Focus Mode
Threat Research

Dark Web Profile: OilRig (APT34)

SocRadar
Dark Web Profile: OilRig (APT34)
OilRig, also known as APT34, is a state-sponsored APT group linked to Iranian intelligence, primarily targeting sectors like government, energy, finance, and telecommunications. Their sophisticated cyber-espionage tactics include spear-phishing and custom malware, making them a persistent threat across the Middle East and beyond. Affected: government, energy, financial, telecommunications sectors

Keypoints :

  • OilRig is a state-sponsored APT group associated with Iranian intelligence.
  • The group has been active since at least 2016, primarily targeting the Middle East.
  • OilRig employs advanced spear-phishing techniques and custom malware for cyber-espionage.
  • Their operations extend beyond the Middle East to Europe, North America, and Asia.
  • Key targets include government agencies, energy companies, telecommunications providers, and financial institutions.
  • OilRig uses a structured cyber kill chain model for its operations.
  • They leverage various MITRE techniques to achieve their objectives.
  • Defensive measures against OilRig include strengthening email security, regular system updates, and monitoring network activity.
  • SOCRadar offers threat intelligence and security solutions to counter threats from OilRig.

MITRE Techniques :

  • T1087.001 Account Discovery: Local Account – Used commands to get account listings on a victim.
  • T1087.002 Account Discovery: Domain Account – Used commands to get account listings on a victim.
  • T1071.001 Application Layer Protocol: Web Protocols – Used HTTP for Command and Control (C2).
  • T1071.004 Application Layer Protocol: DNS – Used DNS for C2, including tunneling services.
  • T1119 Automated Collection – Employed automated collection methods.
  • T1110 Brute Force – Utilized brute force techniques to obtain credentials.
  • T1059 Command and Scripting Interpreter – Used various scripting for execution.
  • T1059.001 PowerShell – Executed PowerShell scripts for various tasks.
  • T1059.003 Windows Command Shell – Delivered malware using batch scripts.
  • T1555 Credentials from Password Stores – Used tools like LaZagne for credential dumping.
  • T1048.003 Exfiltration Over Alternative Protocol – Exfiltrated data over FTP.
  • T1003.001 OS Credential Dumping: LSASS Memory – Used Mimikatz for credential theft.
  • T1566.001 Phishing: Spearphishing Attachment – Sent spearphishing emails with malicious attachments.
  • T1566.002 Phishing: Spearphishing Link – Sent spearphishing emails with malicious links.

Indicator of Compromise :

  • [file name] LaZagne
  • [file name] Mimikatz
  • [tool name] PowerShell
  • [tool name] ISMAgent
  • Check the article for all found IoCs.

Full Research: https://socradar.io/dark-web-profile-oilrig-apt34/

Tags: CREDENTIAL, PAYLOAD, HUNTING, SOCIAL ENGINEERING, EMAIL, EDR, MONITOR, SPOOFING