNS Tunnelling to the command and control server to stay under the radar. In early 2017, the group demonstrate the ability to use digitally signed malware spread through fake websites (University of Oxford conference sign-up page and a job application website). PaloAlto observed an overlap in C&C IP address used by OilRig and used by Chafer for his Remexi backdoor C&C, suggesting that these groups are one entity or that they share resources. Furthermore, the similarity between the malware ISMAgent used by OilRig and ISMDoor used by GreenBug suggest a link between these groups.

This actor shows high capabilities of adaptation, creating new custom delivery documents and backdoor and using multiple TTP to re-infect previous targets who took actions to counter their known TTP. We did not observe this actor using a zero-day exploit, but it quickly used the CVE-2017-0199 and CVE-2017-11882 which are widely used to improve the quality of his lure documents.

DragoS considers that ATK40(OilRig) and ATK59(Greenbug) are the same threat group and carried out initial preparations and network intrusion in advance of the Shamoon event. This group test regularly its samples on anti-virus testers like VirusTotal to determine on what content of their malwares are detected. This technique helped to build nearly undetected samples but allowed researchers to follow the modifications. In April 2019, multiple OilRig tools are leaked on a Github repository, including BONDUPDATER, the TwoFace WebShell and webmask, a tool linked to DNSpionage. This leak is followed in June 2019 by another about the tool Jason.

OilRig infrastructure is continuously growing but overlaps with previously used infrastructure. The group reuse his tools, use the same attack protocols and has a consistent victimology which makes it easy to track down.

REFERENCES

- MITRE ATT&CK, Group: OilRig, http://attack.mitre.org/wiki/Group/G0049
- APT Groups and Operations, http://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#
- Malpedia, OilRig, http://malpedia.caad.fkie.fraunhofer.de/actor/oilrig
- 22/05/2016, FireEye, Targeted Attacks against Banks in the Middle East, http://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
- 26/05/2016, PaloAlto, The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor, http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
- 04/10/2016, PaloAlto, OilRig Malware Campaign Updates Toolset and Expands Targets, http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
- 05/01/2017, ClearSky, Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford, http://www.clearskysec.com/oilrig/
- 03/2017, LogRhythm, OilRigCampaign Analysis, http://gallery.logrhythm.com/threat-intelligence-reports/oilrig-campaign-analysis-logrhythm-labs-threat-intelligence-report.pdf
- 27/04/2017, PaloAlto, OilRig Actors Provide a Glimpse into Development and Testing Efforts, http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
- 27/04/2017, Morphisec, Iranian Fileless Attack Infiltrates Israeli Organizations, http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability
- 27/07/2017, PaloAlto, OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group, http://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
- 26/09/2017, PaloAlto, Striking Oil: A Closer Look at Adversary Infrastructure, http://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/
- 31/07/2017, PaloAlto, TwoFace Webshell: Persistent Access Point for Lateral Movement, http://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/
- 07/10/2017, TrapX, Anatomy of an Attack – Iranian Nation State Interdiction, http://trapx.com/trapx-labs-report-anatomy-of-attack-iranian-nation-state-interdiction/
- 09/10/2017, PaloAlto, OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan, http://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
- 08/11/2017, PaloAlto, OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan, http://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/
- 07/12/2017, FireEye, New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit, http://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
- 11/12/2017, PaloAlto, OilRig Performs Tests on the TwoFace Webshell, http://researchcenter.paloaltonetworks.com/2017/12/unit42-oilrig-performs-tests-twoface-webshell/
- 25/01/2018, PaloAlto, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East, http://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
- 23/02/2018, PaloAlto, OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan, http://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
- 03/2018, Nyotron, OilRig is Back with Next-Generation Tools and Techniques, http://www.nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf
- 17/05/2018, DragoS, CHRYSENE, http://dragos.com/blog/20180517Chrysene.html
- 25/07/2018,PaloAlto, OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
- 04/09/2018,PaloAlto, OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
- 12/09/2018,PaloAlto, OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
- 16/11/2018,PaloAlto, Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
- 27/11/2018, CrowdStrike, Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
- 16/04/2019,PaloAlto, DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
- 23/04/2019,Talos, DNSpionage brings out the Karkoff
- 30/04/2019, PaloAlto, Behind the Scenes with OilRig
- 03/06/2019, Bleeping Computer, New Email Hacking Tool from OilRig APT Group Leaked Online
- 06/06/2019,Marco Amilli, APT34: Jason project
- 16/06/2019, eutopian.io, APT34 Tools Leak
- 04/12/2019, IBM X-Force, New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East, https://www.ibm.com/downloads/cas/OAJ4VZNJ
- 09/01/2020, ClearSky, PowDesk: Targeted APT34 Campaign Against LANDesk Users, https://www.clearskysec.com/powdesk-apt34/
- 16/02/2020, ClearSky, Fox Kitten – Widespread Iranian Espionage-Offensive Campaign, https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
- 02/03/2020, Yoroi, Karkoff 2020: a new APT34 espionage operation involves Lebanon Government, https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/

Target sector

Aerospace
Aviation
Chemicals
Communication
Education
Energy
Financial Services
Government and administration agencies
Healthcare
High-Tech
Hospitality
Transportation

Target countries

Azerbaijan
Mauritius
Qatar
Israel
Kuwait
Lebanon
Saudi Arabia
Turkey
United Arab Emirates
United States Of America

Attack pattern

T1003 - Credential Dumping
T1007 - System Service Discovery
T1008 - Fallback Channels
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1032 - Standard Cryptographic Protocol
T1033 - System Owner/User Discovery
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1066 - Indicator Removal from Tools
T1069 - Permission Groups Discovery
T1071 - Standard Application Layer Protocol
T1076 - Remote Desktop Protocol
T1078 - Valid Accounts
T1082 - System Information Discovery
T1086 - PowerShell
T1087 - Account Discovery
T1094 - Custom Command and Control Protocol
T1100 - Web Shell
T1105 - Remote File Copy
T1107 - File Deletion
T1108 - Redundant Access
T1110 - Brute Force
T1113 - Screen Capture
T1119 - Automated Collection
T1133 - External Remote Services
T1140 - Deobfuscate/Decode Files or Information
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1201 - Password Policy Discovery
T1204 - User Execution
T1223 - Compiled HTML File
T1555.004 - Windows Credential Manager

Motivation

Espionage

Malwares

ALMA Communicator
BONDUPDATER
CANDYKING
Clayslide
GOLDIRONY
Helminth
ISMAgent
ISMInjector
Jason
KEYPUNCH
Karkoff
LaZagne
Mimikatz
OopsIE
POWBAT
POWRUNER
QUADAGENT
RGDoor
SEASHARPEE
SideTwist
TONEDEAF
ThreeDollars
TwoFace WebShell
ZeroCleare

Vulnerabilities

CVE-2017-0199
CVE-2017-11882
CVE-2020-0688