ATK40

Presumed Origin: Iran

Alias: APT 34, APT34, CHRYSENE, Clayslide, Crambus, Greenbug, Helix Kitten, Helminth, IRN2, OilRig, Twisted Kitten

ATK40 (aka OilRig, APT34) is an Iranian cyberespionage threat actor active since at least 2014 and operating primarily in the Middle East. The group prioritises the financial institutions of the Sunni Gulf states, but also targets the United States and Israel, traditional geopolitical opponents of the Republic of the Mullahs. During the 2016 OilRig campaign against financial institutions in Saudi Arabia, the group demonstrated the capability to adapt its procedures and to use multiple delivery methods, in particular well-crafted spear-phishing messages relevant to the interests of the targeted personnel and custom PowerShell implants such as the Helminth backdoor. It relies heavily on the human factor for initial access. After the first reports by FireEye and Palo Alto Networks, the group actively updated its tools and expanded its scope of targets (Qatar, Turkey, Israel and the United States). The group continues to communicate with its command and control servers through DNS tunnelling in order to stay under the radar. In early 2017, the group demonstrated the ability to distribute digitally signed malware through fake websites (a University of Oxford conference sign-up page and a job application website). Palo Alto Networks observed an overlap between a C&C IP address used by OilRig and one used by Chafer for its Remexi backdoor C&C, suggesting that these groups are one entity or that they share resources. Furthermore, the similarity between the ISMAgent malware used by OilRig and ISMDoor used by Greenbug suggests a link between these groups.

This actor shows a high capacity for adaptation, creating new custom delivery documents and backdoors and using multiple TTPs to re-infect previous targets that had taken action to counter its known TTPs. We have not observed this actor using a zero-day exploit, but it quickly adopted CVE-2017-0199 and CVE-2017-11882, which are widely used, to improve the quality of its lure documents.

Dragos considers that ATK40 (OilRig) and ATK59 (Greenbug) are the same threat group and that it carried out the initial preparations and network intrusion in advance of the Shamoon event. This group regularly tests its samples on anti-virus scanning services such as VirusTotal to determine which parts of its malware are detected. This technique helped it build nearly undetected samples but also allowed researchers to follow the modifications. In April 2019, multiple OilRig tools were leaked on a GitHub repository, including BONDUPDATER, the TwoFace web shell and webmask, a tool linked to DNSpionage. This leak was followed in June 2019 by another one concerning the tool Jason.

OilRig's infrastructure is continuously growing but overlaps with previously used infrastructure. The group reuses its tools, uses the same attack protocols and has a consistent victimology, which makes it easy to track.

Target sector

  • Aerospace
  • Aviation
  • Chemicals
  • Communication
  • Education
  • Energy
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Hospitality
  • Transportation

Target countries

  • Azerbaijan
  • Mauritius
  • Qatar
  • Israel
  • Kuwait
  • Lebanon
  • Saudi Arabia
  • Turkey
  • United Arab Emirates
  • United States Of America

Attack pattern

  • T1003 - Credential Dumping
  • T1007 - System Service Discovery
  • T1008 - Fallback Channels
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1021 - Remote Services
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1033 - System Owner/User Discovery
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1049 - System Network Connections Discovery
  • T1053 - Scheduled Task
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command and Scripting Interpreter
  • T1066 - Indicator Removal from Tools
  • T1069 - Permission Groups Discovery
  • T1071 - Standard Application Layer Protocol
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1082 - System Information Discovery
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1094 - Custom Command and Control Protocol
  • T1100 - Web Shell
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1108 - Redundant Access
  • T1110 - Brute Force
  • T1113 - Screen Capture
  • T1119 - Automated Collection
  • T1133 - External Remote Services
  • T1140 - Deobfuscate/Decode Files or Information
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1201 - Password Policy Discovery
  • T1204 - User Execution
  • T1223 - Compiled HTML File
  • T1555.004 - Windows Credential Manager

Motivation

  • Espionage

Malware

  • ALMA Communicator
  • BONDUPDATER
  • CANDYKING
  • Clayslide
  • GOLDIRONY
  • Helminth
  • ISMAgent
  • ISMInjector
  • Jason
  • KEYPUNCH
  • Karkoff
  • LaZagne
  • Mimikatz
  • OopsIE
  • POWBAT
  • POWRUNER
  • QUADAGENT
  • RGDoor
  • SEASHARPEE
  • SideTwist
  • TONEDEAF
  • ThreeDollars
  • TwoFace WebShell
  • ZeroCleare

Vulnerabilities

  • CVE-2017-0199
  • CVE-2017-11882
  • CVE-2020-0688