Picus Labs Red Team | April 19, 2021
Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the OilRig (also known as IRN2, HELIX KITTEN, and APT34) Advanced Persistent Threat (APT) group, which has been operating since 2014. OilRig is believed to be an Iranian government-backed threat group that targets Middle Eastern and international victims, most of them in the financial, government, energy, chemical, telecommunications, oil and gas, and aviation sectors. OilRig (APT34) uses dozens of tools in its campaigns, including certutil, DistTrack, DNSExfiltrator, DNSpionage, GoogleDrive RAT, LaZagne, Mimikatz, TONEDEAF, TwoFace, VALUEVAULT, and ZeroCleare.
OilRig’s Latest Document-Based Malware Campaign
Since the DNSpionage campaign in 2018, OilRig has been observed targeting selected individuals with booby-trapped job-opportunity documents delivered directly to the targets through LinkedIn messages. The latest campaign follows the same pattern: the malicious document poses as a job offer and, when opened, downloads a new backdoor variant dubbed SideTwist [1], which supports file download, file upload, and shell command execution.
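The page does not say how the lure document fetches the backdoor, so the following is a generic first-pass triage for document-based malware rather than a signature for this sample. It is an added example, not Picus code, and it assumes the lure is an OOXML package (.docx/.docm); it checks for the two indicators an analyst looks at before anything else, an embedded VBA project and relationships that point outside the package (for instance a remote attached template). The sample documents are constructed in memory so the script runs offline.

```python
"""Triage an OOXML (.docx/.docm) package for document-based malware indicators.

Added example (not from Picus or the Check Point report). Uses only the
standard library. Indicators checked:
  * word/vbaProject.bin present  -> the document carries VBA macros
  * a .rels relationship with TargetMode="External" whose type is not a
    plain hyperlink (e.g. attachedTemplate, oleObject) -> content is
    pulled from outside the package when the document is opened
"""
import io
import re
import zipfile

# Assumed/benign external relationship type: ordinary hyperlinks are normal
# in documents and are not treated as suspicious on their own.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}

REL_RE = re.compile(r"<Relationship\s[^>]*?/?>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def _relationships(xml):
    """Yield attribute dicts for every <Relationship .../> element."""
    for m in REL_RE.finditer(xml):
        yield dict(ATTR_RE.findall(m.group(0)))


def triage_docx(data):
    """Inspect an OOXML package given as bytes and return its indicators."""
    result = {"vba_project": False, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            xml = z.read(n).decode("utf-8", "replace")
            for attrs in _relationships(xml):
                if attrs.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = attrs.get("Type", "").rsplit("/", 1)[-1]
                result["external_targets"].append((n, rel_type, attrs.get("Target", "")))
    suspicious_external = [t for t in result["external_targets"] if t[1] not in BENIGN_EXTERNAL_TYPES]
    result["suspicious"] = result["vba_project"] or bool(suspicious_external)
    return result


def build_sample(macro=False, remote_template=None):
    """Construct a minimal OOXML package in memory (test data, not a real lure)."""
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
                '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % ns]
        if remote_template:
            # Remote template injection: the template is fetched when the document opens.
            rels.append('<Relationship Id="rId2" Type="%sattachedTemplate" Target="%s" TargetMode="External"/>'
                        % (ns, remote_template))
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if macro:
            # Only the OLE compound-file magic is needed for the presence check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample()),
                       ("macro", build_sample(macro=True)),
                       ("remote-template", build_sample(remote_template="http://template.invalid/job.dotm"))):
        print(label, triage_docx(doc))
```

A hit from either check is a reason to detonate the document in a sandbox and watch for the follow-on download the page describes; a clean result only means the document used neither of these two mechanisms.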
Picus Labs has updated the Picus Threat Library with this document-based malware and the SideTwist backdoor downloaded by this malware.
Picus ID | Threat Name
787114 | Malware Downloader used by Oilrig APT Group .DOC File Download Variant-1
334758 | Sidetwist Backdoor used by Oilrig APT Group .EXE File
Other Threats of OilRig in Picus Threat Library
The Picus Threat Library contains 3 threats attributed to the OilRig (APT34) threat actor, including:
MITRE ATT&CK Techniques used by the OilRig (APT34) Threat Group
References
[1] https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/