A set of malicious tools, along with a list of potential targets and victims, belonging to an advanced persistent threat group dubbed OilRig has leaked online, exposing some of the organization’s methods and goals, analysts say.
It’s not clear how the OilRig material was exposed but, according to security analysts the malicious tools and the source code has been available since at least mid-March on Telegram and Github.
OilRig, which also goes by the name APT34 and HelixKitten, is apparently backed by Iran and has been active in the Middle East, according to a previous analysis by Palo Alto Network’s Unit 42. The data that is now available, however, shows that the APT group has also had an interest in parts of Europe, Asia and Africa, as well as China.
Active since at least 2016, OilRig has targeted governmental agencies and businesses, including companies in the financial, energy, chemical and telecommunications sectors, as part of an ongoing and long-term espionage campaign. The APT group is primarily known for using DNS tunneling, a method that takes advantage of flaws in the DNS protocol to funnel malware and other malicious data through a target server, according to Unit 42.
According to Brandon Levene, the head of applied intelligence at Chronicle, the group is likely to change its strategy due to some of its source code has been exposed online.
Who Leaked OilRig Data?
It remains unclear who leaked the OilRig tools and data. A Twitter discussion about the disclosure offers some taunts against OilRig and its backers.
At least three distinct OilRig tools appear on Github and Telegram:
- Glimpse, an updated version of BondUpdater – a PowerShell-based Trojan first discovered by FireEye;
- PoisonFrog, an older version of the BondUpdater Trojan;
- Hypershell, a version of what Unit 42 calls the TwoFace Webshell toolset, which enables the attackers to gain remote access to a network.
Further, the Telegram site has a list of OilRig victims and targets, which includes organizations such as the Emirates Federal Competitiveness and Statistics Authority, the Emirates Prime Minister Office and the Oman Administrative Court.
Within the last three years, OilRig has become gradually more sophisticated as the list of its targets and victims have grown, according to the Unit 42 analysis.
The APT group has started to take advantage of the some of the weaknesses found in DNS, according to Unit 42. DNS is an older protocol that acts as the “phone book” for the internet by taking domain names and translating them into a numeric code.
The Unit 42 analysis found that OilRig uses DNS tunneling to communicate between the victim and the group’s command-and-control servers. This is also the method for delivering Trojans to the target systems.
Eyeing the Middle East
Last Wednesday, Cisco Talos researchers described another unrelated attack, called Sea Turtle, that involves misuse of the DNS protocol. That attack involves stealing passwords and credentials as part of a sophisticated espionage campaign.
The Cisco Talos team did not name the nation-state that is backing Sea Turtle; however, they noted that the group is not associated with other groups, including OilRig, that have started to take advantage of DNS protocols for spying operations throughout the Middle East.