Severity
High
Analysis Summary
OilRig, an Iranian-linked cyber espionage group active since 2015, is known for its sophisticated spear-phishing campaigns and advanced infiltration techniques. The group conducts numerous cyber attacks focused primarily on intelligence gathering, surveillance, and high-profile operations.
Recently, cybersecurity researchers identified that OilRig has been actively targeting Middle Eastern entities and organizations related to Iranian interests. The group continually evolves its tools to evade detection and has expanded its operations to include disruptive attacks such as ransomware and data wiping, posing a significant threat across various sectors.
OilRig targets over 20 countries and attacks a diverse range of sectors, including aerospace and defense, BFSI (banking, financial services, and insurance), chemicals, education, energy and utilities, government and law enforcement agencies, hospitality, IT and ITES (information technology and IT-enabled services), technology, and telecommunications. They employ customizable attack vectors, often starting with spear-phishing or exploitation of public-facing applications, to deliver malware for data exfiltration. The group is suspected to have links with another cyber espionage group, Greenbug, and is known for exploiting unpatched SharePoint servers.
One of OilRig's notable tactics involves LinkedIn-based phishing, where they masquerade as Cambridge University members to exploit vulnerabilities such as CVE-2019-0604 and CVE-2017-11882. For persistence, they use malicious loaders, VBScript, or scheduled tasks, and their arsenal includes various Remote Access Trojans (RATs) such as Alma Communicator and BONDUPDATER. The group also employs living-off-the-land tactics and attacks public-facing applications while reusing IPs and domains from previous attacks, which demonstrates their adaptability and extensive reach in the cyber espionage landscape.
OilRig's toolkit is extensive and includes tools such as Clayslide, DistTrack, DNSExfiltrator, DNSpionage, Dustman, Fox Panel, Helminth, ISMAgent, ISMDoor, ISMInjector, Karkoff, Mimikatz, LaZagne, LIONTAIL, LONGWATCH, SideTwist, Neuron, Nautilus, PICKPOCKET, Plink, PsList, RDAT, Saitama, and SpyNote RAT.
They specialize in covert command-and-control (C&C) communication using methods such as targeted Exchange servers, HTTPSnoop implants, HTTP and DNS queries, and protocol tunneling for stealthy network communications. Their continuous development and deployment of advanced tools and techniques underscore their status as a formidable and persistent threat in cyber espionage.
Impact
- Data Exfiltration
- Cyber Espionage
- Data Loss
- Sensitive Data Theft
Remediation
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Change all passwords on compromised accounts and systems. Implement strong, unique passwords and consider implementing multi-factor authentication (MFA) to enhance security.
- Continuously monitor network traffic and system logs for suspicious activity, using intrusion detection and prevention systems.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications up to date with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Deploy security information and event management (SIEM) solutions to centralize log analysis.
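The advisory notes that OilRig relies on DNS queries and protocol tunneling for covert C&C (tools such as DNSExfiltrator and DNSpionage), and the remediation list asks defenders to monitor network and system logs. The script below is an added example, not code from the advisory or from any vendor product, showing one way to hunt for DNS-tunnelling behaviour in resolver query logs: it groups queries by registered domain and flags domains that receive many unique, long, high-entropy subdomain labels. The log line format, the "last two labels are the registered domain" rule, the thresholds and the sample log are all assumptions constructed for illustration; a production version would use a public suffix list and thresholds tuned against your own baseline.

```python
"""Heuristic DNS-tunnelling / DNS-C2 detection over resolver query logs.

Added example, not part of the original advisory. The log format, the
"last two labels = registered domain" rule and the thresholds are all
assumptions chosen for illustration; tune them against your own baseline.
"""
import math
import re
from collections import defaultdict

# Assumed resolver log format: "<timestamp> <client_ip> <qtype> <qname>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")

# Constructed sample log: ordinary workstation lookups, a CDN-style host with
# two long labels, and a client issuing TXT queries for long random-looking
# labels under a single domain (the tunnelling pattern we want to surface).
SAMPLE_LOG = """\
2024-06-28T10:00:01Z 10.0.0.12 A www.example.com
2024-06-28T10:00:02Z 10.0.0.12 A mail.example.com
2024-06-28T10:00:03Z 10.0.0.12 A vpn.example.com
2024-06-28T10:00:04Z 10.0.0.12 A intranet.example.com
2024-06-28T10:00:05Z 10.0.0.12 A sso.example.com
2024-06-28T10:00:06Z 10.0.0.12 A a1b2c3d4e5f6g7h8i9j0.cdn-host.test
2024-06-28T10:00:07Z 10.0.0.12 A k1l2m3n4o5p6q7r8s9t0.cdn-host.test
2024-06-28T10:00:08Z 10.0.0.12 TXT q7x2mv9ka4zp1lw8jn3b.update-cdn.test
2024-06-28T10:00:09Z 10.0.0.12 TXT h5t0rg6yc2ue8dx1fs9v.update-cdn.test
2024-06-28T10:00:10Z 10.0.0.12 TXT z3kp7am1wq9xn4bv6lj0.update-cdn.test
2024-06-28T10:00:11Z 10.0.0.12 TXT c8fy2hr5tg1ue0ds7xi4.update-cdn.test
2024-06-28T10:00:12Z 10.0.0.12 TXT m6nq3zb9kw2pa7lv1xj5.update-cdn.test
this line is malformed and must be skipped
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain). Assumption: registered domain is
    the last two labels; a real deployment would consult a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Parse log lines matching the assumed format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def score_domains(records, min_unique=4, min_len=16, min_entropy=3.0):
    """Aggregate per registered domain and flag tunnelling-like behaviour.
    All three thresholds must be exceeded: many unique labels (not just one
    long CDN hash), long labels (data carried in the query) and high entropy."""
    per_domain = defaultdict(lambda: {"subs": set(), "qtypes": defaultdict(int)})
    for r in records:
        base, sub = split_qname(r["qname"])
        if sub:
            per_domain[base]["subs"].add(sub)
        per_domain[base]["qtypes"][r["qtype"]] += 1

    findings = {}
    for base, d in per_domain.items():
        subs = d["subs"]
        if not subs:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        total = sum(d["qtypes"].values())
        findings[base] = {
            "unique_subdomains": len(subs),
            "mean_label_len": mean_len,
            "mean_entropy": mean_ent,
            # TXT-heavy traffic is a secondary signal; it is reported, not required.
            "txt_share": d["qtypes"]["TXT"] / total,
            "suspicious": len(subs) >= min_unique
            and mean_len >= min_len
            and mean_ent >= min_entropy,
        }
    return findings


def suspicious_domains(text: str):
    """Convenience wrapper: registered domains flagged in a log text."""
    return sorted(b for b, f in score_domains(parse_log(text)).items() if f["suspicious"])


if __name__ == "__main__":
    for base, f in score_domains(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{base:20} uniq={f['unique_subdomains']:3} len={f['mean_label_len']:5.1f} "
              f"H={f['mean_entropy']:4.2f} txt={f['txt_share']:.2f} {flag}")
```

Run against the constructed sample, only `update-cdn.test` is flagged: `example.com` has five unique labels but they are short, and `cdn-host.test` has long labels but only two of them, so requiring all three signals together keeps ordinary hostnames and CDN hashes out of the alert queue. Feed the same functions your real resolver or SIEM export (after adjusting `LINE_RE`) and review flagged domains alongside the client that issued them.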