Picus Threat Library Updated for Document Malware of the OilRig (APT34) Threat Group

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the OilRig (also known as IRN2, HELIX KITTEN, and APT34) Advanced Persistent Threat (APT) group, which has been operating since 2014. OilRig is believed to be an Iranian government-backed threat group that has targeted Middle Eastern and international victims. The majority of the group's targets are in the financial, government, energy, chemical, telecommunication, oil and gas, and aviation sectors. OilRig (APT34) uses dozens of tools in its attack campaigns, including certutil, DistTrack, DNSExfiltrator, DNSpionage, GoogleDrive RAT, LaZagne, Mimikatz, TONEDEAF, TwoFace, VALUEVAULT, and ZeroCleare.

OilRig’s Latest Document-Based Malware Campaign

Since the DNSpionage campaign in 2018, OilRig has been observed targeting individuals with booby-trapped "job opportunity" documents delivered directly to selected targets through LinkedIn messages. The latest campaign follows the same pattern: the malicious document is disguised as a job opportunity document. When opened, it downloads a new backdoor variant dubbed SideTwist [1], which provides file download, file upload, and shell command execution functionality.

Picus Labs has updated the Picus Threat Library with this document-based malware and the SideTwist backdoor downloaded by this malware.

Picus ID | Threat Name
         | Malware Downloader used by Oilrig APT Group .DOC File Download Variant-1
         | Sidetwist Backdoor used by Oilrig APT Group .EXE File

Other Threats of OilRig in Picus Threat Library

The Picus Threat Library contains 3 threats of the OilRig (APT34) threat actor, including:

  • OilRig Threat Group's Attack Scenario
  • Ops Tempo Malware used by OilRig Threat Group
  • OopsIE Dropper Malware used by OilRig Threat Group
  • BondUpdater Trojan used by OilRig Threat Group
  • Clayside Malware Dropper Used by OilRig APT Campaign
  • ISMAgent Backdoor Malware Used by OilRig APT Group
  • ISMInjector Trojan Used by OilRig APT Group
  • OilRig APT's Quadagent Backdoor .EXE File Download
  • RGDoor Backdoor used by OilRig
  • ThreeDollars Trojan Downloader Used by OilRig APT Group

MITRE ATT&CK Techniques used by the OilRig (APT34) Threat Group

  • T1087.002 Account Discovery: Domain Account
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1119 Automated Collection
  • T1110 Brute Force
  • T1059 Command and Scripting Interpreter
  • T1555 Credentials from Password Stores
  • T1140 Deobfuscate/Decode Files or Information
  • T1573.002 Encrypted Channel: Asymmetric Cryptography
  • T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • T1133 External Remote Services
  • T1008 Fallback Channels
  • T1070.004 Indicator Removal on Host: File Deletion
  • T1105 Ingress Tool Transfer
  • T1056.001 Input Capture: Keylogging
  • T1046 Network Service Scanning
  • T1027 Obfuscated Files or Information
  • T1137.004 Office Application Startup: Outlook Home Page
  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1201 Password Policy Discovery
  • T1069.001 Permission Groups Discovery: Local Groups
  • T1566.001 Phishing: Spearphishing Attachment
  • T1057 Process Discovery
  • T1572 Protocol Tunneling
  • T1012 Query Registry
  • T1021.004 Remote Services: SSH
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1113 Screen Capture
  • T1505.003 Server Software Component: Web Shell
  • T1218.001 Signed Binary Proxy Execution: Compiled HTML File
  • T1082 System Information Discovery
  • T1016 System Network Configuration Discovery
  • T1049 System Network Connections Discovery
  • T1033 System Owner/User Discovery
  • T1007 System Service Discovery
  • T1552.001 Unsecured Credentials: Credentials In Files
  • T1204.002 User Execution: Malicious File
  • T1078 Valid Accounts
  • T1047 Windows Management Instrumentation


[1] https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/