OilRig is an Iranian-linked Advanced Persistent Threat (APT) group, which also goes by the names of Cobalt Gypsy, Twisted Kitten and Crambus. The group was identified in 2015 and is believed to be linked to the Iranian Intelligence agency and the Islamic Revolutionary Guard Corps (IRGC). At first, the group was perceived as immature and not highly sophisticated, but it has rapidly evolved and is now recognized as a sophisticated and dangerous Iranian Cyber APT.
Attack Motives, Methods and Strategies
OilRig’s first attack surfaced in 2015, primarily targeting financial and technology organizations in Saudi Arabia. Since then, the group has attacked energy, financial, aviation, infrastructure, government and university organizations across the Middle East, Eastern Europe and even the United States.
Whereas other Iranian groups have typically targeted foreign government agencies and Iranian dissidents, OilRig is highly focused on private industry outside of Iran. The targets of the group seem to be chosen for business espionage and other strategic purposes.
For their attacks, OilRig has predominantly relied on social engineering as the primary attack vector, showing that the group tends to exploit “social” weaknesses rather than software or technical vulnerabilities. More recently, however, the group has also exploited known, already-patched vulnerabilities on systems that had not yet applied the patch to deliver some of its attacks. As many in the cyber intelligence community have noted, the fact that the group does not typically exploit software vulnerabilities does not mean that it lacks capabilities or sophistication.
OilRig’s Latest Arsenal of Attack Capabilities
With their latest campaigns, it’s clear that OilRig has significantly advanced its capabilities and creativity in developing new TTPs (Tactics, Techniques and Procedures), which is why the group is getting much more attention globally. These TTPs include advanced malware tools and new data exfiltration methods, which use off-the-shelf, multi-purpose utilities and support software with a twist, so they are very difficult to detect. Other attacks are totally new and have never been seen before.
During their last malware campaign, the group used more than 20 new and unknown tools against multiple targets in Saudi Arabia and other countries in the Middle East.
These new tools include the following:
- Google Drive C&C: A highly sophisticated Remote Access Trojan (RAT) that uses Google Drive for command and control (C&C) purposes.
- OopsIE Trojan-Malware: A Trojan delivered by a variant of the “ThreeDollars” delivery document, with the same malicious payload hidden inside the document; OilRig’s operators sent it to government targets in the UAE to infect them with the Trojan.
- SmartFile C&C: A tool that leverages the SmartFile file sharing and transfer service to send commands to, and perform actions on, infected machines.
- IIS ISAPI Filter-Based C&C: ISAPI filters extend the functionality of Microsoft Internet Information Services (IIS) servers; a malicious filter provides a more covert way to execute commands on a previously compromised machine than a web page (web shell) does, because it runs inside the IIS worker process and leaves no extra file for the web server to serve.
- RGDoor Backdoor: This backdoor allows the attacker to regain access to a compromised web server when its TwoFace web shell is discovered and removed.
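As an added, defender-side check that is not part of the original post, the following PowerShell enumerates the ISAPI filters and native modules registered on an IIS host and flags any whose DLL is missing, unsigned or carries an invalid Authenticode signature, which is the kind of inventory you would want when hunting for filter- or module-based IIS backdoors like the ones listed above. It assumes the WebAdministration module (installed with the IIS management tools) is present; the function name is our own.

```powershell
# Added example (not OilRig tooling): inventory IIS ISAPI filters and native modules
# and flag entries that do not look like legitimately signed Microsoft/vendor binaries.
# Assumes the WebAdministration module is available (IIS management tools installed).
Import-Module WebAdministration -ErrorAction Stop

function Get-IisExtensionReport {
    # Server-level ISAPI filters live in applicationHost.config (MACHINE/WEBROOT/APPHOST).
    $filters = Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' `
                                    -PSPath 'MACHINE/WEBROOT/APPHOST'
    foreach ($f in $filters) {
        Test-IisBinary -Kind 'ISAPI filter' -Name $f.name -Path $f.path
    }

    # Native (unmanaged) modules are registered globally with an image path.
    foreach ($m in Get-WebGlobalModule) {
        Test-IisBinary -Kind 'Native module' -Name $m.Name -Path $m.Image
    }
}

function Test-IisBinary {
    param([string]$Kind, [string]$Name, [string]$Path)

    # Paths in IIS config often contain %windir% or %SystemRoot%.
    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    $exists   = Test-Path -LiteralPath $resolved

    $status = 'Missing'
    $hash   = $null
    if ($exists) {
        $status = (Get-AuthenticodeSignature -FilePath $resolved).Status
        $hash   = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
    }

    [PSCustomObject]@{
        Kind       = $Kind
        Name       = $Name
        Path       = $resolved
        Signature  = $status
        SHA256     = $hash
        # Anything not present or not carrying a valid signature deserves a closer look.
        Suspicious = (-not $exists) -or ($status -ne 'Valid')
    }
}

Get-IisExtensionReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A valid signature is not proof of legitimacy and an unsigned DLL is not proof of compromise; use the report to prioritise which binaries to compare against a known-good build or submit for analysis.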
Over the past three years, OilRig has continued to increase both the scope and complexity of its attacks quite significantly. While the group has primarily focused its attacks on organizations in the Middle East, it has more recently started targeting companies in the United States and continues to pose a growing threat to organizations across the world.
To find out more about OilRig’s attack history and their capabilities, download our OilRig APT Group Profile Threat Brief.