Based on open-source intelligence, the ATT&CK® Evaluations team created the below scenario leveraging techniques seen from OilRig in the wild. We have adapted the scenario based on tools and resources available at the time.
Objectives: OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government.[1][2] OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe.[3] OilRig commonly leverages spearphishing and social engineering tactics in their operations, as well as PowerShell backdoors.[4][5][6] The group continues to evolve its tradecraft to evade detection, and utilizes a combination of proprietary malware, customized versions of publicly available tools, and off-the-shelf, multi-purpose software.
Associated Groups: COBALT GYPSY, IRN2, APT34, Helix Kitten
This scenario follows OilRig’s multi-phase approach to exfiltrating sensitive data from a targeted server. OilRig leverages spearphishing to gain initial access onto an administrator’s workstation and deploys their SideTwist malware. Once persistence is established on the victim network, the attackers will escalate privileges and move laterally onto an EWS server. Further enumeration of the EWS server will lead to OilRig’s identification of a SQL server storing confidential critical infrastructure data. Characteristics of this campaign include custom webshells, Windows and Microsoft 365 exploitation, and a key attacker objective of obtaining control of the SQL server to steal victim files.
The Resources Folder contains the emulated software source code.
The Binaries.zip contains all executables in one zip file for easy download. The password is `malware`.
All other pre-built executables have been removed. To rebuild the binaries, follow the documentation for the respective binary. A build script has been provided for building all binaries on a Kali Linux host.
This scenario also utilizes Mimikatz, Plink and PsExec as payloads.
YARA rules are provided to assist the community in researching, preventing, and detecting malware specimens used in this emulation plan.
- SideTwist - SideTwist is a C-based backdoor that has been used by OilRig since at least 2021 and is purposed for downloading, uploading, command execution, and persistence.
- TwoFace - TwoFace is a webshell written in C# used by OilRig for lateral movement since at least 2017.
- VALUEVAULT - VALUEVAULT is a Golang version of the Windows Vault Password Dumper credential theft tool developed by Massimiliano Montoro and has been used by OilRig since at least 2019.
- RDAT - RDAT is a backdoor used by OilRig for data collection and exfiltration since at least 2017.
- Emulation Scenario - Step by step walkthrough of scenario's procedures.
- Operation Flow - High-level summary of the scenario & infrastructure with diagrams.
- Intelligence Summary - General overview of the Adversary with links to reporting used throughout the scenario.
We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.
Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/
This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
© 2022 MITRE Engenuity. Approved for Public Release. Document number AT0037.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®