Picus Labs has enhanced the Picus Threat Library with new attack methods that emulate malware and behaviors linked to OilRig, also known as IRN2, HELIX KITTEN, and APT34, an Advanced Persistent Threat group active since 2014. OilRig is widely assessed as an Iranian government backed actor that has targeted organizations in the Middle East and beyond. Its campaigns focus on sectors with high strategic value, including financial services, government, energy, chemicals, telecommunications, oil and gas, and aviation. By adding realistic simulations of these techniques, Picus enables security teams to test their defenses against OilRig style tradecraft and to prioritize fixes based on observed gaps rather than assumptions.
OilRig uses a diverse toolkit and blends native utilities with custom malware to achieve persistence, credential access, and data theft. Reported tools include certutil for staging and file transfer, DistTrack and ZeroCleare for destructive impact, DNSExfiltrator and DNSpionage for DNS based command and control and data movement, GoogleDrive RAT for cloud based communications, LaZagne and Mimikatz for credential harvesting, TONEDEAF and TwoFace for backdoor and web shell access, and VALUEVAULT for information theft. Campaigns often rely on social engineering and exploitation of internet facing services to gain an initial foothold, followed by lateral movement and careful staging of sensitive files for exfiltration.
The new Picus scenarios map to MITRE ATT&CK techniques such as Exploit Public-Facing Application, Application Layer Protocol (command and control), Credentials from Password Stores, and Exfiltration Over Unencrypted Non-C2 Protocol. These simulations help validate EDR detections, NDR analytics, WAF and IDS signatures, and SIEM correlations against OilRig-like behaviors. Organizations can reduce risk by enforcing multifactor authentication for administrative and remote access, segmenting high-value systems, monitoring for unusual DNS activity and cloud storage traffic, restricting high-risk built-in tools such as certutil, and maintaining tested offline backups. Running these Picus simulations regularly shows whether controls actually detect and block OilRig tactics and whether response playbooks work as intended.
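The "unusual DNS activity" that the paragraph above recommends monitoring has a concrete shape for DNSExfiltrator/DNSpionage-style channels: a single registered domain receives many unique, long, high-entropy subdomains, often as TXT or NULL lookups, from a small number of clients. The script below is an added example (it is not Picus code and not part of any OilRig tool) that scores a DNS query log on those four signals. The log format ("timestamp client qname qtype"), the sample lines, and the thresholds are all assumptions made for the example; treating the last two labels as the registered domain is a simplification that a production detector would replace with a public-suffix list.

```python
"""Flag DNS-tunnelling / DNS-exfiltration style query patterns in a DNS query log.

Added example, not code from Picus or from any OilRig tool. Each registered domain seen
in the log is scored on four signals: many unique subdomains, long leftmost labels,
high label entropy, and a high share of TXT/NULL/CNAME lookups. A domain is reported
when at least two signals fire, which keeps a single odd lookup from raising an alert.
"""
import math
import re
from collections import defaultdict

# Constructed sample log (made up for this example) in the assumed form
# "timestamp client qname qtype". example.com is benign browsing; example.net
# receives a burst of 32-char hex labels over TXT from one host, the tunnelling shape.
SAMPLE_DNS_LOG = """\
2021-04-01T10:00:01Z 10.0.0.15 www.example.com A
2021-04-01T10:00:02Z 10.0.0.15 mail.example.com MX
2021-04-01T10:00:03Z 10.0.0.22 a3f9c1e2b7d4485f6a1c9e0b2d7f4a6c.drop.example.net TXT
2021-04-01T10:00:03Z 10.0.0.22 5b1d8e0f3a7c4926d1e8b0f2a6c3d9e7.drop.example.net TXT
2021-04-01T10:00:04Z 10.0.0.22 9e2c7a4f1b6d3058e7f2c1a9b4d6e0f3.drop.example.net TXT
2021-04-01T10:00:04Z 10.0.0.22 c4a1f7e9d2b6804e1f3a7c5d9b2e6f08.drop.example.net TXT
2021-04-01T10:00:05Z 10.0.0.22 0f6b3d9a2e7c4158b9d0f4a1c6e2b7d3.drop.example.net TXT
2021-04-01T10:00:06Z 10.0.0.15 cdn.example.com A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)$"
)


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded payload labels sit near 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered domain, subdomain). Assumption: the registered domain is the
    last two labels. Replace with a public-suffix lookup for real deployments."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_dns_log(text):
    """Yield dicts for every line matching the assumed log format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def score_dns_log(text, min_unique=4, min_label_len=20, min_entropy=3.0, min_txt_ratio=0.5):
    """Aggregate per registered domain and report domains where >= 2 signals fire."""
    stats = defaultdict(lambda: {"subs": set(), "clients": set(), "txt": 0, "total": 0})
    for rec in parse_dns_log(text):
        base, sub = split_qname(rec["qname"])
        if not sub:  # bare domain lookup carries no subdomain payload
            continue
        st = stats[base]
        st["subs"].add(sub)
        st["clients"].add(rec["client"])
        st["total"] += 1
        if rec["qtype"] in ("TXT", "NULL", "CNAME"):
            st["txt"] += 1

    findings = {}
    for base, st in stats.items():
        leftmost = [s.split(".")[0] for s in st["subs"]]  # label that carries the data
        longest = max(len(lbl) for lbl in leftmost)
        avg_entropy = sum(shannon_entropy(lbl) for lbl in leftmost) / len(leftmost)
        txt_ratio = st["txt"] / st["total"]
        reasons = []
        if len(st["subs"]) >= min_unique:
            reasons.append(f"{len(st['subs'])} unique subdomains")
        if longest >= min_label_len:
            reasons.append(f"longest label {longest} chars")
        if avg_entropy >= min_entropy:
            reasons.append(f"mean label entropy {avg_entropy:.2f} bits")
        if txt_ratio >= min_txt_ratio:
            reasons.append(f"{txt_ratio:.0%} TXT/NULL/CNAME queries")
        if len(reasons) >= 2:
            findings[base] = {
                "unique_subdomains": len(st["subs"]),
                "clients": sorted(st["clients"]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for domain, info in score_dns_log(SAMPLE_DNS_LOG).items():
        print(domain, info["clients"], "; ".join(info["reasons"]))
```

Run against the constructed sample, only example.net is reported, with all four reasons and 10.0.0.22 as the sole client; example.com stays quiet because its three subdomains are short and low-entropy. Feed it a real resolver or Zeek dns.log export in the same column order (or adjust LINE_RE) and tune the thresholds against a baseline period, since legitimate CDNs and anti-spam services also generate long machine-generated labels.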
OilRig’s Latest Document-Based Malware Campaign
Since the DNSpionage campaign in 2018, OilRig has been observed targeting individuals with booby-trapped job-opportunity documents delivered directly to selected targets through LinkedIn messages. In this latest campaign, OilRig again uses a malicious document that poses as a job offer. The document downloads a new backdoor variant dubbed SideTwist [1], which provides file download, file upload, and shell command execution.
Picus Labs has updated the Picus Threat Library with this document-based malware and with the SideTwist backdoor that it downloads.
Picus ID | Threat Name
787114 | Malware Downloader used by Oilrig APT Group .DOC File Download Variant-1
334758 | Sidetwist Backdoor used by Oilrig APT Group .EXE File
Other Threats of OilRig in Picus Threat Library
The Picus Threat Library contains 3 threats attributed to the OilRig (APT34) threat actor, including:
MITRE ATT&CK Techniques used by the OilRig (APT34) Threat Group
References
[1] https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/