{
	"id": "33abdc4c-fbf5-4fbd-bb56-e295c0fd814e",
	"created_at": "2026-04-06T00:08:40.971904Z",
	"updated_at": "2026-04-10T03:37:36.817Z",
	"deleted_at": null,
	"sha1_hash": "5254f6992877621f054e48b2155d64b514e0047f",
	"title": "Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2111694,
	"plain_text": "Iranian Threat Agent OilRig Delivers Digitally Signed Malware,\r\nImpersonates University of Oxford – ClearSky Cyber Security\r\nPublished: 2017-01-05 · Archived: 2026-04-02 10:44:35 UTC\r\nIranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle\r\nEast since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT\r\nvendors, several financial institutes, and the Israeli Post Office.\r\nLater, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and\r\na job application website. On these websites they hosted malware that was digitally signed with a valid, likely\r\nstolen code signing certificate.\r\nBased on VirusTotal uploads, malicious document content, and known victims – other targeted organisations are\r\nlocated in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.\r\nFake VPN Web Portal\r\nIn one of the recent cases, the attackers sent the following email to individuals in targeted organisations:\r\nThe email was sent from a compromised account of an IT vendor. 
Similar emails were sent from other IT vendors\r\nin the same time period, suggesting the attackers had a foothold within their networks, or at least could get access\r\nto specific computers or email accounts.\r\nThe link provided in the malicious email led to a fake VPN Web Portal:\r\nhttps://www.clearskysec.com/oilrig/\r\nPage 1 of 10\n\nUpon logging in with the credentials provided in the email, the victim is presented with the following page:\r\nThe victim is asked to install the “VPN Client” (an .exe file), or, if the download fails, to download a password-\r\nprotected zip (with the same .exe file inside).\r\nThe “VPN Client” is legitimate Juniper VPN software bundled with Helminth, malware in use by the OilRig\r\nthreat agent:\r\nJuniperSetupClientInstaller.exe\r\n6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link)\r\nIf the victim downloads and installs the file, their computer gets infected while the legitimate VPN software\r\nis installed. The legitimate and the malicious installations can be seen in the process tree when the file is run in a\r\nCuckoo sandbox. 
Malicious processes are marked in red (click image to enlarge):\r\nThe following malicious files are dropped and run:\r\nC:\\ProgramData\\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\\OFFLINE\\9A189DFE\\C7B7C186\\main.vbs\r\ndcac79d7dc4365c6d742a49244e81fd0\r\nC:\\Users\\Public\\Libraries\\RecordedTV\\DnE.ps1\r\n7fe0cb5edc11861bc4313a6b04aeedb2\r\nC:\\Users\\Public\\Libraries\\RecordedTV\\DnS.ps1\r\n3920c11797ed7d489ca2a40201c66dd4\r\n“C:\\Windows\\System32\\schtasks.exe” /create /F /sc minute /mo 3 /tn “GoogleUpdateTasksMachineUI” /tr\r\nC:\\Users\\Public\\Libraries\\RecordedTV\\backup.vbs\r\n7528c387f853d96420cf7e20f2ad1d32\r\nThe command and control server is located in the following domain:\r\ntecsupport[.]in\r\nA detailed analysis of the malware is provided in two posts by Palo Alto Networks and in a post by FireEye,\r\nwhich wrote about previous campaigns by this threat agent.\r\n(Note that Juniper Networks was not compromised nor otherwise involved in the attack, except for the attackers\r\nusing its name and publicly available software).\r\nThe entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by\r\nSymantec to AI Squared, a legitimate software company that develops accessibility software:\r\nThumbprint: F340C0D841F9D99DBC289151C13391000366631C\r\nSerial number: 45 E4 7F 56 0B 01 B6 4E 68 39 5E 5D 79 2F 2E 09\r\nAnother Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code\r\nsigning certificate:\r\nThumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A\r\nSerial number: 62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48\r\nThis suggests that the attackers had got hold of an Ai Squared signing key, potentially after compromising their\r\nnetwork. 
Alternatively, the attackers might have got Symantec to issue them a certificate under Ai Squared’s\r\nname.\r\n[Update 11 February 2017: In a notification on its website, Ai Squared says that “The digital certificate used to\r\ncertify newer ZoomText and Window-Eyes software products has been compromised. As a result, our certificate\r\nwill be revoked on or around January 26th”]\r\nUniversity of Oxford impersonation\r\nThe attackers registered four domains impersonating The University of Oxford.\r\noxford-symposia[.]com is a fake Oxford conference registration website. Visitors are asked to download the\r\n“University Of Oxford Job Symposium Pre-Register Tool”:\r\nThe downloaded file (which is also signed with an AI Squared certificate) is a fake registration tool built by the\r\nattackers:\r\nOxfordSymposiumRegTool.exe\r\nf77ee804de304f7c3ea6b87824684b33\r\nIf run by the victim, their computer gets infected while they are shown this registration process:\r\nNote that after completing the “registration process”, the victim is asked to send the form to an email address\r\nin oxford-careers[.]com, which also belongs to the attackers.\r\nPreviously the fake website linked to the following documents in a third fake Oxford domain, oxford[.]in:\r\nhttp://oxford[.]in/downloads/ls1.doc\r\nhttp://oxford[.]in/downloads/ls2.doc\r\nhttp://oxford[.]in/downloads/ls3.doc\r\nhttp://oxford[.]in/downloads/ls4.do\r\nThe documents were unavailable during our research, and their content is unknown to us.\r\nThe attackers used a fourth domain, oxford-employee[.]com, to host an “Oxford Job application” website:\r\nVisitors are asked to “Download CV Creator” in order “To Join University of Oxford staff”. 
CV Creator is a\r\nmalicious file hosted at http://www.oxford-careers[.]com/Files/OxfordCVCreator.exe:\r\nOxfordCVCreator.exe\r\n5713c3c01067c91771ac70e193ef5419\r\nWhen run, the victim is again presented with a tool created by the attackers, this time a “University Of Oxford\r\nOfficial CV Creator”:\r\nBoth samples mentioned in this section used the following domain for command and control:\r\nupdater[.]li\r\nOther incidents\r\nIn an earlier incident, the attackers sent a malicious Excel file impersonating Israir, an Israeli airline (the content\r\nof the file was copied from the company’s public website and we have no indication of it being compromised or\r\ntargeted):\r\nIsrael Airline.xls\r\n197c018922237828683783654d3c632a\r\nThe file had a macro that, if enabled by the user, would infect their computer.\r\nIn other incidents the attackers used the following files:\r\nSpecial Offers.xls / Salary Employee 2016.xls\r\nf76443385fef159e6b73ad6bf7f086d6\r\npic.xls\r\n3a5fcba80c1fd685c4b5085d9d474118\r\nPeople List.xls\r\nbd7d2efdb2a0f352c4b74f2b82e3c7bc\r\ncv.xls\r\n72e046753f0496140b4aa389aee2e300\r\nusers.xls\r\n262bc259682cb48ce66a80dcc9a5d587\r\nEmployee Engagement Survey.xls\r\n726175e9aba421aa0f96cfc005664302\r\nJuniperSetupClientInstaller.exe\r\nf8ce7e356e09de6a48dca9e51421b6f6\r\nProject_Domain_No337.chm\r\n1792cdd0c5397ff5df445d73276d1a50 (undetected as malicious by any antivirus on VirusTotal)\r\ngcaa_report_series15561.chm\r\nd50ab63f4034c6f5eb356e3326320e66 (undetected as malicious by any antivirus on VirusTotal)\r\nInfrastructure overlap with Cadelle and Chafer\r\nIn December 2015, Symantec published a post about “two Iran-based attack groups that appear to be connected,\r\nCadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian\r\nindividuals and Middle Eastern organizations”.\r\nBackdoor.Remexi, 
one of the malware families in use by Chafer, had the following command and control host:\r\n87pqxz159.dockerjsbin[.]com\r\nInterestingly, IP address 83.142.230.138, which serves as a command and control address for an OilRig-related\r\nsample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.\r\nThis suggests that the two groups may actually be the same entity, or that they share resources in one way or\r\nanother.\r\nIndicators of compromise\r\nIndicators file: oilrig-indicators.csv (also available on PassiveTotal)\r\nThe graph below depicts the OilRig infrastructure (click to enlarge):\r\nAcknowledgments\r\nThis research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware\r\nresearch. We would like to thank White-Hat, Tom Lancaster of Palo Alto Networks, Michael Yip of Stroz\r\nFriedberg, security researcher Marcus, and other security researchers and organizations who shared information\r\nand provided feedback.\r\nSource: https://www.clearskysec.com/oilrig/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.clearskysec.com/oilrig/"
	],
	"report_names": [
		"oilrig"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5d57e839-da14-44ab-b0dc-3a090f45ac4c",
			"created_at": "2022-10-25T16:07:23.42967Z",
			"updated_at": "2026-04-10T02:00:04.595465Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "ETDA:Cadelle",
			"tools": [
				"Antak",
				"Cadelle",
				"Cadelspy",
				"WinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ba5f718-ad64-492c-8a95-e21a46516d22",
			"created_at": "2023-01-06T13:46:38.524357Z",
			"updated_at": "2026-04-10T02:00:03.011902Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "MISPGALAXY:Cadelle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5254f6992877621f054e48b2155d64b514e0047f.pdf",
		"text": "https://archive.orkl.eu/5254f6992877621f054e48b2155d64b514e0047f.txt",
		"img": "https://archive.orkl.eu/5254f6992877621f054e48b2155d64b514e0047f.jpg"
	}
}