{
	"id": "29352511-355d-41f2-a31c-a331a13c5371",
	"created_at": "2026-04-06T00:07:04.323538Z",
	"updated_at": "2026-04-10T03:37:36.799328Z",
	"deleted_at": null,
	"sha1_hash": "0ae21bb347ac6139bcb3b1065b26da8ffc828af0",
	"title": "OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1154199,
	"plain_text": "OilRig Group Steps Up Attacks with New Delivery Documents and\r\nNew Injector Trojan\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2017-10-09 · Archived: 2026-04-05 13:43:42 UTC\r\nUnit 42’s ongoing research into the OilRig campaign shows that the threat actors involved in the original attack\r\ncampaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East.\r\nWhen we first discovered the OilRig attack campaign in May 2016, we believed at the time it was a unique attack\r\ncampaign likely operated by a known, existing threat group. As we have progressed in our research and uncovered\r\nadditional attack phases, tooling, and infrastructure as discussed in our recent posting “Striking Oil: A Closer\r\nLook at Adversary Infrastructure”, it has become apparent that the threat group responsible for the OilRig attack\r\ncampaign is likely to be a unique, previously unknown adversary. Additionally, others have been referring to the\r\ngroup responsible for the OilRig campaign itself as the OilRig group as well. To that end, we are elevating the\r\nOilRig attack campaign to be known as the OilRig group.\r\nIn July 2017, we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted\r\nattacks. The OilRig group developed ISMAgent as a variant of the ISMDoor Trojan. In August 2017, we found\r\nthis threat group has developed yet another Trojan that  they call ‘Agent Injector’ with the specific purpose of\r\ninstalling the ISMAgent backdoor. We are tracking this tool as ISMInjector. It has a sophisticated architecture and\r\ncontains anti-analysis techniques that we have not seen in previous tools developed by this threat group. 
The\r\ncomplex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their\r\ndevelopment efforts in order to evade detection and gain higher efficacy in their attacks.\r\nThe Attack\r\nOn August 23, 2017, we observed OilRig targeting an organization within the United Arab Emirates government.\r\nThe attack involved a spear-phishing email that had a subject of “Importan Issue” and two Zip archives attached,\r\nas seen in Figure 1. Note that “Important” is misspelled in the sample as shown below.\r\nhttps://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/\r\nPage 1 of 12\n\nFigure 1 Delivery email that contains two Zip archives that contain the malicious delivery documents\r\nThe message body in the attack email contains an image that is hosted on a remote server. As shown in Figure 2,\r\nhovering over the image shows that the URL link is to an image hosted at “www.cdnakamaiplanet[.]com” which\r\nwe have reason to believe is an adversary owned domain. It is likely that the image was embedded to track if the\r\nrecipient opened the email or not.\r\nFigure 2 URL associated with image included in delivery email\r\nAnother interesting facet of this attack is that the email addresses in the “To” and “From” fields are from\r\naddresses from the same domain. Our initial assumption was that the email address in the “From” field was likely\r\nspoofed. 
Additional analysis of the email headers revealed that it did not contain a list of external email servers\r\nused to deliver the message as expected from a spoofed email; instead, we discovered the following string within\r\nthe email headers:\r\nClient=OWA;Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04;\r\nThis string in the header suggests that the OilRig actor is likely to have used the targeted organization’s Outlook\r\nWeb Access (OWA) to send the phishing email using Firefox 36.\r\nUsing information from our research in the Striking Oil blog, we know the OilRig group has conducted credential\r\nharvesting campaigns specifically by emulating OWA login sites. Based on that research and this observation, we\r\npostulate that the OilRig group gathered credentials to a legitimate user’s OWA account and logged into the user’s\r\naccount to send phishing attacks to other individuals within the same, targeted organization. Also, Firefox 36 was\r\nreleased in February 2015; since this email was sent in August 2017, we believe it suggests the actors are using an\r\noutdated version of Firefox to log into the target organization’s OWA.\r\nThe Delivery\r\nThe August 23, 2017 phishing email contained two Zip archives, “Issue-doc.zip” and “Issue-doc1.zip”. Each Zip attachment contains one file, with “Issue.doc” within “Issue-doc.zip” and “Issue.dot” within\r\n“Issue-doc1.zip”. The “Issue.doc” and “Issue.dot” files are both malicious documents that will attempt to run in\r\nMicrosoft Word.\r\nIssue.doc is a Word document that contains a malicious macro that the actors attempt to trick the victim into\r\nexecuting by instructing the user to click the Enable Content button as shown in Figure 3. 
We track this malicious\r\ndelivery document as ThreeDollars.\r\nFigure 3 Malicious “ThreeDollars” Microsoft Word Document\r\nOnce enabled, the macro reads in the initial document, searches the data for a delimiter of \"###$$$\" to find the\r\nbase64-encoded payload, then writes the encoded payload to the file %APPDATA%\\Base.txt. The following shows\r\na hexdump of the delimiter followed by the encoded payload:\r\n00088200  23 23 23 24 24 24 54 56  71 51 41 41 4d 41 41 41  |###$$$TVqQAAMAAA|\r\n00088210  41 45 41 41 41 41 2f 2f  38 41 41 4c 67 41 41 41  |AEAAAA//8AALgAAA|\r\n00088220  41 41 41 41 41 41 51 41  41 41 41 41 41 41 41 41  |AAAAAAQAAAAAAAAA|\r\n00088230  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|\r\n..snip..\r\nThe macro runs a PowerShell command that will decode the contents of the %APPDATA%\\Base.txt file and save\r\nit to the file %PUBLIC%\\Libraries\\servicereset.exe, which it will then execute. The “servicereset.exe” file is a\r\nnew tool in OilRig’s arsenal that we call ISMInjector, which we will discuss in detail in the next section.\r\nIssue.dot is a file that attempts to exploit CVE-2017-0199, the Microsoft Word Office/WordPad Remote Code\r\nExecution Vulnerability, using the following code:\r\nAs displayed by the code example above, the Index.dot file attempts to load a malicious exploit document hosted at\r\n“msoffice-cdn[.]com”, which is the same URL that hosted the exploit document used in an attack that ClearSky\r\npublished on August 28, 2017. By correlating artifacts found in Index.dot, we discovered another sample\r\nattempting to exploit CVE-2017-0199 used in a separate attack, this time using “office365-management[.]com” as\r\nthe C2 domain.\r\nThe resulting payload from this related delivery document is an ISMAgent Trojan that is configured to use\r\n“msoffice365update[.]com” as its C2 server. 
Please reference our previous blog on ISMAgent for more\r\ninformation on this Trojan.\r\nISMInjector\r\nUltimately, the payload delivered by ThreeDollars is a new tool that we track as ISMInjector. As its name\r\nsuggests, ISMInjector is a Trojan that is responsible for injecting a Trojan into another process. The payload\r\nembedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we\r\ndiscussed in detail in our blog on a targeted attack against a Saudi Arabian technology company.\r\nAt face value, ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. The first execution of ISMInjector starts by copying itself to %localappdata%\\srvBS.txt and enables\r\npersistent access to the system. The code achieves persistence by referencing two resources that contain\r\ncommands the code will execute by running them within a command prompt process, as seen in the following\r\nscreenshot:\r\nThe two resources that contain commands that ISMInjector uses for persistence are named “Tsk1” and “Tsk2”.\r\nThe specific commands within each of these resources are listed in Table 1. At a high level, the “Tsk1” command\r\ncreates a scheduled task named “ReportHealth” that is meant to run a payload saved to\r\n“%localappdata%\\srvHealth.exe” every 4 minutes. The “Tsk2” command creates a scheduled task that runs every\r\n2 minutes that is responsible for saving the payload to srvHealth.exe. 
This task saves the payload to this location\r\nusing the “certutil” command to decode the original payload saved to “srvBS.txt”.\r\nResource Name | Resource Value\r\nTsk1 | SchTasks /Create /SC MINUTE /MO 4 /TN \\\"ReportHealth\\\" /TR \\\"%localappdata%\\\\srvHealth.exe\\\" /f\r\nTsk2 | SchTasks /Create /SC MINUTE /MO 2 /TN \\\"LocalReportHealth\\\" /TR \\\"cmd.exe /c certutil -decode %localappdata%\\\\srvBS.txt %localappdata%\\\\srvHealth.exe \u0026\u0026 schtasks /DELETE /tn LocalReportHealth /f \u0026\u0026 del %localappdata%\\\\srvBS.txt\\\"\"\r\nTable 1 Resources in ISMInjector containing commands for persistence\r\nSubsequent executions of the ISMInjector sample from srvHealth.exe will execute its functional code.\r\nISMInjector’s functional code is split into two different embedded modules named Inner.dll and Joiner.dll that\r\nwork in conjunction to inject an embedded ISMAgent payload into another process. The two modules, which we\r\nwill refer to as Joiner and Inner, have the following debug paths, which suggest the author of these modules refers\r\nto this Trojan as “Agent Injector”:\r\nC:\\Users\\J-Win-10\\Desktop\\Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb\r\nC:\\Users\\J-Win-10\\Desktop\\Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb\r\nThe main function within the ISMInjector assembly uses the Joiner module to construct the final payload and the\r\nInner module to inject the final payload into a process. Figure 4 shows the ISMInjector’s main function that uses\r\nthe two modules to carry out its injection process before exiting.\r\nFigure 4 ISMInjector's main function uses methods within the Joiner and Inner modules\r\nThe Joiner module contains four resources named P11, P12, P21 and P22, which are all 35840 bytes of binary\r\ndata. 
It reads the P11 and P12 resources and saves them to a variable, effectively concatenating them together. The\r\nmodule uses the same logic to concatenate the P21 and P22 resources together, and finally concatenates the\r\nP11+P12 variable with the P21+P22 variable, which results in the construction of a binary executable.\r\nThe ISMInjector code then calls the \"LoadDll\" method within the Inner module, providing the string \"Run\", the\r\npayload constructed by the Joiner module, and a path to the \"RegAsm.exe\" executable as arguments, as seen in\r\nFigure 4.\r\nThe LoadDll method constructs an embedded assembly, using the same method as the Joiner module used to\r\nconstruct the final payload. However, the Inner module creates another module that is used to actually perform the\r\ncode injection. To create this embedded module, the Inner module references two resources named D1 and D2 and\r\nconcatenates them together. The resulting .NET assembly has a class called \"ClsV2\" that has a method named\r\n\"Run\", which is called in the LoadDll function call shown in Figure 4. The \"Run\" method within the “ClsV2”\r\nclass is invoked to execute the payload.\r\nThe \"Run\" method calls functions that each contain a state machine dictating the actions taken. At a high level, these\r\nstate machines attempt to create a process and inject the constructed payload into the newly created process. The\r\nuse of state machines complicates analysis efforts because it makes the flow of execution jump around in a non-sequential fashion.\r\nTable 2 contains the path through the state machines that ISMInjector uses to create a remote process, inject its\r\nembedded payload, then run the payload. Each row of the table contains the current state, a description of the\r\nactivities performed within that state, as well as the next state that will be set and run. 
The state values jump\r\naround dramatically, which requires an analyst to also jump around the code to determine its functionality. This is\r\nan interesting anti-analysis technique we have not seen the OilRig actors use in their other tools.\r\nState | Description | Next State\r\n19 | Initializes array | 10\r\n10 | Initializes array | 6\r\n6 | Initializes array | 3\r\n3 | Initializes array | 14\r\n14 | Initializes array | 15\r\n15 | Initializes array | 16\r\n16 | Initializes array | 12\r\n12 | Initializes array | 18\r\n18 | Initializes array | 8\r\n8 | Initializes array | 25\r\n25 | Initializes array | 1\r\n1 | Initializes array | 4\r\n4 | Resolves the CreateProcessA function | 21\r\n21 | Resolves the SetThreadContext function | 26\r\n26 | Resolves the GetThreadContext function | 17\r\n17 | Resolves the ReadProcessMemory function | 27\r\n27 | Resolves the WriteProcessMemory function | 24\r\n24 | Resolves the NtUnmapViewOfSection function | 7\r\n7 | Resolves the VirtualAllocEx function | 0\r\n0 | Resolves the ResumeThread function | 23\r\n23 | Formats a text string as \"{0}\", which is the path to the “RegAsm.exe” executable | 5\r\n5 | Instantiates a STARTUPINFO structure | 22\r\n22 | Instantiates a PROCESS_INFORMATION structure | 11\r\n11 | Sets the size (cb field) of the STARTUPINFO structure | 20\r\n20 | Enters another state machine to handle the execution of a process | 29\r\n(Enter sub-state machine)\r\n7 | Concatenates the path to the “RegAsm.exe” with a space and a second string, which in this sample is empty | 37\r\n37 | Calls the CreateProcessA function using the concatenated string created in the previous state. The CREATE_SUSPENDED flag is used in this API function call to create the process in a suspended state. | 44\r\n44 | Creates a variable to store the process’ ImageBase | 19\r\n19 | Creates a thread CONTEXT structure | 14\r\n14 | Sets the first index in the context structure to 65538, which sets the ContextFlags value in the structure to CONTEXT_INTEGER | 10\r\n10 | Checks the value of IntPtr.Size to determine x86 or x64 process | 27 or 23\r\n27 | Calls GetThreadContext to get the context of the suspended thread in the newly created and suspended process. It then stores the EBX register of the suspended thread in a variable | 23\r\n23 | Calls ReadProcessMemory to read EBX+8 in the suspended process to get the base address of the process. It then creates a variable to store the SizeOfImage from the PE header of the payload it intends to inject into the process | 22\r\n22 | Creates a variable to store the SizeOfHeaders value from the PE header of the payload it intends to inject into the process | 25\r\n25 | Calls VirtualAllocEx to create a new buffer in the suspended process at the base address of the process | 41\r\n41 | Calls WriteProcessMemory to write the PE header of the payload to the buffer created at the base address of the suspended process | 31\r\n31 | Enters a loop in the state machine to write the embedded payload section by section to the allocated buffer. Does so by setting a counter to 0 that will be compared to NumberOfSections in each iteration of the loop | 45\r\n45 | Sets a variable for the VirtualAddress of the PE section | 29\r\n29 | Sets a variable for the SizeOfRawData of the PE section | 28\r\n28 | Sets a variable for the PointerToRawData of the PE section | 2\r\n2 | If the SizeOfRawData variable is 0 it moves on to the next section by going to state 30, else it goes to state 20 | 30 or 20\r\n30 | Increments the counter to compare to NumberOfSections | 38 (same as 45)\r\n20 | Creates a byte array with a size of SizeOfRawData for the SectionData | 21\r\n21 | Copies bytes from the embedded payload to the SectionData buffer | 36\r\n36 | Writes the SectionData buffer to the correct VirtualAddress within the remote process memory. If WriteProcessMemory succeeds, it continues in the loop by going to state 30. Otherwise, after all the sections are written to the remote process, state 13 is chosen | 30 or 13\r\n13 | Sets a variable to store the new base address of the payload copied into the remote process memory | 18\r\n18 | Sets the EIP value within the CONTEXT structure to the AddressOfEntryPoint of the injected payload | 0\r\n0 | Checks to see if the process is x86 or x64 based on the IntPtr size being 4 | 16 (x86) or 33 (x64)\r\n16 or 33 | Calls SetThreadContext using the CONTEXT structure with the new entry point to the injected payload and calls ResumeThread to run the suspended thread. This effectively runs the injected payload in the process space of RegAsm.exe | End of sub-state machine\r\n(Resumes initial state machine)\r\n29 | Ends the function by returning | End\r\nTable 2 State machines used by ISMInjector to inject and execute its payload in another process\r\nThe executable injected into the RegAsm.exe process is a variant of the ISMAgent Trojan, which is very similar in\r\nbehavior to the ISMAgent payload discussed in our previous blog. This ISMAgent payload is configured to use\r\n“cdnmsnupdate[.]com” as its C2 server using both HTTP and DNS tunneling channels.\r\nIt appears the OilRig group may have simply repurposed the injection code from an open source file called\r\nDynamicCallRunPE.cs, which is available on GitHub and Codegists. The actors did not use this code without\r\nmodification; instead, they used state machines as an obfuscation technique to disguise the injection code.\r\nThe path that ISMInjector takes through the state machine and the activities are almost identical to the activities\r\ncarried out in the DynamicCallRunPE.cs code. It is also possible that this portion of the ISMInjector was\r\nobfuscated by a crypter that the threat actors used to further complicate analysis.\r\nInfrastructure\r\nBeginning with the initial phishing email, we discovered a significant infrastructure for this attack wave that also\r\nshowed relationships to previous OilRig attack campaigns both from an infrastructure perspective and shared code.\r\nMuch like previous OilRig attacks, the C2 domains used typo-squatting techniques in order to attempt to evade\r\ndetection. The image embedded within the phishing email is hosted on cdnakamaiplanet[.]com, which resolves to\r\n
However, two\r\nother IPs on the same /24 netblock are found to be used as C2s. 82.102.14.222 is found to resolve to Microsoft-publisher[.]com, which we observed as a C2 for our initial ISMAgent finding. 82.102.14.246 resolves to\r\nadpolioe[.]com, which appears to be a typo-squatted domain that also hosts a sample of ISMAgent at\r\nhxxp://82.102.14[.]246/webdav/aws.exe. This sample’s C2 is cdnmsnupdate[.]com, which turns out to be the C2\r\nserver for three other samples, one ISMAgent and two ISMInjector. Reverse resolution of this\r\ndomain provides us the IP 74.91.19.122, which again is not used for any other domain resolution. Another IP on\r\nthe same /24 is found at 74.91.19.108 resolving to msoffice365update[.]com, which happens to be the C2 domain\r\nfor the ISMAgent payload delivered by the malicious document exploiting CVE-2017-0199 mentioned earlier in\r\nthis blog.\r\nAs previously discussed, the .dot file attempting to exploit CVE-2017-0199 uses msoffice-cdn[.]com as a C2 to\r\nretrieve additional malicious code. Reverse resolution of this domain shows an IP of 185.162.235.121, which\r\nshares a /24 netblock with 185.162.235.29. This IP resolves to office365-management[.]com, which is the C2 for a\r\nsecondary .dot file we were able to collect in this attack wave. In Figure 5 below you can see the OilRig\r\ninfrastructure for ISMInjector that our research uncovered.\r\nFigure 5 OilRig infrastructure for ISMInjector\r\nConclusion\r\nThe OilRig group continues to target organizations in the Middle East, in this instance targeting the government of\r\nthe United Arab Emirates. They continue to use the ISMAgent Trojan as the final payload in their attacks, this\r\ntime in conjunction with a custom injector Trojan to assist with delivery and execution. The injector Trojan was\r\nobfuscated using a known crypter and used state machines as an anti-analysis technique to complicate its process\r\nto inject the payload into another process. 
The use of crypters and anti-analysis techniques suggests that the threat\r\nactors are increasing their efforts to evade security products to successfully compromise their targets.\r\nAs our research continues to expand into the OilRig group, we are continuously discovering new infrastructure\r\nwhich directly overlaps with previously used infrastructure. With the addition of the reuse of tools, similar attack\r\nprotocols, as well as consistent victimology, we have strong confidence that the original OilRig attack campaign is\r\nindeed a single, unique, and previously unknown threat group that will hereby be referred to as the OilRig group.\r\nPalo Alto Networks customers are protected from ISMInjector, ISMAgent and ThreeDollars by the following:\r\nAll ISMInjector, ISMAgent and ThreeDollars samples are marked with a malicious verdict in WildFire\r\nAutoFocus customers can track these malware families via:\r\nISMInjector\r\nISMAgent\r\nThreeDollars\r\nIndicators of Compromise\r\nThreeDollars SHA256\r\n119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc\r\nISMInjector SHA256\r\n33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647\r\nISMAgent SHA256\r\n74f61b6ff0eb58d76f4cacfb1504cb6b72684d0d0980d42cba364c6ef28223a8\r\nISMAgent C2\r\ncdnmsnupdate[.]com\r\nRelated CVE-2017-0199 SHA256\r\n66358a295b8b551819e053f2ee072678605a5f2419c1c486e454ab476c40ed6a\r\nRelated CVE-2017-0199 Domains\r\nmsoffice-cdn[.]com\r\noffice365-management[.]com\r\nAdditional Hashes\r\nf92ab374edd488d85f2e113b40ea8cb8baf993f5c93c12455613ad3265f42b17 (CVE-2017-0199)\r\nfcad263d0fe2b418db05f47d4036f0b42aaf201c9b91281dfdcb3201b298e4f4 (ISMInjector)\r\n0ccb2117c34e3045a4d2c0d193f1963c8c0e8566617ed0a561546c932d1a5c0c (ThreeDollars)\r\na9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821 
(ISMAgent)\r\n963f93824d87a56fe91283652eab5841e2ec538c207091dbc9606b962e38805d (ISMAgent)\r\nAdditional Domains\r\nntpupdateserver[.]com\r\ncdnakamaiplanet[.]com\r\nmsoffice365update[.]com\r\nadpolioe[.]com\r\nMicrosoft-publisher[.]com\r\nSource: https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
	],
	"report_names": [
		"unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ae21bb347ac6139bcb3b1065b26da8ffc828af0.pdf",
		"text": "https://archive.orkl.eu/0ae21bb347ac6139bcb3b1065b26da8ffc828af0.txt",
		"img": "https://archive.orkl.eu/0ae21bb347ac6139bcb3b1065b26da8ffc828af0.jpg"
	}
}