OilRig, also known as APT34, Lyceum, Crambus, and Siamesekitten, has deployed a series of sophisticated downloaders identified as SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster. The downloaders were used to target organisations primarily located in Israel.
These downloaders also illustrate the group's evolving tactics, marked by the strategic use of legitimate cloud service APIs for command and control (C&C) communication and data exfiltration.
Cybersecurity researchers from ESET unveiled the group's latest set of downloaders. One interesting point to note is that OilRig had targeted the same Israeli organisations a few months earlier using a different set of tools. This new attack shows the group's determination to maintain access to networks of strategic interest.
SC5k
The SC5k downloader series is a key focal point in OilRig's evolving tactics. Starting with SC5k v1 in November 2021, subsequent versions (v2 and v3) introduced enhancements to evade analysis and augment exfiltration capabilities. The downloader uses the Microsoft Office Exchange Web Services (EWS) API to communicate with a shared Exchange mail account.
Version two of the malware introduced changes that complicate payload retrieval and analysis by researchers, while version three added new exfiltration functionality.
SC5k uses victim IDs generated from compromised system information to distinguish between messages in the shared mail account. SC5k v1 and v2 use file extensions to tell the messages apart, while SC5k v3 uses the Form and MailItem instead.
To communicate with the threat actors, the downloader creates a draft message attaching the encrypted files in a compressed gzip format.
OilBooster

The OilBooster downloader is a 64-bit Portable Executable (PE) written in Microsoft Visual C/C++ and uses the Microsoft Graph API to connect to an attacker-controlled OneDrive account.
Once inside the system, the malware downloads the contents, executes files and shell commands, exfiltrates results, and uses a victim-specific directory structure on OneDrive.
It communicates with the attackers by uploading results and exfiltrating data in files with .xls and .xlsx extensions. Although the extensions suggest Excel spreadsheets, these files are actually XOR-encrypted JSON files.
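Because the uploaded files carry a spreadsheet extension but are not spreadsheets, a simple triage check is to compare the extension against the file's real container header: a genuine .xls is an OLE2 compound file and a genuine .xlsx is an OOXML zip. The following is an added defender-side example, not code from the original article or from ESET, that flags files whose extension and header disagree and then tries a single-byte XOR brute force to see whether JSON falls out. The single-byte key, the sample key 0x5A and the embedded sample files are assumptions constructed for this example; the actual key length used by OilBooster is not stated in the text.

```python
import json
import os

# Magic bytes of the two real Excel container formats.
# Legacy .xls = OLE2 compound file; .xlsx = OOXML zip archive.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
SPREADSHEET_EXTS = {".xls", ".xlsx"}


def looks_like_real_spreadsheet(data: bytes) -> bool:
    """True if the bytes begin with an OLE2 or zip header."""
    return data.startswith(OLE2_MAGIC) or data.startswith(ZIP_MAGIC)


def single_byte_xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def try_recover_json(data: bytes):
    """Triage heuristic (assumption: single-byte XOR key). Returns
    (key, parsed) if some key turns the data into a JSON object/array."""
    for key in range(256):
        candidate = single_byte_xor(data, key)
        try:
            text = candidate.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if not text.lstrip().startswith(("{", "[")):
            continue
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError:
            continue
        if isinstance(parsed, (dict, list)):
            return key, parsed
    return None


def triage_file(name: str, data: bytes) -> dict:
    """Flag spreadsheet-named files that lack a spreadsheet header."""
    result = {"name": name, "suspicious": False, "reason": None,
              "xor_key": None, "payload": None}
    ext = os.path.splitext(name)[1].lower()
    if ext not in SPREADSHEET_EXTS or looks_like_real_spreadsheet(data):
        return result
    result["suspicious"] = True
    result["reason"] = "spreadsheet extension but no OLE2/OOXML header"
    recovered = try_recover_json(data)
    if recovered:
        result["xor_key"], result["payload"] = recovered
        result["reason"] += "; single-byte XOR yields JSON"
    return result


# Constructed samples for this example (not real malware artefacts).
SAMPLE_KEY = 0x5A
SAMPLE_JSON = b'{"id":"victim-0001","cmd":"dir","out":"..."}'
SAMPLES = {
    "results.xlsx": single_byte_xor(SAMPLE_JSON, SAMPLE_KEY),  # masquerading
    "real.xlsx": ZIP_MAGIC + b"\x14\x00\x00\x00",              # genuine header
    "notes.txt": b"hello",                                      # out of scope
}


def triage_all(samples=SAMPLES) -> list:
    return [triage_file(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(r["name"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reason"])
```

On real data the header check alone is the cheap, reliable part; the XOR brute force is only a hint, and a multi-byte key would need a different approach (for example, XOR-ing against the expected JSON prefix to recover the keystream).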
ODAgent Downloader

This downloader is a C#/.NET application that uses the Microsoft Graph API for command and control communication. It is a precursor to OilBooster and likewise accesses an attacker-controlled OneDrive account.
It runs separate downloader and exfiltration threads to obtain payloads and upload data.
OilCheck
OilCheck was discovered in April 2022 and is also a C#/.NET application. Unlike SC5k, it uses the REST-based Microsoft Graph API for command-and-control communication.
It also uses a shared Microsoft Office 365 email account for communication.
While the individual downloaders are not the most technically sophisticated, the collective tactics employed by the threat actor are dangerous for organisations. The group's shift towards cloud-based communication aligns with broader trends in APT strategies, emphasising the use of legitimate services to conceal malicious activities.
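The common thread across all four downloaders is that C&C traffic goes to Microsoft's own endpoints (EWS on Exchange Online, and the Graph API for OneDrive and Office 365 mail), so destination-based blocking is not an option. What a defender can do is ask which process on the host is talking to those endpoints. The following is an added hunting example, not code from the original article or from ESET, that parses constructed proxy/EDR-style log lines and flags connections to EWS or Graph from processes outside an expected allowlist. The log format, host names, process names and the allowlist itself are assumptions for this example and would need tuning per environment.

```python
import re
from dataclasses import dataclass

# Real Microsoft endpoints the downloaders' C&C channels go through.
EWS_HOST = "outlook.office365.com"
EWS_PATH = "/ews/exchange.asmx"
GRAPH_HOST = "graph.microsoft.com"

# Assumed allowlist: processes expected to call these APIs on a workstation.
EXPECTED_PROCESSES = {"outlook.exe", "teams.exe", "onedrive.exe",
                      "msedge.exe", "chrome.exe", "firefox.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+url=(?P<url>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    process: str
    channel: str


def classify_channel(dst: str, url: str):
    """Return 'ews', 'graph' or None depending on the destination."""
    dst, url = dst.lower(), url.lower()
    if dst == EWS_HOST and url.startswith(EWS_PATH):
        return "ews"
    if dst == GRAPH_HOST:
        return "graph"
    return None


def hunt(lines, allowlist=EXPECTED_PROCESSES) -> list:
    """Flag EWS/Graph traffic from processes not in the allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        channel = classify_channel(m["dst"], m["url"])
        if channel is None:
            continue
        if m["proc"].lower() in allowlist:
            continue
        findings.append(Finding(m["ts"], m["host"], m["proc"], channel))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-01-10T09:12:33Z host=WS01 proc=outlook.exe dst=outlook.office365.com url=/EWS/Exchange.asmx",
    "2024-01-10T09:13:01Z host=WS01 proc=svchost.exe dst=outlook.office365.com url=/EWS/Exchange.asmx",
    "2024-01-10T09:14:20Z host=WS02 proc=updater.exe dst=graph.microsoft.com url=/v1.0/me/drive/root/children",
    "2024-01-10T09:15:05Z host=WS02 proc=msedge.exe dst=graph.microsoft.com url=/v1.0/me",
    "2024-01-10T09:16:40Z host=WS03 proc=curl.exe dst=example.invalid url=/",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.process} -> unexpected {f.channel} traffic")
```

The value of this kind of query is in the baseline, not the regex: on a host where only Outlook and the browsers should ever touch EWS or Graph, a service host, updater or scripting engine doing so is a strong lead even though every packet went to a legitimate Microsoft domain.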