ESET researchers analyzed a growing series of OilRig downloaders that the group has used in several campaigns throughout 2022, to maintain access to target organizations of special interest – all located in Israel. These lightweight downloaders, which we named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, are notable for using one of several legitimate cloud service APIs for C&C communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API.

In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims. The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.

We discovered the earliest of the series, SC5k (v1) downloader, in November 2021, when it was used in OilRig’s Outer Space campaign, documented in our recent blogpost. In the current blogpost, we focus on all of the SC5k successors that OilRig developed throughout 2022, with a new variation introduced every few months; we will also take a closer look at the mechanisms employed by these downloaders. We also compare these downloaders to other OilRig backdoors that use email-based C&C protocols, and that were reported earlier this year by Trend Micro (MrPerfectionManager) and Symantec (PowerExchange).

Finally, this blogpost also expands on our LABScon 2023 presentation, where we drilled down into how OilRig keeps access to selected Israeli organizations: all of the downloaders studied in this blogpost were deployed in networks that were previously affected by multiple OilRig tools, which underlines the fact that OilRig is persistent in targeting the same organizations, and determined to keep its foothold in compromised networks.

Key points of this blogpost:

  • OilRig actively developed and used a series of downloaders with a similar logic throughout 2022: three new downloaders – ODAgent, OilCheck, OilBooster – and newer versions of the SC5k downloader.
  • The downloaders use various legitimate cloud service APIs for C&C communication and data exfiltration: Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API.
  • Targets, all in Israel, included an organization in the healthcare sector, a manufacturing company, a local governmental organization, and other organizations.
  • All targets were previously affected by multiple OilRig campaigns.

Attribution

OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications.

OilRig carried out the DNSpionage campaign in 2018 and 2019, which targeted victims in Lebanon and the United Arab Emirates. In 2019 and 2020, OilRig continued its attacks with the HardPass campaign, which used LinkedIn to target Middle Eastern victims in the energy and government sectors. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as mentioned in the T3 2021 issue of the ESET Threat Report. In 2022 and 2023, the group carried out several attacks against local government entities and healthcare organizations in Israel, using its new backdoors Solar and Mango. In 2023, OilRig targeted organizations in the Middle East with the PowerExchange and MrPerfectionManager backdoors, and related tools to harvest internal mailbox account credentials and then to leverage these accounts for exfiltration.

We attribute SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig with a high level of confidence, based on these indicators:

  • Targets:
    • These downloaders were deployed exclusively against Israeli organizations, which aligns with typical OilRig targeting.
    • The observed verticals of the victims also align with OilRig’s interests – for example, we have seen OilRig previously targeting the Israeli healthcare sector, as well as the local government sector in Israel.
  • Code similarities:
    • The SC5k v2 and v3 downloaders evolved naturally from the initial version, which was previously used in an OilRig Outer Space campaign. ODAgent, OilCheck and OilBooster share similar logic, and all use various cloud service providers for their C&C communications, as do SC5k, Marlin, PowerExchange, and MrPerfectionManager.
    • While not unique to OilRig, these downloaders have a low level of sophistication and are often unnecessarily noisy on the system, which is a practice we previously observed in its Out to Sea campaign.

Overview

In February 2022, we detected a new OilRig downloader, which we named ODAgent based on its filename: ODAgent.exe. ODAgent is a C#/.NET downloader that, similar to OilRig’s Marlin backdoor, uses the Microsoft OneDrive API for C&C communications. Unlike Marlin, which supports a comprehensive list of backdoor commands, ODAgent’s narrow capabilities are limited to downloading and executing payloads, and to exfiltrating staged files.

ODAgent was detected in the network of a manufacturing company in Israel – interestingly, the same organization was previously affected by OilRig’s SC5k downloader, and later by another new downloader, OilCheck, between April and June 2022. SC5k and OilCheck have similar capabilities to ODAgent, but use cloud-based email services for their C&C communications.

Throughout 2022, we observed the same pattern being repeated on multiple occasions, with new downloaders being deployed in the networks of previous OilRig targets: for example, between June and August 2022, we detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel. Later we detected yet another SC5k version (v3), in the network of an Israeli healthcare organization, also a previous OilRig victim.

SC5k is a C#/.NET application whose purpose is to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API. The new versions introduced changes to make retrieval and analysis of the malicious payloads harder for analysts (SC5k v2), and new exfiltration functionality (SC5k v3).

All the downloaders, summarized in Figure 1, share a similar logic but have different implementations and show growing complexity over time, alternating C#/.NET binaries with C/C++ applications, varying the cloud service providers misused for the C&C communication, and other specifics.

Figure 1 Timeline OilRig downloaders
Figure 1. Timeline of OilRig’s downloaders

OilRig has only used these downloaders against a limited number of targets, all located in Israel and, according to ESET telemetry, all of them were persistently targeted months earlier by other OilRig tools. As it is common for organizations to access Office 365 resources, OilRig’s cloud service-powered downloaders can thus blend more easily into the regular stream of network traffic – apparently also the reason why the attackers chose to deploy these downloaders to a small group of especially interesting, repeatedly victimized targets.

As of this writing, the following (exclusively Israeli, as noted above) organizations were affected:

  • a manufacturing company (SC5k v1, ODAgent, and OilCheck),
  • a local governmental organization (SC5k v1, OilBooster, and SC5k v2),
  • a healthcare organization (SC5k v3), and
  • other unidentified organizations in Israel (SC5k v1).

Unfortunately, we don’t have information about the initial attack vector used to compromise the targets discussed in this blogpost – we can’t confirm whether the attackers have been able to successfully compromise the same organizations repeatedly, or if they somehow managed to keep their foothold in the network in between deploying various tools.

Technical analysis

In this section, we provide a technical analysis of OilRig’s downloaders used throughout 2022, with the details of how they abuse various cloud storage services and cloud-based email providers for their C&C communications. All of these downloaders follow a similar logic:

  • They use a shared (email or cloud storage) account to exchange messages with the OilRig operators; the same account can be used against multiple victims.
  • They access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.

In our analysis, we focus on these characteristics of the downloaders:

  • Specifics of the network communication protocol (e.g., Microsoft Graph API vs. Microsoft Office EWS API).
  • The mechanism used to distinguish between different attacker-staged and downloader-uploaded messages in the shared account, including the mechanism to distinguish between messages uploaded from various victims.
  • Specifics of how the downloaders process commands and payloads are downloaded from the shared account.

Table 1 summarizes and compares how the individual downloaders implement these characteristics; we then analyze the first (SC5k) and the most complex (OilBooster) downloaders in detail as examples of tools abusing cloud-based email services and cloud storage services, respectively.

Table 1. A summary of main characteristics of OilRig’s downloaders abusing legitimate cloud service providers

Mechanism

SC5k v1

SC5k v2

SC5k v3

OilCheck

OilBooster

ODAgent

C&C protocol

A shared Microsoft Exchange email account, C&C communication embedded in draft messages.

A shared OneDrive account; files with various extensions to distinguish action types.

Network communica­tions

Microsoft Office EWS API

Microsoft Graph (Outlook) API

Microsoft Graph (OneDrive) API.

Victim identification mechanism

The sg extended property of the email draft is set to <victimID>.

An unknown extended email property is set to <victimID>.

From field has the username portion of the email address set to <victimID>.

The zigorat extended property of the email draft is set to <victimID>.

All communication for, and from, the specific victim is uploaded to a victim-specific subdirectory named <victimID>.

Keep-alive message

The type extended property of the email draft is set to 3; the current GMT time is in the email body.

An unknown extended property of the email draft is set to 0; the email body is empty.

The From field of the email draft is set to <victimID>@yahoo.com; the current GMT time is in the email body.

The type extended property of the email draft is set to 3; the current GMT time is in the email body.

A file named <victimID>/setting.ini.

A file named <victimID>/info.ini.

File for download

The type extended property of the email draft is set to 1; the attached file has any extension other than .json.

An unknown extended property of the email draft is set to 1; the attached file has any extension other than .bin.

The From field of the email draft is set to <victimID>@outlook.com, with the message category set to file.

The type extended property of the email draft is set to 1; the attached file has a .biz extension.

A file with a .docx extension in the <victimID>/items subdirectory.

A non-JSON file in the <victimID>/o subdirectory.

Exfiltrated file

The type extended property of the email draft is set to 2; the attached file has the .tmp1 extension.

An unknown extended property of the email draft is set to 2; the attached file has a .tmp extension.

The From field of the email draft is set to <victimID>@aol.com, with the file category.

The type extended property of the email draft is set to 2; the attached file has a .biz extension.

A file with a .xlsx extension in the <victimID>/items subdirectory.

A non-JSON file in the <victimID>/i subdirectory.

Command for execution

The type extended property of the email draft is set to 1; the attached file has a .json extension.

An unknown extended property of the email draft is set to 1; the attached file has a .bin extension.

The From field of the email draft is set to <victimID>@outlook.com, without the file category.

The type extended property of the email draft is set to 1; the attached file has any extension other than .biz.

A file with a .doc extension in the <victimID>/items subdirectory.

A JSON file in the <victimID>/o subdirectory.

Command output

The type extended property of the email draft is set to 2; the attached file has a .json extension.

An unknown extended property of the email draft is set to 2; the attached file has a .bin extension.

The From field of the email draft is set to <victimID>@aol.com, with the text category.

The type extended property of the email draft is set to 2.

A file with a .xls extension in the <victimID>/items subdirectory.

A JSON file in the <victimID>/i subdirectory.

SC5k downloader

The SampleCheck5000 (or SC5k) downloader is a C#/.NET application, and the first in a series of OilRig’s lightweight downloaders that use legitimate cloud services for their C&C communication. We briefly documented the first variant in our recent blogpost, and have since discovered two newer variants.

All SC5k variants use the Microsoft Office EWS API to interact with a shared Exchange mail account, as a way to download additional payloads and commands, and to upload data. Email drafts and their attachments are the primary vehicle for the C&C traffic in all the versions of this downloader, but the later versions increase the complexity of this C&C protocol (SC5k v3) and add detection evasion capabilities (SC5k v2). This section focuses on highlighting these differences.

Exchange account used for C&C communication

At runtime, SC5k connects to a remote Exchange server via the EWS API to obtain additional payloads and commands to execute from an email account shared with the attacker (and usually other victims). By default, a Microsoft Office 365 Outlook account is accessed via the https://outlook.office365.com/EWS/Exchange.asmx URL using hardcoded credentials, but some SC5k versions also have the capability to connect to other remote Exchange servers when a configuration file is present with a hardcoded name (setting.key, set.idl) and the corresponding credentials inside.

We have seen the following email addresses used by SC5k versions for C&C communication, the first of which gave the downloader its name:

  • samplecheck5000@outlook.com
  • FrancesLPierce@outlook.com
  • SandraRCharles@outlook.com

In SC5k v2, the default Microsoft Exchange URL, email address, and password are not included in the main module – instead, the downloader’s code has been split into multiple modules. We have detected only variations of the main application, which logs into a remote Exchange server, iterates through emails in the Drafts directory, and extracts additional payloads from their attachments. However, this application depends on two external classes that were not present in the detected samples and are probably implemented in the missing module(s):

  • The class init should provide an interface to obtain the email address, username, and password required to log into the remote Exchange account, and other configuration values from the other module.
  • The class structure should implement functions used for encryption, compression, executing downloaded payloads, and other helper functions.

These changes were likely introduced to make retrieval and analysis of the malicious payloads harder for analysts, as the two missing classes are crucial for identifying the Exchange account used for malware distribution.

C&C and exfiltration protocol

In all versions, the SC5k downloader repeatedly logs into a remote Exchange server using the ExchangeService .NET class in the Microsoft.Exchange.WebServices.Data namespace to interact with the EWS API. Once connected, SC5k reads email messages with attachments in the Drafts directory to extract attacker commands and additional payloads. Conversely, in each connection, SC5k exfiltrates files from a local staging directory by creating new email drafts in the same email account. The path to the staging directory varies across samples.

Of interest is the way both the operators and various instances of this downloader can distinguish between the different types of drafts in the shared email account. For one, each email draft has a <victimID> incorporated, which allows the same Exchange account to be used for multiple OilRig victims:

  • For v1 and v2, the downloader transmits the <victimID> as a custom attribute of the email draft via the SetExtendedProperty method.
  • For v3, the downloader incorporates the <victimID> into the From field of the email draft.

The <victimID> is typically generated using the compromised system’s information, such as the system volume ID or the computer name, as shown in Figure 2.

Figure 2 SC5k v3 calculates a victimID from the compromised computer’s name
Figure 2. SC5k v3 calculates a <victimID> from the compromised computer’s name

Furthermore, various email properties can be used to distinguish between messages created by the operators (commands, additional payloads) and messages created by the malware instances (command outputs, exfiltrated files). SC5k v1 and v2 use file extensions (of the draft attachments) to make that distinction, while SC5k v3 uses the From and MailItem.Categories fields of the email draft to distinguish between various actions. At each point, the email drafts in the shared email account can serve various purposes, as summarized in Table 2 and explained below. Note that the email addresses used in the From field are not genuine; because SC5k never sends out any actual email messages, these attributes are only used to distinguish between different malicious actions.

Table 2. Types of email messages used by SC5k v3 for C&C communications

From

MailItem.Categories

Created by

Details

<victimID>@yahoo.com

N/A

SC5k v3 instance

Created to register the victim with the C&C server, and renewed periodically to indicate that the malware is still active.

<victimID>@outlook.com

file

C&C server

Attached file is decrypted, decompressed, and dumped on the victim’s computer.

<victimID>@outlook.com

Other than file

C&C server

Attached command is decrypted, decompressed, then passed as an argument to a file already present on the compromised machine, presumably a command interpreter.

<victimID>@aol.com

file

SC5k v3 instance

Created to exfiltrate a file from a staging directory.

<victimID>@aol.com

text

SC5k v3 instance

Created to send command output to the C&C server.

More specifically, SC5k v3 processes (and then deletes) those email messages from the shared Exchange account that have the From field set to <victimID>@outlook.com, and distinguishes between commands and additional payloads by the message category (MailItem.Categories):

  • For payloads, the attached file is XOR decrypted using the hardcoded key &5z, then gzip decompressed and dumped in the working directory.
  • For shell commands, the draft attachment is base64 decoded, XOR decrypted, and then executed locally using cmd.exe or, in the case of SC5k v3, using a custom command interpreter located under the name <baseDirectory>\*Ext.dll. This file is then loaded via Assembly.LoadFrom, and its extend method invoked with the command passed as an argument.

To communicate with the attackers, SC5k v3 creates draft messages with a different From field: <victimID>@aol.com. Attached to these messages are outputs of previously received commands, or contents of the local staging directory. Files are always gzip compressed and XOR encrypted before being uploaded to the shared mailbox, while shell commands and command outputs are XOR encrypted and base64 encoded.

Finally, SC5k v3 repeatedly creates a new draft on the shared Exchange account with the From field set to <victimID>@yahoo.com, to indicate to the attackers that this downloader instance is still active. This keep-alive message, whose construction is shown in Figure 3, has no attachment and is renewed with each connection to the remote Exchange server.

Figure 3 Keep-alive functionality implemented by the SC5k v3 downloader
Figure 3. Keep-alive functionality implemented by the SC5k v3 downloader

Other OilRig tools using email-based C&C protocol

Besides SC5k, other notable OilRig tools have been discovered subsequently (in 2022 and 2023) that abuse APIs of legitimate cloud-based email services for exfiltration and both directions of their C&C communication.

OilCheck, a C#/.NET downloader discovered in April 2022, also uses draft messages created in a shared email account for both directions of the C&C communication. Unlike SC5k, OilCheck uses the REST-based Microsoft Graph API to access a shared Microsoft Office 365 Outlook email account, not the SOAP-based Microsoft Office EWS API. While SC5k uses the built-in ExchangeService .NET class to create the API requests transparently, OilCheck builds the API requests manually. The main characteristics of OilCheck are summarized in Table 1 above.

Earlier in 2023, two other OilRig backdoors were publicly documented: MrPerfectionManager (Trend Micro, February 2023) and PowerExchange (Symantec, October 2023), both using email-based C&C protocols to exfiltrate data. A notable difference between these tools and OilRig’s downloaders studied in this blogpost is that the former use the victimized organization’s Exchange server to transmit email messages from and to the attacker’s email account. In contrast: with SC5k and OilCheck, both the malware and the operator accessed the same Exchange account and communicated by creating email drafts, never sending an actual message.

In any case, the new findings confirm the trend of OilRig shifting away from the previously used HTTP/DNS-based protocols to using legitimate cloud service providers as a way to hide its malicious communication and to mask the group’s network infrastructure, while still experimenting with various flavors of such alternative protocols.

OilBooster downloader

OilBooster is a 64-bit portable executable (PE) written in Microsoft Visual C/C++ with statically linked OpenSSL and Boost libraries (hence the name). Like OilCheck, it uses the Microsoft Graph API to connect to a Microsoft Office 365 account. Unlike OilCheck, it uses this API to interact with a OneDrive (not Outlook) account controlled by the attackers for C&C communication and exfiltration. OilBooster can download files from the remote server, execute files and shell commands, and exfiltrate the results.

Overview

Upon execution, OilBooster hides its console window (via the ShowWindow API) and verifies that it was executed with a command line argument; otherwise it terminates immediately.

OilBooster then builds a <victimID> by combining the compromised computer’s hostname and username: <hostname>-<username>. This identifier is later used in the C&C communication: OilBooster creates a specific subdirectory on the shared OneDrive account for each victim, which is then used to store backdoor commands and additional payloads (uploaded by the operators), command results, and exfiltrated data (uploaded by the malware). This way, the same OneDrive account can be shared by multiple victims.

Figure 4 shows the structure of the shared OneDrive account and the local working directory, and summarizes the C&C protocol.

Figure 4 Overview of OilBooster’s C&C communication protocol using a shared OneDrive account
Figure 4. Overview of OilBooster’s C&C communication protocol using a shared OneDrive account

As shown in Figure 4, the OilRig operator uploads backdoor commands and additional payloads to the victim-specific directory on OneDrive, as files with the .doc and .docx extensions, respectively. On the other end of the C&C protocol, OilBooster uploads command results and exfiltrated data as files with the .xls and .xlsx extensions, respectively. Note that these are not genuine Microsoft Office files, but rather JSON files with XOR-encrypted and base64-encoded values.

Figure 5 shows OilBooster spawning instances of two threads in an indefinite loop, sleeping for 153,123 milliseconds after each iteration:

Figure 5 OilBooster’s main function
Figure 5. OilBooster’s main function

Both threads interact with the shared OneDrive account:

  1. A downloader thread handles C&C communication and executes downloaded payloads.
  2. An exfiltration thread exfiltrates data from the local staging directory.

The downloader thread connects to the attacker-controlled OneDrive account and iterates through all files with the .doc and .docx extensions, which are then downloaded, decrypted, and parsed in order to extract and execute additional payloads on the compromised host. A local subdirectory named items in the current working directory (where OilBooster is deployed) is used to store the downloaded files. As shown in Figure 6, each connection attempt is handled in a separate thread instance, launched once every 53,123 milliseconds.

The exfiltration thread iterates over another local subdirectory, named tempFiles, and exfiltrates its contents to the shared OneDrive account, which are uploaded there as individual files with the .xlsx extension. The staging directory is cleared this way once every 43,123 milliseconds in a separate thread instance, as also seen in Figure 6.

Figure 6 Each iteration of the downloader and exfiltration loops is spawned in a new thread
Figure 6. Each iteration of the downloader and exfiltration loops is spawned in a new thread

Network communication

For C&C communication and exfiltration, OilBooster uses the Microsoft Graph API to access the shared OneDrive account, using a variety of HTTP GET, POST, PUT, and DELETE requests to the graph.microsoft.com host over the standard 443 port. For brevity, we will also refer to these requests as OneDrive API requests. The encrypted communication is facilitated by the statically linked OpenSSL library, which handles the SSL communication.

To authenticate with the OneDrive account, OilBooster first obtains the OAuth2 access token from the Microsoft identity platform (the authorization server) by sending a POST request with the following body over port 443 to login.microsoftonline.com/common/oauth2/v2.0/token, using hardcoded credentials:

client_id=860b23a7-d484-481d-9fea-d3e6e129e249
&redirect_uri=https://login.live.com/oauth20_desktop.srf
&client_secret=<redacted>
&refresh_token=<redacted>
&grant_type=refresh_token

OilBooster obtains a new access token this way, which will be used in the Authorization header of the subsequent OneDrive API requests, along with a new refresh token. OilBooster also has a backup channel to request a new refresh token from its C&C server after 10 consecutive unsuccessful connections to the OneDrive server. As shown in Figure 7, the new token can be acquired by sending a simple HTTP GET request on port 80 to host1[.]com/rt.ovf (a legitimate, likely compromised website), which should be followed by the new refresh token in cleartext in the HTTP response.

Figure 7 OilBooster can request a new refresh token from its fallback C&C server
Figure 7. OilBooster can request a new refresh token from its fallback C&C server after 10 unsuccessful connection attempts to the abused OneDrive account

The various network connections made by OilBooster are summarized in Figure 8.

Figure 8 Overview of OilBooster’s network comms
Figure 8. Overview of OilBooster’s network communications

Downloader loop

In the downloader loop, OilBooster repeatedly connects to the shared OneDrive account to obtain a list of files with the .docx and .doc extensions in the victim-specific subdirectory named <victimID>/items/ by sending an HTTP GET request over port 443 to this URL:

graph.microsoft.com/v1.0/me/drive/root:/<victimID>/items:/children?$filter=endsWith(name,'.doc')%20or%20endsWith(name,'.docx')&$select=id,name,file

If the connection is not successful (the HTTP_STATUS_DENIED response status) after 10 attempts, OilBooster connects to its fallback C&C server, host1[.]com/rt.ovf, to acquire a new refresh token, as discussed earlier.

Alternatively, if the specified directory does not yet exist (HTTP_STATUS_NOT_FOUND), OilBooster first registers the victim on the shared OneDrive account by sending an HTTP POST request over port 443 to this URL: graph.microsoft.com/v1.0/me/drive/items/root:/<victimID>:/children with the JSON string {"name": "items","folder":{}} as the request body, as shown in Figure 9. This request creates the whole directory structure <victimID>/items at the same time, which will later be used by the attackers to store commands and additional payloads disguised as .doc and .docx files.

Figure 9 OilBooster creates a victim-specific directory on OneDrive
Figure 9. On first connection, OilBooster creates a victim-specific directory on the shared OneDrive account

On subsequent connections (with HTTP_STATUS_OK), OilBooster processes these files to extract and execute payloads. OilBooster first downloads each file from the OneDrive account and deletes it from OneDrive after processing the file.

Finally, after going through all the .doc and .docx files downloaded from the OneDrive subdirectory, OilBooster records the last connection timestamp (the current GMT time) by creating a new file named setting.ini in the victim’s OneDrive subdirectory, via an HTTP PUT request on port 443 made to this URL: graph.microsoft.com/v1.0/me/drive/root:/<victimID>/setting.ini:/content.

Processing .doc files

Files with the .doc extension downloaded from the shared OneDrive account are in fact JSON files with encrypted commands to be executed on the compromised host. Once a <filename>.doc is downloaded, OilBooster parses the values named s (part of the decryption key) and c (encrypted command) from the file content. It first base64 decodes, then XOR decrypts the c value, using a key that is created by appending the last two characters of the s value to the last two characters of <filename>.

After decryption, OilBooster executes the command line in a new thread using the CreateProcessW API, and reads the command result via an unnamed pipe connected to the process. OilBooster then uploads the command result to the shared OneDrive account as a new file named <filename>.xls by sending an HTTP PUT request over port 443 to graph.microsoft.com/v1.0/me/drive/root:/<victimID>/items/<filename>.xls:/content.

Processing .docx files

Files with the .docx extension downloaded from the shared OneDrive account are in fact compressed and encrypted files named <filename>.<original extension>.docx that will be dropped and unpacked on the compromised system. OilBooster first downloads the encrypted file to the local directory named <currentdir>\items, using the original full filename.

In the next step, it reads and decrypts the file content using an XOR cipher with .<original extension> as the decryption key, and drops it in the same directory into a file named <filename>.<original extension>.doc, while the first one is deleted. Finally, OilBooster reads and gzip decompresses the decrypted file, drops the result in the same directory as a file named <filename>.<original extension>, and deletes the other one.

Note the unnecessary creation of several files in the process – this is typical for OilRig. We previously described the group’s noisy operations on compromised hosts in its Out to Sea campaign.

Exfiltration loop

In the exfiltration thread, OilBooster loops over the contents of the local directory named <currentdir>\tempFiles, and uploads the file contents to the victim’s folder on the shared OneDrive account. Each file is processed in this way:

  • OilBooster gzip compresses the original file <filename>.<original extension> and writes the result to a file named <filename>.<original extension>.xlsx in the same directory.
  • It then encrypts the compressed file using an XOR cipher and .<original extension> as the key. If there is no file extension, 4cx is used as the default key.

Finally, the encrypted file is uploaded to the OneDrive account, and the local file is deleted.

ODAgent downloader: OilBooster’s precursor

ODAgent is a C#/.NET application that uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C&C communication and exfiltration – in short, ODAgent is loosely a C#/.NET precursor of OilBooster. Similar to OilBooster, ODAgent repeatedly connects to the shared OneDrive account and lists the contents of the victim-specific folder to obtain additional payloads and backdoor commands.

As shown in Figure 10, ODAgent then parses the metadata for each remote file. Subsequently, it uses the value of the mimeType key associated with the file to distinguish between backdoor commands (formatted as JSON files) and encrypted payloads – this is unlike OilBooster, which uses file extensions for that distinction. After processing a file locally, ODAgent deletes the original from the remote OneDrive directory via the OneDrive API.

Figure 10 ODAgent’s code responsible for parsing JSON files
Figure 10. ODAgent’s code responsible for parsing JSON files obtained from the shared OneDrive account

If the downloaded file is a JSON file, ODAgent parses the a1 (command ID), a2 (encrypted backdoor command) and a3 (secret) arguments. It first derives the session key by XORing the provided secret with the hardcoded value 15a49w@]. Then, it base64 decodes and XOR decrypts the backdoor command using this session key. Table 3 lists all backdoor commands supported by ODAgent.

Table 3. Backdoor commands supported by ODAgent

Backdoor command

Description

odt>

Returns the path to the current working directory.

dly><delaytime>

Configures the number of seconds to wait after each connection to <delaytime>.

<commandline>

Executes the specified <commandline> via the native API and returns the command output.

Other (non-JSON) files downloaded from the shared OneDrive account are files and additional payloads, both encrypted. ODAgent XOR decrypts these files with the hardcoded key 15a49w@], and drops them in the local <currentdir>\o directory under the same filename. If the original file has a .c extension, its content is also gzip decompressed (and the extension is then dropped from the filename).

At the end of each connection, ODAgent uploads the contents of the local directory <currentdir>\i to the <victimID>/i directory on the shared OneDrive account, preserving the original filenames with the added .c extension.

Figure 11 ODAgent’s exfiltration loop
Figure 11. ODAgent’s exfiltration loop

Conclusion

Throughout 2022, OilRig developed a series of new downloaders, all using a variety of legitimate cloud storage and cloud-based email services as their C&C and exfiltration channels. These downloaders were deployed exclusively against targets in Israel – often against the same targets within a few months. As all of these targets were previously affected by other OilRig tools, we conclude that OilRig uses this class of lightweight but effective downloaders as its tool of choice to maintain access to networks of interest.

These downloaders share similarities with MrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C&C protocols – except that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts, rather than the victim’s internal infrastructure. All these activities confirm an ongoing switch to legitimate cloud service providers for C&C communication, as a way to hide the malicious communication and mask the group’s network infrastructure.

On par with the rest of OilRig’s toolset, these downloaders are not particularly sophisticated, and are, again, unnecessarily noisy on the system. However, the continuous development and testing of new variants, the experimenting with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, makes OilRig a group to watch out for.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1

Filename

Detection

Description

0F164894DC7D8256B66D0EBAA7AFEDCF5462F881

CCLibrary.exe

MSIL/OilRig.A

OilRig downloader - SC5k v1.

2236D4DCF68C65A822FF0A2AD48D4DF99761AD07

acrotray.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

35E0E78EC35B68D3EE1805EECEEA352C5FE62EB6

mscom.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

51B6EC5DE852025F63740826B8EDF1C8D22F9261

CCLibrary.exe

MSIL/OilRig.A

OilRig downloader - SC5k v1.

6001A008A3D3A0C672E80960387F4B10C0A7BD9B

acrotray.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

7AD4DCDA1C65ACCC9EF1E168162DE7559D2FDF60

AdobeCE.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

BA439D2FC3298675F197C8B17B79F34485271498

AGSService.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

BE9B6ACA8A175DF61F2C75932E029F19789FD7E3

CCXProcess.exe

MSIL/OilRig.A

OilRig downloader - SC5k v1.

C04F874430C261AABD413F27953D30303C382953

AdobeCE.exe

MSIL/OilRig.A

OilRig downloader - SC5k v1.

C225E0B256EDB9A2EA919BACC62F29319DE6CB11

mscom.exe

MSIL/OilRig.A

OilRig downloader - SC5k v1.

E78830384FF14A58DF36303602BC9A2C0334A2A4

armsvc.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

EA8C3E9F418DCF92412EB01FCDCDC81FDD591BF1

node.exe

MSIL/OilRig.D

OilRig downloader - SC5k v1.

1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E

consoleapp.exe

Win64/OilBooster.A

OilRig downloader - OilBooster.

3BF19AE7FB24FCE2509623E7E0D03B5A872456D4

owa.service.exe

MSIL/OilRig.D

OilRig downloader - SC5k v2.

AEF3140CD0EE6F49BFCC41F086B7051908B91BDD

owa.service.exe

MSIL/OilRig.D

OilRig downloader - SC5k v2.

A56622A6EF926568D0BDD56FEDBFF14BD218AD37

owa.service.exe

MSIL/OilRig.D

OilRig downloader - SC5k v2.

AAE958960657C52B848A7377B170886A34F4AE99

LinkSync.exe

MSIL/OilRig.F

OilRig downloader - SC5k v3.

8D84D32DF5768B0D4D2AB8B1327C43F17F182001

AppLoader.exe

MSIL/OilRig.M

OilRig downloader - OilCheck.

DDF0B7B509B240AAB6D4AB096284A21D9A3CB910

CheckUpdate.exe

MSIL/OilRig.M

OilRig downloader - OilCheck.

7E498B3366F54E936CB0AF767BFC3D1F92D80687

ODAgent.exe

MSIL/OilRig.B

OilRig downloader - ODAgent.

A97F4B4519947785F66285B546E13E52661A6E6F

N/A

MSIL/OilRig.N

Help utility used by OilRig's OilCheck downloader - CmEx.

Network

IP

Domain

Hosting provider

First seen

Details

188.114.96[.]2

host1[.]com

Cloudflare, Inc.

2017-11-30

A legitimate, likely compromised website misused by OilRig as a fallback C&C server.

MITRE ATT&CK techniques

This table was built using version 14 of the MITRE ATT&CK framework.

Tactic

ID

Name

Description

Resource Development

T1583.001

Acquire Infrastructure: Domains

OilRig has registered a domain for use in C&C communications.

T1583.004

Acquire Infrastructure: Server

OilRig has acquired a server to be used as a backup channel for the OilBooster downloader.

T1583.006

Acquire Infrastructure: Web Services

OilRig has set up Microsoft Office 365 OneDrive and Outlook accounts, and possibly other Exchange accounts for use in C&C communications.

T1587.001

Develop Capabilities: Malware

OilRig has developed a variety of custom downloaders for use in its operations: SC5k versions, OilCheck, ODAgent, and OilBooster.

T1585.003

Establish Accounts: Cloud Accounts

OilRig operators have created new OneDrive accounts for use in their C&C communications.

T1585.002

Establish Accounts: Email Accounts

OilRig operators have registered new Outlook, and possibly other, email addresses for use in their C&C communications.

T1608

Stage Capabilities

OilRig operators have staged malicious components and backdoor commands in legitimate Microsoft Office 365 OneDrive and Outlook, and other Microsoft Exchange accounts.

Execution

T1059.003

Command and Scripting Interpreter: Windows Command Shell

SC5k v1 and v2 use cmd.exe to execute commands on the compromised host.

T1106

Native API

OilBooster uses the CreateProcessW API functions for execution.

Defense Evasion

T1140

Deobfuscate/Decode Files or Information

OilRig’s downloaders use string stacking to obfuscate embedded strings, and the XOR cipher to encrypt backdoor commands and payloads.

T1480

Execution Guardrails

OilRig’s OilBooster requires an arbitrary command line argument to execute the malicious payload.

T1564.003

Hide Artifacts: Hidden Window

Upon execution, OilBooster hides its console window.

T1070.004

Indicator Removal: File Deletion

OilRig’s downloaders delete local files after a successful exfiltration, and delete files or email drafts from the remote cloud service account after these have been processed on the compromised system.

T1202

Indirect Command Execution

SC5k v3 and OilCheck use custom command interpreters to execute files and commands on the compromised system.

T1036.005

Masquerading: Match Legitimate Name or Location

OilBooster mimics legitimate paths.

T1027

Obfuscated Files or Information

OilRig has used various methods to obfuscate strings and payloads embedded in its downloaders.

Discovery

T1082

System Information Discovery

OilRig’s downloaders obtain the compromised computer name.

T1033

System Owner/User Discovery

OilRig’s downloaders obtain the victim’s username.

Collection

T1560.003

Archive Collected Data: Archive via Custom Method

OilRig’s downloaders gzip compress data before exfiltration.

T1074.001

Data Staged: Local Data Staging

OilRig’s downloaders create central staging directories for use by other OilRig tools and commands.

Command and Control

T1132.001

Data Encoding: Standard Encoding

OilRig’s downloaders base64 decode data before sending it to the C&C server.

T1573.001

Encrypted Channel: Symmetric Cryptography

OilRig’s downloaders use the XOR cipher to encrypt data in C&C communication.

T1008

Fallback Channels

OilBooster can use a secondary channel to obtain a new refresh token to access the shared OneDrive account.

T1105

Ingress Tool Transfer

OilRig’s downloaders have the capability to download additional files from the C&C server for local execution.

T1102.002

Web Service: Bidirectional Communication

OilRig’s downloaders use legitimate cloud service providers for C&C communication.

Exfiltration

T1020

Automated Exfiltration

OilRig’s downloaders automatically exfiltrate staged files to the C&C server.

T1041

Exfiltration Over C2 Channel

OilRig’s downloaders use their C&C channels for exfiltration.

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

OilBooster and ODAgent exfiltrate data to shared OneDrive accounts.

T1567

Exfiltration Over Web Service

SC5k and OilCheck exfiltrate data to shared Exchange and Outlook accounts.