{
	"id": "a8865c3a-44f1-4764-a7ef-19ec4cb98ff5",
	"created_at": "2026-04-06T00:21:04.642325Z",
	"updated_at": "2026-04-10T13:12:19.307083Z",
	"deleted_at": null,
	"sha1_hash": "5c8c8b4b2f1d685ebecd7d5010c83c8e43e3951f",
	"title": "OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 709778,
	"plain_text": "OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan\r\nBy Robert Falcone\r\nPublished: 2017-11-08 · Archived: 2026-04-05 16:44:01 UTC\r\nUnit 42 has been closely tracking the OilRig threat group since May 2016. One technique we’ve been tracking\r\nwith this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in\r\nattacks since May 2016. In our April 2017 posting OilRig Actors Provide a Glimpse into Development and Testing\r\nEfforts we showed how we observed the OilRig threat group developing and refining these Clayslide delivery\r\ndocuments.\r\nRecently, we observed a new version of the Clayslide delivery document used to install a new custom Trojan\r\nwhose developer calls it “ALMA Communicator”. The delivery document also saved the post-exploitation\r\ncredential harvesting tool known as Mimikatz, which we believe the threat actors will use to gather account\r\ncredentials from the compromised system. While we do not have detailed telemetry, we have reason to believe this\r\nattack targeted an individual at a public utilities company in the Middle East.\r\n  New Clayslide Delivery Document\r\nThe most recent build of Clayslide operates in a similar way to its predecessors, as it initially displays an\r\n\"Incompatible\" worksheet that states that the Excel file was created with a newer version of Excel and the user\r\nneeds to \"Enable Content\" to view the document. If the user clicks \"Enable Content\", a malicious macro will run\r\nthat begins by displaying a hidden worksheet that contains decoy contents, as seen in the following:\r\nWhile the decoy is displayed to the victim, the malicious macro accesses data from specific cells in the\r\n\"Incompatible\" worksheet that it concatenates to create an .HTA file, which it then saves\r\nto %PUBLIC%\\tmp.hta and opens with the mshta.exe application. 
The .HTA file contains HTML that will run a\r\nVBScript that finally installs the malicious payload for this attack.\r\nThe payload installation process begins with the .HTA file creating a folder named %PUBLIC%\\{5468973-4973-50726F6A656374-414C4D412E-2}, to which it writes three files with the following names:\r\nhttps://unit42.paloaltonetworks.com/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/\r\nPage 1 of 6\n\nSystemSyncs.exe\r\nm6.e\r\ncfg\r\nThe .HTA file contains two encoded executables that it will decode and write to m6.e and SystemSyncs.exe. The\r\n.HTA file also contains a base64 encoded configuration that it decodes and saves to the cfg file, which the Trojan will\r\nuse to obtain the C2 domain that it will use to communicate with the threat actor. The C2 domain saved to the cfg\r\nfile in this attack is prosalar[.]com.\r\nThe SystemSyncs.exe file (SHA256:\r\n2fc7810a316863a5a5076bf3078ac6fad246bc8773a5fb835e0993609e5bb62e) is a custom Trojan created by the\r\nOilRig group called “ALMA Communicator”, which we will describe in detail in the next section.\r\nThe \"m6.e\" file dropped by the .HTA file is a variant of the Mimikatz tool (SHA256:\r\n2d6f06d8ee0da16d2335f26eb18cd1f620c4db3e880efa6a5999eff53b12415c). We have seen the OilRig threat\r\ngroup using Mimikatz for credential gathering during its post-exploitation activities; however, this is the first time\r\nwe have observed the threat group delivering Mimikatz during the delivery phase of the attack. We believe the\r\nClayslide delivery document dropped this additional tool because of the limitations of ALMA Communicator’s C2\r\nchannel, which we will describe later in this report.\r\nThe VBScript in the .HTA file executes the SystemSyncs.exe payload and achieves persistent execution by\r\ncreating a scheduled task. 
Unlike past Clayslide documents that create a scheduled task via the schtasks application\r\nfrom the command prompt, the VBScript programmatically creates the task using the Schedule.Service object. The\r\nscheduled task created, as seen in Figure 1, shows that the payload will be executed every two minutes with the\r\ncommand line argument \"Lock\".\r\nFigure 1 Scheduled task created by Clayslide to execute the ALMA Communicator payload\r\nALMA Communicator Trojan\r\nThe ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands\r\nfrom the adversary and to exfiltrate data. This Trojan specifically reads in a configuration from the cfg file that\r\nwas initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the\r\nTrojan does not function without the cfg file created by the delivery document.\r\nAfter reading in its configuration, the Trojan creates two folders for staging, named Download and Upload.\r\nALMA uses the Download folder to save batch files provided by the C2 server, which it will eventually run.\r\nALMA uses the Upload folder to store the output of the executed batch files, which it will eventually exfiltrate to\r\nthe C2 server.\r\nALMA Communicator uses DNS tunneling as its C2 communication channel using a specific protocol that uses\r\nspecially crafted subdomains to transmit data to the C2 server and specific IPv4 addresses to transmit data from\r\nthe C2 to the Trojan. The transmission of information from the Trojan to the C2 server occurs through DNS\r\nrequests to resolve specially crafted subdomains on the configured C2 domain.\r\nTo build these specially crafted subdomains, the Trojan generates a random four-digit number and concatenates the\r\nhardcoded string ID. 
The Trojan then appends a unique identifier for the compromised system to this string. To\r\ngenerate this unique identifier, the Trojan starts by obtaining the system’s ProductId from the registry, specifically\r\nat SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId. If it cannot find this registry value, it will use\r\nthe hardcoded value 00000-00000-00000-00000. It then obtains the username and concatenates an underscore\r\nfollowed by the product id string. The Trojan takes the MD5 hash of this string and uses it as the basis for the\r\nunique identifier for the compromised system. It then appends the hardcoded -0-2D-2D string to finish the\r\nconstruction of the subdomain used to beacon the C2 server. Figure 2 shows the structure of the domains that\r\nALMA Communicator will send to the C2 server to receive data.\r\nFigure 2 Domain used by ALMA Communicator to receive data from the C2 server\r\nTo provide a better explanation of the unique identifier generated by ALMA Communicator, let’s consider a test\r\nsystem whose username and product id produce the string Administrator_00000-00000-00000-00000, which\r\nresults in an MD5 hash of 35ead98470edf86a1c5a1c5fb2f14e02. The Trojan will generate the unique identifier\r\nstring 3d7f11b4 by taking the first, fifth, ninth, thirteenth, seventeenth, twenty-first, twenty-fifth and twenty-ninth\r\ncharacters from the MD5 hash and concatenating them together, as seen in Figure 3.\r\nFigure 3 How ALMA Communicator generates the unique identifier for the compromised system\r\nThe C2 server will reply to the beacon DNS requests with IPv4 addresses within A records. The Trojan will parse\r\nthese responses for two specific IP addresses, one to mark the beginning and one to mark the end of the\r\ntransmission of data from the C2 to the Trojan. 
The two specific IP addresses that mark the start and end of the data\r\nare:\r\nStart - 36.37.94.33 ($%^!)\r\nEnd - 33.33.94.94 (!!^^)\r\nThe C2 will respond to DNS queries between these two responses with IP addresses that the Trojan will treat as\r\nbinary data. During our analysis, we observed the following data being sent from the C2 server to our analysis\r\nsystem, with $%^! and !!^^ representing the start and stop markers for the data:\r\n$%^!_DnsInit.bat@echo off \u0026 chcp 65001\\r\\necho\r\n%userdomain%\\\\%username% 2\u003e\u00261 \u0026 echo %computername% 2\u003e\u00261 \u0026 echo\r\n________________________________Task__________________________________\r\n\u0026 schtasks /query /FO List /TN \"Google_{50726F6A656374-\r\n414C4D41-48747470}\" /V | findstr /b /n /c:\"Repeat: Every:\" 2\u003e\u00261\r\n\u0026 schtasks /query /FO List /TN \"Micro_{50726F6A656374-\r\n414C4D41-446E73-2}\" /V | findstr /b /n /c:\"Repeat: Every:\" 2\u003e\u00261 \u0026 echo\r\n______________________________________________________________________   !!^^\r\nBased on the data sent back from the C2, the Trojan will create a file named _DnsInit.bat with the commands seen in\r\nthe data. The Trojan stores the batch file in the Download folder. The Trojan will then enumerate this folder and\r\ncreate a cmd.exe process with the path to the batch script as a command line argument. The Trojan will add to the\r\ncommand line argument the string \" \u003e \" followed by the batch script's filename with the .txt.Prc file extension to\r\nwrite the output of the command to a text file in the Upload folder. 
Before running the process, the Trojan appends the following\r\nstring to the end of the command line argument to delete the batch script upon execution:\r\n\\r\\nDEL /f /q \\\"%~0\\\"|exit\r\nThe Trojan will then attempt to send the newly created file in the Upload folder that contains the result of running\r\nthe command. The DNS requests used to send this data have four fields that are split up using a hyphen, which are:\r\n1. Random four-digit number followed by the static \"ID\" string and the 10 character unique system identifier\r\n2. Number of DNS queries needed to send the entire data stream\r\n3. Maximum of 20 characters for 10 hexadecimal bytes of data to transmit\r\n4. String of characters for the hexadecimal bytes of the filename transmitted\r\nTo better visualize the structure of a DNS query used to send data, the following shows the domain name that\r\nthe Trojan will build to send data to its C2 server:\r\n[random 4 digits]ID[unique identifier]-[number of DNS queries needed]-[string of hexadecimal bytes for sent\r\ndata]-[string of hexadecimal bytes for filename being sent].prosalar[.]com\r\nFor example, Figure 4 is the first DNS query issued after our testing system ran the _DnsInit.bat script provided by\r\nthe C2 server mentioned above. As you can see, each DNS request can only send 10 bytes of data at a time,\r\nrequiring 29 outbound requests to transmit the 289 bytes of output that was generated by the batch script.\r\nFigure 4 Subdomain that ALMA Communicator attempts to resolve to transmit data to its C2 server\r\nAs you can surmise, ALMA Communicator’s C2 channel is rather limited when it comes to data transfer. If an\r\nactor wished to use ALMA Communicator to exfiltrate large files, it would result in a very large number of\r\noutbound DNS requests, as each outbound request can only send 10 bytes at a time. 
Even more limiting is the data\r\ntransmission from the C2 server to the Trojan, which can only send 4 bytes per DNS request, as each IPv4 address\r\nis treated as data. We believe this is the reason why the Clayslide delivery document saved the Mimikatz tool to\r\nthe system instead of having the actor download the tool to the system after a successful compromise. Based on\r\nthe 4-byte per DNS request limitation, the ALMA Communicator would generate 189,568 DNS requests (not\r\nincluding the start and stop requests) to transmit the 758,272 byte Mimikatz tool to the system, which may be\r\ndetected by security systems or personnel.\r\n  Conclusion\r\nThe OilRig threat group continues to use their Clayslide delivery document in their attack campaigns. The current\r\nvariant of Clayslide also suggests that this group continues to develop these delivery documents with new\r\ninstallation techniques to evade detection. This threat group also continues to add new payloads to their toolset as\r\nwell, with ALMA Communicator being the most recent addition. 
Lastly, it appears that OilRig still prefers\r\nDNS tunneling as its C2 channel of choice, as ALMA Communicator, Helminth and ISMAgent all use this\r\ntechnique for C2 communications.\r\nPalo Alto Networks customers are protected by the following:\r\nWildFire identifies Clayslide delivery documents and ALMA Communicator samples as malicious\r\nTraps blocks the ALMA Communicator Trojan via Local Analysis and blocks the Clayslide delivery\r\ndocument based on “Suspicious macro detected”\r\nAutoFocus customers can track these tools using the following tags:\r\nClayslide\r\nALMACommunicator\r\nMimikatz\r\n \r\nIndicators of Compromise\r\nf37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111 (Clayslide)\r\n2fc7810a316863a5a5076bf3078ac6fad246bc8773a5fb835e0993609e5bb62e (ALMA Communicator)\r\n2d6f06d8ee0da16d2335f26eb18cd1f620c4db3e880efa6a5999eff53b12415c (Mimikatz)\r\nprosalar[.]com\r\n \r\nSource: https://unit42.paloaltonetworks.com/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
	],
	"report_names": [
		"unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c8c8b4b2f1d685ebecd7d5010c83c8e43e3951f.pdf",
		"text": "https://archive.orkl.eu/5c8c8b4b2f1d685ebecd7d5010c83c8e43e3951f.txt",
		"img": "https://archive.orkl.eu/5c8c8b4b2f1d685ebecd7d5010c83c8e43e3951f.jpg"
	}
}