{
	"id": "b92e09cd-fedd-411e-9952-ebb9d91c08ca",
	"created_at": "2026-04-06T00:18:24.378409Z",
	"updated_at": "2026-04-10T03:37:37.078673Z",
	"deleted_at": null,
	"sha1_hash": "71c864e9b9fe3ecf65188a8d41e5fed057873005",
	"title": "OilRig’s persistent attacks using cloud service-powered downloaders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 617810,
	"plain_text": "OilRig’s persistent attacks using cloud service-powered downloaders\r\nBy Zuzana Hromcová and Adam Burgher\r\nArchived: 2026-04-05 18:44:40 UTC\r\nUPDATE (June 5th, 2025): Since publishing this blogpost, we have updated our tracking to better reflect the full\r\nrange and complexity of the malicious activities carried out by the OilRig APT group. As a result, we are now\r\ntracking OilRig as a parent group with several subgroups. The activities described in this blogpost fall under the\r\nOilRig subgroup named Lyceum.\r\nLyceum, also known as HEXANE or Storm-0133, is an advanced threat group that focuses on targeting various\r\nIsraeli organizations, including governmental and local governmental entities and organizations in healthcare.\r\nMajor tools we attribute to Lyceum include DanBot, the Shark, Milan, and Marlin backdoors, Solar and Mango,\r\nOilForceGTX, and a variety of downloaders using legitimate cloud services for C\u0026C communication.\r\nESET researchers analyzed a growing series of OilRig downloaders that the group has used in several campaigns throughout\r\n2022, to maintain access to target organizations of special interest – all located in Israel. These lightweight downloaders,\r\nwhich we named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, are notable for using one of\r\nseveral legitimate cloud service APIs for C\u0026C communication and data exfiltration: the Microsoft Graph OneDrive or\r\nOutlook APIs, and the Microsoft Office Exchange Web Services (EWS) API.\r\nIn all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the\r\nOilRig operators; the same account is typically shared by multiple victims. 
The downloaders access this account to\r\ndownload commands and additional payloads staged by the operators, and to upload command output and staged files.\r\nWe discovered the earliest of the series, SC5k (v1) downloader, in November 2021, when it was used in OilRig’s Outer\r\nSpace campaign, documented in our recent blogpost. In the current blogpost, we focus on all of the SC5k successors that\r\nOilRig developed throughout 2022, with a new variation introduced every few months; we will also take a closer look at the\r\nmechanisms employed by these downloaders. We also compare these downloaders to other OilRig backdoors that use email-based C\u0026C protocols, and that were reported earlier this year by Trend Micro (MrPerfectionManager) and Symantec\r\n(PowerExchange).\r\nFinally, this blogpost also expands on our LABScon 2023 presentation, where we drilled down into how OilRig keeps\r\naccess to selected Israeli organizations: all of the downloaders studied in this blogpost were deployed in networks that were\r\npreviously affected by multiple OilRig tools, which underlines the fact that OilRig is persistent in targeting the same\r\norganizations, and determined to keep its foothold in compromised networks.\r\nKey points of this blogpost:\r\nOilRig actively developed and used a series of downloaders with a similar logic throughout 2022: three\r\nnew downloaders – ODAgent, OilCheck, OilBooster – and newer versions of the SC5k downloader.\r\nThe downloaders use various legitimate cloud service APIs for C\u0026C communication and data exfiltration:\r\nMicrosoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API.\r\nTargets, all in Israel, included an organization in the healthcare sector, a manufacturing company, a local\r\ngovernmental organization, and other organizations.\r\nAll targets were previously affected by multiple OilRig campaigns.\r\nAttribution\r\nOilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a 
cyberespionage group that has been active since at\r\nleast 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of\r\nbusiness verticals, including chemical, energy, financial, and telecommunications.\r\nhttps://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/\r\nPage 1 of 19\n\nOilRig carried out the DNSpionage campaign in 2018 and 2019, which targeted victims in Lebanon and the United Arab\r\nEmirates. In 2019 and 2020, OilRig continued its attacks with the HardPass campaign, which used LinkedIn to target Middle\r\nEastern victims in the energy and government sectors. In 2021, OilRig updated its DanBot backdoor and began deploying\r\nthe Shark, Milan, and Marlin backdoors, as mentioned in the T3 2021 issue of the ESET Threat Report. In 2022 and 2023,\r\nthe group carried out several attacks against local government entities and healthcare organizations in Israel, using its new\r\nbackdoors Solar and Mango. In 2023, OilRig targeted organizations in the Middle East with the PowerExchange and\r\nMrPerfectionManager backdoors, and related tools to harvest internal mailbox account credentials and then to leverage these\r\naccounts for exfiltration.\r\nWe attribute SC5k (v1-v3), ODAgent, OilCheck, and OilBooster downloaders to OilRig with a high level of confidence,\r\nbased on these indicators:\r\nTargets:\r\nThese downloaders were deployed exclusively against Israeli organizations, which aligns with typical OilRig\r\ntargeting.\r\nThe observed verticals of the victims also align with OilRig’s interests – for example, we have seen OilRig\r\npreviously targeting the Israeli healthcare sector, as well as the local government sector in Israel.\r\nCode similarities:\r\nThe SC5k v2 and v3 downloaders evolved naturally from the initial version, which was previously used in an\r\nOilRig Outer Space campaign. 
ODAgent, OilCheck and OilBooster share similar logic, and all use various\r\ncloud service providers for their C\u0026C communications, as do SC5k, Marlin, PowerExchange, and\r\nMrPerfectionManager.\r\nWhile not unique to OilRig, these downloaders have a low level of sophistication and are often unnecessarily\r\nnoisy on the system, which is a practice we previously observed in its Out to Sea campaign.\r\nOverview\r\nIn February 2022, we detected a new OilRig downloader, which we named ODAgent based on its filename: ODAgent.exe.\r\nODAgent is a C#/.NET downloader that, similar to OilRig’s Marlin backdoor, uses the Microsoft OneDrive API for C\u0026C\r\ncommunications. Unlike Marlin, which supports a comprehensive list of backdoor commands, ODAgent’s narrow\r\ncapabilities are limited to downloading and executing payloads, and to exfiltrating staged files.\r\nODAgent was detected in the network of a manufacturing company in Israel – interestingly, the same organization was\r\npreviously affected by OilRig’s SC5k downloader, and later by another new downloader, OilCheck, between April and June\r\n2022. SC5k and OilCheck have similar capabilities to ODAgent, but use cloud-based email services for their C\u0026C\r\ncommunications.\r\nThroughout 2022, we observed the same pattern being repeated on multiple occasions, with new downloaders being\r\ndeployed in the networks of previous OilRig targets: for example, between June and August 2022, we detected the\r\nOilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental\r\norganization in Israel. Later we detected yet another SC5k version (v3), in the network of an Israeli healthcare organization,\r\nalso a previous OilRig victim.\r\nSC5k is a C#/.NET application whose purpose is to download and execute additional OilRig tools using the Office\r\nExchange Web Services (EWS) API. 
The new versions introduced changes to make retrieval and analysis of the malicious\r\npayloads harder for analysts (SC5k v2), and new exfiltration functionality (SC5k v3).\r\nAll the downloaders, summarized in Figure 1, share a similar logic but have different implementations and show growing\r\ncomplexity over time, alternating C#/.NET binaries with C/C++ applications, varying the cloud service providers misused\r\nfor the C\u0026C communication, and other specifics.\r\nFigure 1. Timeline of OilRig’s downloaders\r\nOilRig has only used these downloaders against a limited number of targets, all located in Israel and, according to ESET\r\ntelemetry, all of them were persistently targeted months earlier by other OilRig tools. As it is common for organizations to\r\naccess Office 365 resources, OilRig’s cloud service-powered downloaders can thus blend more easily into the regular stream\r\nof network traffic – apparently also the reason why the attackers chose to deploy these downloaders to a small group of\r\nespecially interesting, repeatedly victimized targets.\r\nAs of this writing, the following (exclusively Israeli, as noted above) organizations were affected:\r\na manufacturing company (SC5k v1, ODAgent, and OilCheck),\r\na local governmental organization (SC5k v1, OilBooster, and SC5k v2),\r\na healthcare organization (SC5k v3), and\r\nother unidentified organizations in Israel (SC5k v1).\r\nUnfortunately, we don’t have information about the initial attack vector used to compromise the targets discussed in this\r\nblogpost – we can’t confirm whether the attackers have been able to successfully compromise the same organizations\r\nrepeatedly, or if they somehow managed to keep their foothold in the network in between deploying various tools.\r\nTechnical analysis\r\nIn this section, we provide a technical analysis of OilRig’s 
downloaders used throughout 2022, with the details of how they\r\nabuse various cloud storage services and cloud-based email providers for their C\u0026C communications. All of these\r\ndownloaders follow a similar logic:\r\nThey use a shared (email or cloud storage) account to exchange messages with the OilRig operators; the same\r\naccount can be used against multiple victims.\r\nThey access this account to download commands and additional payloads staged by the operators, and to upload\r\ncommand output and staged files.\r\nIn our analysis, we focus on these characteristics of the downloaders:\r\nSpecifics of the network communication protocol (e.g., Microsoft Graph API vs. Microsoft Office EWS API).\r\nThe mechanism used to distinguish between different attacker-staged and downloader-uploaded messages in the\r\nshared account, including the mechanism to distinguish between messages uploaded from various victims.\r\nSpecifics of how the downloaders process the commands and payloads downloaded from the shared account.\r\nTable 1 summarizes and compares how the individual downloaders implement these characteristics; we then analyze the first\r\n(SC5k) and the most complex (OilBooster) downloaders in detail as examples of tools abusing cloud-based email services\r\nand cloud storage services, respectively.\r\nTable 1. 
A summary of main characteristics of OilRig’s downloaders abusing legitimate cloud service providers\r\nC\u0026C protocol\r\nSC5k v1, SC5k v2, SC5k v3, OilCheck: A shared Microsoft Exchange email account, C\u0026C communication embedded in draft messages.\r\nOilBooster, ODAgent: A shared OneDrive account; files with v extensions to distinguish action types.\r\nNetwork communications\r\nSC5k v1, SC5k v2, SC5k v3: Microsoft Office EWS API.\r\nOilCheck: Microsoft Graph (Outlook) API.\r\nOilBooster, ODAgent: Microsoft Graph (OneDrive) API.\r\nVictim identification mechanism\r\nSC5k v1: The sg extended property of the email draft is set to \u003cvictimID\u003e.\r\nSC5k v2: An unknown extended email property is set to \u003cvictimID\u003e.\r\nSC5k v3: From field has the username portion of the email address set to \u003cvictimID\u003e.\r\nOilCheck: The zigorat extended property of the email draft is set to \u003cvictimID\u003e.\r\nOilBooster, ODAgent: All communication for, and from, the s victim is uploaded to a victim-specific subdirectory named \u003cvictimID\u003e.\r\nKeep-alive message\r\nSC5k v1: The type extended property of the email draft is set to 3; the current GMT time is in the email body.\r\nSC5k v2: An unknown extended property of the email draft is set to 0; the email body is empty.\r\nSC5k v3: The From field of the email draft is set to \u003cvictimID\u003e@yahoo.com; the current GMT time is in the email body.\r\nOilCheck: The type extended property of the email draft is set to 3; the current GMT time is in the email body.\r\nOilBooster: A file named \u003cvictimID\u003e/setting.ini.\r\nODAgent: A file named \u003cvictimID\u003e/\r\nFile for download\r\nSC5k v1: The type extended property of the email draft is set to 1; the attached file has any extension other than .json.\r\nSC5k v2: An unknown extended property of the email draft is set to 1; the attached file has any extension other than .bin.\r\nSC5k v3: The From field of the email draft is set to \u003cvictimID\u003e@outlook.com, with the message category set to file.\r\nOilCheck: The type extended property of the email draft is set to 1; the attached file has a .biz extension.\r\nOilBooster: A file with a .docx extension in the \u003cvictimID\u003e/items subdirectory.\r\nODAgent: A non-JSON the \u003cvictimI subdirectory\r\nExfiltrated file\r\nSC5k v1: The type extended property of the email draft is set to 2; the attached file has the .tmp1 extension.\r\nSC5k v2: An unknown extended property of the email draft is set to 2; the attached file has a .tmp extension.\r\nSC5k v3: The From field of the email draft is set to \u003cvictimID\u003e@aol.com, with the file category.\r\nOilCheck: The type extended property of the email draft is set to 2; the attached file has a .biz extension.\r\nOilBooster: A file with a .xlsx extension in the \u003cvictimID\u003e/items subdirectory.\r\nODAgent: A non-JSON the \u003cvictimI subdirectory\r\nCommand for execution\r\nSC5k v1: The type extended property of the email draft is set to 1; the attached file has a .json extension.\r\nSC5k v2: An unknown extended property of the email draft is set to 1; the attached file has a .bin extension.\r\nSC5k v3: The From field of the email draft is set to \u003cvictimID\u003e@outlook.com, without the file category.\r\nOilCheck: The type extended property of the email draft is set to 1; the attached file has any extension other than .biz.\r\nOilBooster: A file with a .doc extension in the \u003cvictimID\u003e/items subdirectory.\r\nODAgent: A JSON file \u003cvictimID\u003e/ subdirectory\r\nCommand output\r\nSC5k v1: The type extended property of the email draft is set to 2; the attached file has a .json extension.\r\nSC5k v2: An unknown extended property of the email draft is set to 2; the attached file has a .bin extension.\r\nSC5k v3: The From field of the email draft is set to \u003cvictimID\u003e@aol.com, with the text category.\r\nOilCheck: The type extended property of the email draft is set to 2.\r\nOilBooster: A file with a .xls extension in the \u003cvictimID\u003e/items subdirectory.\r\nODAgent: A JSON file \u003cvictimID\u003e/ subdirectory\r\nSC5k downloader\r\nThe SampleCheck5000 (or SC5k) downloader is a C#/.NET application, and the first in a series of OilRig’s lightweight\r\ndownloaders that use legitimate cloud services for their C\u0026C communication. We briefly documented the first variant in our\r\nrecent blogpost, and have since discovered two newer variants.\r\nAll SC5k variants use the Microsoft Office EWS API to interact with a shared Exchange mail account, as a way to download\r\nadditional payloads and commands, and to upload data. Email drafts and their attachments are the primary vehicle for the\r\nC\u0026C traffic in all the versions of this downloader, but the later versions increase the complexity of this C\u0026C protocol (SC5k\r\nv3) and add detection evasion capabilities (SC5k v2). This section focuses on highlighting these differences.\r\nExchange account used for C\u0026C communication\r\nAt runtime, SC5k connects to a remote Exchange server via the EWS API to obtain additional payloads and commands to\r\nexecute from an email account shared with the attacker (and usually other victims). 
By default, a Microsoft Office 365\r\nOutlook account is accessed via the https://outlook.office365.com/EWS/Exchange.asmx URL using hardcoded credentials,\r\nbut some SC5k versions also have the capability to connect to other remote Exchange servers when a configuration file is\r\npresent with a hardcoded name (setting.key, set.idl) and the corresponding credentials inside.\r\nWe have seen the following email addresses used by SC5k versions for C\u0026C communication, the first of which gave the\r\ndownloader its name:\r\nsamplecheck5000@outlook.com\r\nFrancesLPierce@outlook.com\r\nSandraRCharles@outlook.com\r\nIn SC5k v2, the default Microsoft Exchange URL, email address, and password are not included in the main module –\r\ninstead, the downloader’s code has been split into multiple modules. We have detected only variations of the main\r\napplication, which logs into a remote Exchange server, iterates through emails in the Drafts directory, and extracts additional\r\npayloads from their attachments. 
However, this application depends on two external classes that were not present in the\r\ndetected samples and are probably implemented in the missing module(s):\r\nThe class init should provide an interface to obtain the email address, username, and password required to log into\r\nthe remote Exchange account, and other configuration values from the other module.\r\nThe class structure should implement functions used for encryption, compression, executing downloaded payloads,\r\nand other helper functions.\r\nThese changes were likely introduced to make retrieval and analysis of the malicious payloads harder for analysts, as the\r\ntwo missing classes are crucial for identifying the Exchange account used for malware distribution.\r\nC\u0026C and exfiltration protocol\r\nIn all versions, the SC5k downloader repeatedly logs into a remote Exchange server using the ExchangeService .NET class\r\nin the Microsoft.Exchange.WebServices.Data namespace to interact with the EWS API. Once connected, SC5k reads email\r\nmessages with attachments in the Drafts directory to extract attacker commands and additional payloads. Conversely, in\r\neach connection, SC5k exfiltrates files from a local staging directory by creating new email drafts in the same email\r\naccount. The path to the staging directory varies across samples.\r\nOf interest is the way both the operators and various instances of this downloader can distinguish between the different types\r\nof drafts in the shared email account. 
For one, each email draft has a \u003cvictimID\u003e incorporated, which allows the same\r\nExchange account to be used for multiple OilRig victims:\r\nFor v1 and v2, the downloader transmits the \u003cvictimID\u003e as a custom attribute of the email draft via the\r\nSetExtendedProperty method.\r\nFor v3, the downloader incorporates the \u003cvictimID\u003e into the From field of the email draft.\r\nThe \u003cvictimID\u003e is typically generated using the compromised system’s information, such as the system volume ID or the\r\ncomputer name, as shown in Figure 2.\r\nFigure 2. SC5k v3 calculates a \u003cvictimID\u003e from the compromised computer’s name\r\nFurthermore, various email properties can be used to distinguish between messages created by the operators (commands,\r\nadditional payloads) and messages created by the malware instances (command outputs, exfiltrated files). SC5k v1 and v2\r\nuse file extensions (of the draft attachments) to make that distinction, while SC5k v3 uses the From and MailItem.Categories\r\nfields of the email draft to distinguish between various actions. At each point, the email drafts in the shared email account\r\ncan serve various purposes, as summarized in Table 2 and explained below. Note that the email addresses used in the From\r\nfield are not genuine; because SC5k never sends out any actual email messages, these attributes are only used to distinguish\r\nbetween different malicious actions.\r\nTable 2. 
Types of email messages used by SC5k v3 for C\u0026C communications\r\nFrom: \u003cvictimID\u003e@yahoo.com; MailItem.Categories: N/A; Created by: SC5k v3 instance; Details: Created to register the victim with the C\u0026C server, and renewed periodically to indicate that the malware is still active.\r\nFrom: \u003cvictimID\u003e@outlook.com; MailItem.Categories: file; Created by: C\u0026C server; Details: Attached file is decrypted, decompressed, and dumped on the victim’s computer.\r\nFrom: \u003cvictimID\u003e@outlook.com; MailItem.Categories: Other than file; Created by: C\u0026C server; Details: Attached command is decrypted, decompressed, then passed as an argument to a file already present on the compromised machine, presumably a command interpreter.\r\nFrom: \u003cvictimID\u003e@aol.com; MailItem.Categories: file; Created by: SC5k v3 instance; Details: Created to exfiltrate a file from a staging directory.\r\nFrom: \u003cvictimID\u003e@aol.com; MailItem.Categories: text; Created by: SC5k v3 instance; Details: Created to send command output to the C\u0026C server.\r\nMore specifically, SC5k v3 processes (and then deletes) those email messages from the shared Exchange account that have\r\nthe From field set to \u003cvictimID\u003e@outlook.com, and distinguishes between commands and additional payloads by the\r\nmessage category (MailItem.Categories):\r\nFor payloads, the attached file is XOR decrypted using the hardcoded key \u00265z, then gzip decompressed and dumped\r\nin the working directory.\r\nFor shell commands, the draft attachment is base64 decoded, XOR decrypted, and then executed locally using\r\ncmd.exe or, in the case of SC5k v3, using a custom command interpreter located under the name\r\n\u003cbaseDirectory\u003e\\*Ext.dll. 
This file is then loaded via Assembly.LoadFrom, and its extend method invoked with the\r\ncommand passed as an argument.\r\nTo communicate with the attackers, SC5k v3 creates draft messages with a different From field: \u003cvictimID\u003e@aol.com.\r\nAttached to these messages are outputs of previously received commands, or contents of the local staging directory. Files are\r\nalways gzip compressed and XOR encrypted before being uploaded to the shared mailbox, while shell commands and\r\ncommand outputs are XOR encrypted and base64 encoded.\r\nFinally, SC5k v3 repeatedly creates a new draft on the shared Exchange account with the From field set to\r\n\u003cvictimID\u003e@yahoo.com, to indicate to the attackers that this downloader instance is still active. This keep-alive message,\r\nwhose construction is shown in Figure 3, has no attachment and is renewed with each connection to the remote Exchange\r\nserver.\r\nFigure 3. Keep-alive functionality implemented by the SC5k v3 downloader\r\nOther OilRig tools using email-based C\u0026C protocol\r\nBesides SC5k, other notable OilRig tools have been discovered subsequently (in 2022 and 2023) that abuse APIs of\r\nlegitimate cloud-based email services for exfiltration and both directions of their C\u0026C communication.\r\nOilCheck, a C#/.NET downloader discovered in April 2022, also uses draft messages created in a shared email account for\r\nboth directions of the C\u0026C communication. Unlike SC5k, OilCheck uses the REST-based Microsoft Graph API to access a\r\nshared Microsoft Office 365 Outlook email account, not the SOAP-based Microsoft Office EWS API. 
While SC5k uses the\r\nbuilt-in ExchangeService .NET class to create the API requests transparently, OilCheck builds the API requests manually.\r\nThe main characteristics of OilCheck are summarized in Table 1 above.\r\nEarlier in 2023, two other OilRig backdoors were publicly documented: MrPerfectionManager (Trend Micro, February\r\n2023) and PowerExchange (Symantec, October 2023), both using email-based C\u0026C protocols to exfiltrate data. A notable\r\ndifference between these tools and OilRig’s downloaders studied in this blogpost is that the former use the victimized\r\norganization’s Exchange server to transmit email messages from and to the attacker’s email account. In contrast, with SC5k\r\nand OilCheck, both the malware and the operator accessed the same Exchange account and communicated by creating email\r\ndrafts, never sending an actual message.\r\nIn any case, the new findings confirm the trend of OilRig shifting away from the previously used HTTP/DNS-based\r\nprotocols to using legitimate cloud service providers as a way to hide its malicious communication and to mask the group’s\r\nnetwork infrastructure, while still experimenting with various flavors of such alternative protocols.\r\nOilBooster downloader\r\nOilBooster is a 64-bit portable executable (PE) written in Microsoft Visual C/C++ with statically linked OpenSSL and Boost\r\nlibraries (hence the name). Like OilCheck, it uses the Microsoft Graph API to connect to a Microsoft Office 365 account.\r\nUnlike OilCheck, it uses this API to interact with a OneDrive (not Outlook) account controlled by the attackers for C\u0026C\r\ncommunication and exfiltration. 
OilBooster can download files from the remote server, execute files and shell commands,\r\nand exfiltrate the results.\r\nOverview\r\nUpon execution, OilBooster hides its console window (via the ShowWindow API) and verifies that it was executed with a\r\ncommand line argument; otherwise it terminates immediately.\r\nOilBooster then builds a \u003cvictimID\u003e by combining the compromised computer’s hostname and username: \u003chostname\u003e-\r\n\u003cusername\u003e. This identifier is later used in the C\u0026C communication: OilBooster creates a specific subdirectory on the\r\nshared OneDrive account for each victim, which is then used to store backdoor commands and additional payloads\r\n(uploaded by the operators), command results, and exfiltrated data (uploaded by the malware). This way, the same OneDrive\r\naccount can be shared by multiple victims.\r\nFigure 4 shows the structure of the shared OneDrive account and the local working directory, and summarizes the C\u0026C\r\nprotocol.\r\nFigure 4. Overview of OilBooster’s C\u0026C communication protocol using a shared OneDrive account\r\nAs shown in Figure 4, the OilRig operator uploads backdoor commands and additional payloads to the victim-specific\r\ndirectory on OneDrive, as files with the .doc and .docx extensions, respectively. On the other end of the C\u0026C protocol,\r\nOilBooster uploads command results and exfiltrated data as files with the .xls and .xlsx extensions, respectively. Note that\r\nthese are not genuine Microsoft Office files, but rather JSON files with XOR-encrypted and base64-encoded values.\r\nFigure 5 shows OilBooster spawning instances of two threads in an indefinite loop, sleeping for 153,123 milliseconds after\r\neach iteration:\r\nFigure 5. OilBooster’s main function\r\nBoth threads interact with the shared OneDrive account:\r\n1. 
A downloader thread handles C\u0026C communication and executes downloaded payloads.\r\n2. An exfiltration thread exfiltrates data from the local staging directory.\r\nThe downloader thread connects to the attacker-controlled OneDrive account and iterates through all files with the .doc and\r\n.docx extensions, which are then downloaded, decrypted, and parsed in order to extract and execute additional payloads on\r\nthe compromised host. A local subdirectory named items in the current working directory (where OilBooster is deployed) is\r\nused to store the downloaded files. As shown in Figure 6, each connection attempt is handled in a separate thread instance,\r\nlaunched once every 53,123 milliseconds.\r\nThe exfiltration thread iterates over another local subdirectory, named tempFiles, and exfiltrates its contents to the shared\r\nOneDrive account, which are uploaded there as individual files with the .xlsx extension. The staging directory is cleared this\r\nway once every 43,123 milliseconds in a separate thread instance, as also seen in Figure 6.\r\nFigure 6. Each iteration of the downloader and exfiltration loops is spawned in a new thread\r\nNetwork communication\r\nFor C\u0026C communication and exfiltration, OilBooster uses the Microsoft Graph API to access the shared OneDrive account,\r\nusing a variety of HTTP GET, POST, PUT, and DELETE requests to the graph.microsoft.com host over the standard 443\r\nport. For brevity, we will also refer to these requests as OneDrive API requests. 
The encrypted communication is facilitated\r\nby the statically linked OpenSSL library, which handles the SSL communication.\r\nTo authenticate with the OneDrive account, OilBooster first obtains the OAuth2 access token from the Microsoft identity\r\nplatform (the authorization server) by sending a POST request with the following body over port 443 to\r\nlogin.microsoftonline.com/common/oauth2/v2.0/token, using hardcoded credentials:\r\nclient_id=860b23a7-d484-481d-9fea-d3e6e129e249\r\n\u0026redirect_uri=https://login.live.com/oauth20_desktop.srf\r\n\u0026client_secret=\u003credacted\u003e\r\n\u0026refresh_token=\u003credacted\u003e\r\n\u0026grant_type=refresh_token\r\nOilBooster obtains a new access token this way, which will be used in the Authorization header of the subsequent OneDrive\r\nAPI requests, along with a new refresh token. OilBooster also has a backup channel to request a new refresh token from its\r\nC\u0026C server after 10 consecutive unsuccessful connections to the OneDrive server. As shown in Figure 7, the new token can\r\nbe acquired by sending a simple HTTP GET request on port 80 to host1[.]com/rt.ovf (a legitimate, likely compromised\r\nwebsite), which should be followed by the new refresh token in cleartext in the HTTP response.\r\nFigure 7. OilBooster can request a new refresh token from its fallback C\u0026C server after 10 unsuccessful\r\nconnection attempts to the abused OneDrive account\r\nThe various network connections made by OilBooster are summarized in Figure 8.\r\nFigure 8. 
Overview of OilBooster’s network communications\r\nDownloader loop\r\nIn the downloader loop, OilBooster repeatedly connects to the shared OneDrive account to obtain a list of files with the\r\n.docx and .doc extensions in the victim-specific subdirectory named \u003cvictimID\u003e/items/ by sending an HTTP GET request\r\nover port 443 to this URL:\r\ngraph.microsoft.com/v1.0/me/drive/root:/\u003cvictimID\u003e/items:/children?\r\n$filter=endsWith(name,'.doc')%20or%20endsWith(name,'.docx')\u0026$select=id,name,file\r\nIf the connection is not successful (the HTTP_STATUS_DENIED response status) after 10 attempts, OilBooster connects to\r\nits fallback C\u0026C server, host1[.]com/rt.ovf, to acquire a new refresh token, as discussed earlier.\r\nAlternatively, if the specified directory does not yet exist (HTTP_STATUS_NOT_FOUND), OilBooster first registers the\r\nvictim on the shared OneDrive account by sending an HTTP POST request over port 443 to this URL:\r\ngraph.microsoft.com/v1.0/me/drive/items/root:/\u003cvictimID\u003e:/children with the JSON string {\"name\": \"items\",\"folder\":{}} as\r\nthe request body, as shown in Figure 9. This request creates the whole directory structure \u003cvictimID\u003e/items at the same\r\ntime, which will later be used by the attackers to store commands and additional payloads disguised as .doc and .docx files.\r\nFigure 9. 
On first connection, OilBooster creates a victim-specific directory on the shared OneDrive account\r\nOn subsequent connections (HTTP_STATUS_OK, i.e. HTTP 200), OilBooster processes the listed files to extract and execute payloads. It downloads each file from the OneDrive account and deletes it from OneDrive once the file has been processed.\r\nFinally, after going through all the .doc and .docx files downloaded from the OneDrive subdirectory, OilBooster records the last connection timestamp (the current GMT time) by creating a new file named setting.ini in the victim’s OneDrive subdirectory, via an HTTP PUT request on port 443 to this URL: graph.microsoft.com/v1.0/me/drive/root:/\u003cvictimID\u003e/setting.ini:/content. This gives the operators a per-victim last-seen marker that they can read from the account alone.\r\nProcessing .doc files\r\nFiles with the .doc extension downloaded from the shared OneDrive account are in fact JSON files with encrypted commands to be executed on the compromised host. Once a \u003cfilename\u003e.doc is downloaded, OilBooster parses the values named s (part of the decryption key) and c (encrypted command) from the file content. It first base64 decodes, then XOR decrypts the c value, using a four-character key created by appending the last two characters of the s value to the last two characters of \u003cfilename\u003e. The key thus depends on both the file name and the file content, so an analyst decrypting a recovered command needs the name under which it was stored on the account, not just the JSON.\r\nAfter decryption, OilBooster executes the command line in a new thread using the CreateProcessW API, and reads the command result via an unnamed pipe connected to the process. 
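The command-file decryption just described, together with the .docx payload and exfiltration transforms that the following paragraphs describe, as an added example that is not code from the original post or from ESET: a small Python encoder and decoder for the three OilBooster file formats, written so that files recovered from the shared account or from the local items and tempFiles directories can be decoded offline. It assumes a repeating-key XOR (the report names the cipher, not the key schedule), takes the command-key byte order (file name characters first, then s characters) from the report's wording, and uses constructed file names, s value and command line as sample input.

```python
import base64
import gzip
import json
from typing import Optional

# Added example: re-implements the OilBooster file transforms described in the report
# (command files, payload files, exfiltration files) so that artifacts recovered from
# the shared OneDrive account or from the local staging directories can be decoded
# offline. All sample names and values used below are constructed, not real OilRig data.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR. The report names the XOR cipher but not the key schedule,
    # so cycling the key over the data is an assumption.
    if not key:
        raise ValueError('empty XOR key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def strip_suffix(name: str, suffix: str) -> str:
    return name[:-len(suffix)] if name.lower().endswith(suffix) else name


def doc_command_key(filename_stem: str, s_value: str) -> bytes:
    # Last two characters of the .doc name (extension stripped) followed by the last
    # two characters of the JSON s value. ASSUMPTION: this byte order is read from the
    # report's wording; if a real sample decrypts to garbage, swap the two halves.
    return (filename_stem[-2:] + s_value[-2:]).encode()


def decrypt_doc_command(filename: str, content: bytes) -> str:
    # A <filename>.doc is really JSON: s carries key material, c is base64(xor(command)).
    fields = json.loads(content)
    key = doc_command_key(strip_suffix(filename, '.doc'), fields['s'])
    return xor_bytes(base64.b64decode(fields['c']), key).decode()


def build_doc_command(filename: str, s_value: str, command_line: str) -> bytes:
    # Operator-side inverse of decrypt_doc_command; used here only to construct a sample.
    key = doc_command_key(strip_suffix(filename, '.doc'), s_value)
    encrypted = base64.b64encode(xor_bytes(command_line.encode(), key)).decode()
    return json.dumps({'s': s_value, 'c': encrypted}).encode()


def extension_key(original_name: str) -> Optional[bytes]:
    # Payload and exfiltration files are keyed with '.' + the original extension.
    if '.' not in original_name:
        return None
    return ('.' + original_name.rsplit('.', 1)[1]).encode()


def _unwrap(remote_name: str, wrapper: str, content: bytes, default_key: Optional[bytes]) -> tuple:
    # Strip the disguise extension, XOR with the extension key, then gzip decompress.
    original_name = strip_suffix(remote_name, wrapper)
    key = extension_key(original_name) or default_key
    if key is None:
        raise ValueError('no original extension and no documented default key for ' + remote_name)
    return original_name, gzip.decompress(xor_bytes(content, key))


def unpack_docx_payload(remote_name: str, content: bytes) -> tuple:
    # <filename>.<ext>.docx from the operators -> (<filename>.<ext>, plaintext).
    # The report documents no default key for a payload without an extension,
    # so none is assumed here.
    return _unwrap(remote_name, '.docx', content, None)


def pack_for_exfil(local_name: str, content: bytes) -> tuple:
    # Victim-side exfiltration: gzip, then XOR with '.<ext>', or with 4cx when the
    # file has no extension. Returns the remote name and the encrypted bytes.
    key = extension_key(local_name) or b'4cx'
    return local_name + '.xlsx', xor_bytes(gzip.compress(content), key)


def decode_exfil_file(remote_name: str, content: bytes) -> tuple:
    # Analyst-side inverse of pack_for_exfil for <filename>.<ext>.xlsx recovered
    # from the shared account.
    return _unwrap(remote_name, '.xlsx', content, b'4cx')


if __name__ == '__main__':
    command_file = build_doc_command('a1b2c3.doc', 'k9zq', 'whoami /all')
    print(decrypt_doc_command('a1b2c3.doc', command_file))
    remote, blob = pack_for_exfil('note.txt', b'constructed sample content')
    print(remote, decode_exfil_file(remote, blob))
```

If a real command file decrypts to garbage, swap the two halves of the key in doc_command_key: the report's phrasing is the only evidence for the order. The 4cx default applies to outbound files only; the report does not say how OilBooster keys a payload whose original name has no extension, so unpack_docx_payload refuses rather than guess. Because the payload and exfiltration transforms are mutual inverses under the same extension key, the same functions decode both directions of traffic.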
Once the command has run, OilBooster uploads its output to the shared OneDrive account as a new file named \u003cfilename\u003e.xls by sending an HTTP PUT request over port 443 to graph.microsoft.com/v1.0/me/drive/root:/\u003cvictimID\u003e/items/\u003cfilename\u003e.xls:/content.\r\nProcessing .docx files\r\nFiles with the .docx extension downloaded from the shared OneDrive account are in fact compressed and encrypted files named \u003cfilename\u003e.\u003coriginal extension\u003e.docx that will be dropped and unpacked on the compromised system. OilBooster first downloads the encrypted file to the local directory named \u003ccurrentdir\u003e\\items, using the original full filename. In the next step, it reads and decrypts the file content using an XOR cipher with .\u003coriginal extension\u003e as the decryption key, writes the result in the same directory to a file named \u003cfilename\u003e.\u003coriginal extension\u003e.doc, and deletes the first file. Finally, OilBooster reads and gzip decompresses the decrypted file, writes the result in the same directory to a file named \u003cfilename\u003e.\u003coriginal extension\u003e, and deletes the intermediate one.\r\nNote the unnecessary creation of several files in the process: this is typical for OilRig. We previously described the group’s noisy operations on compromised hosts in its Out to Sea campaign. For a responder, the same habit is an opportunity, since the decrypted and decompressed intermediates are written to \u003ccurrentdir\u003e\\items before being deleted and may be recoverable from the file system.\r\nExfiltration loop\r\nIn the exfiltration thread, OilBooster loops over the contents of the local directory named \u003ccurrentdir\u003e\\tempFiles, and uploads the file contents to the victim’s folder on the shared OneDrive account. 
Each file is processed in this way:\r\nOilBooster gzip compresses the original file \u003cfilename\u003e.\u003coriginal extension\u003e and writes the result to a file named \u003cfilename\u003e.\u003coriginal extension\u003e.xlsx in the same directory.\r\nIt then encrypts the compressed file using an XOR cipher and .\u003coriginal extension\u003e as the key. If there is no file extension, 4cx is used as the default key.\r\nFinally, the encrypted file is uploaded to the OneDrive account, and the local file is deleted.\r\nNone of the .doc, .docx, .xls or .xlsx files exchanged this way are real Office documents; the extensions only make the listings of the shared account look like ordinary user content.\r\nODAgent downloader: OilBooster’s precursor\r\nODAgent is a C#/.NET application that uses the Microsoft Graph API to access an attacker-controlled OneDrive account for C\u0026C communication and exfiltration; in short, ODAgent is loosely a C#/.NET precursor of OilBooster. Similar to OilBooster, ODAgent repeatedly connects to the shared OneDrive account and lists the contents of the victim-specific folder to obtain additional payloads and backdoor commands.\r\nAs shown in Figure 10, ODAgent then parses the metadata for each remote file. Subsequently, it uses the value of the mimeType key associated with the file to distinguish between backdoor commands (formatted as JSON files) and encrypted payloads; this is unlike OilBooster, which uses file extensions for that distinction. After processing a file locally, ODAgent deletes the original from the remote OneDrive directory via the OneDrive API.\r\nFigure 10. ODAgent’s code responsible for parsing JSON files obtained from the shared OneDrive account\r\nIf the downloaded file is a JSON file, ODAgent parses the a1 (command ID), a2 (encrypted backdoor command) and a3 (secret) arguments. 
It first derives the session key by XORing the provided secret with the hardcoded value 15a49w@]. Then, it base64 decodes and XOR decrypts the backdoor command using this session key. Table 3 lists all backdoor commands supported by ODAgent.\r\nTable 3. Backdoor commands supported by ODAgent\r\nBackdoor command | Description\r\nodt\u003e | Returns the path to the current working directory.\r\ndly\u003e\u003cdelaytime\u003e | Configures the number of seconds to wait after each connection to \u003cdelaytime\u003e.\r\n\u003ccommandline\u003e | Executes the specified \u003ccommandline\u003e via the native API and returns the command output.\r\nOther (non-JSON) files downloaded from the shared OneDrive account are encrypted files and additional payloads. ODAgent XOR decrypts these files with the hardcoded key 15a49w@] and drops them in the local \u003ccurrentdir\u003e\\o directory under the same filename. If the original file has a .c extension, its content is also gzip decompressed (and the extension is then dropped from the filename). Since the payload key is static, and the command key is only the per-message secret XORed with that same static value, every file recovered from an ODAgent account can be decrypted with the hardcoded value alone, plus, for commands, the a3 secret carried in the JSON itself.\r\nAt the end of each connection, ODAgent uploads the contents of the local directory \u003ccurrentdir\u003e\\i to the \u003cvictimID\u003e/i directory on the shared OneDrive account, preserving the original filenames with the added .c extension.\r\nFigure 11. ODAgent’s exfiltration loop\r\nConclusion\r\nThroughout 2022, OilRig developed a series of new downloaders, all using a variety of legitimate cloud storage and cloud-based email services as their C\u0026C and exfiltration channels. These downloaders were deployed exclusively against targets in Israel, often against the same targets within a few months. 
As all of these targets were previously affected by other OilRig tools, we conclude that OilRig uses this class of lightweight but effective downloaders as its tool of choice to maintain access to networks of interest.\r\nThese downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C\u0026C protocols, except that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts rather than the victim’s internal infrastructure. All these activities confirm an ongoing switch to legitimate cloud service providers for C\u0026C communication, as a way to hide the malicious communication and mask the group’s network infrastructure.\r\nOn par with the rest of OilRig’s toolset, these downloaders are not particularly sophisticated, and are, again, unnecessarily noisy on the system. However, the continuous development and testing of new variants, the experimenting with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again make OilRig a group to watch out for.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n0F164894DC7D8256B66D0EBAA7AFEDCF5462F881 | CCLibrary.exe | MSIL/OilRig.A | OilRig downloader - SC5k v1.\r\n2236D4DCF68C65A822FF0A2AD48D4DF99761AD07 | acrotray.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\n35E0E78EC35B68D3EE1805EECEEA352C5FE62EB6 | mscom.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\n51B6EC5DE852025F63740826B8EDF1C8D22F9261 | CCLibrary.exe | MSIL/OilRig.A | OilRig downloader - SC5k v1.\r\n6001A008A3D3A0C672E80960387F4B10C0A7BD9B | acrotray.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\n7AD4DCDA1C65ACCC9EF1E168162DE7559D2FDF60 | AdobeCE.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\nBA439D2FC3298675F197C8B17B79F34485271498 | AGSService.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\nBE9B6ACA8A175DF61F2C75932E029F19789FD7E3 | CCXProcess.exe | MSIL/OilRig.A | OilRig downloader - SC5k v1.\r\nC04F874430C261AABD413F27953D30303C382953 | AdobeCE.exe | MSIL/OilRig.A | OilRig downloader - SC5k v1.\r\nC225E0B256EDB9A2EA919BACC62F29319DE6CB11 | mscom.exe | MSIL/OilRig.A | OilRig downloader - SC5k v1.\r\nE78830384FF14A58DF36303602BC9A2C0334A2A4 | armsvc.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\nEA8C3E9F418DCF92412EB01FCDCDC81FDD591BF1 | node.exe | MSIL/OilRig.D | OilRig downloader - SC5k v1.\r\n1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E | consoleapp.exe | Win64/OilBooster.A | OilRig downloader - OilBooster.\r\n3BF19AE7FB24FCE2509623E7E0D03B5A872456D4 | owa.service.exe | MSIL/OilRig.D | OilRig downloader - SC5k v2.\r\nAEF3140CD0EE6F49BFCC41F086B7051908B91BDD | owa.service.exe | MSIL/OilRig.D | OilRig downloader - SC5k v2.\r\nA56622A6EF926568D0BDD56FEDBFF14BD218AD37 | owa.service.exe | MSIL/OilRig.D | OilRig downloader - SC5k v2.\r\nAAE958960657C52B848A7377B170886A34F4AE99 | LinkSync.exe | MSIL/OilRig.F | OilRig downloader - SC5k v3.\r\n8D84D32DF5768B0D4D2AB8B1327C43F17F182001 | AppLoader.exe | MSIL/OilRig.M | OilRig downloader - OilCheck.\r\nDDF0B7B509B240AAB6D4AB096284A21D9A3CB910 | CheckUpdate.exe | MSIL/OilRig.M | OilRig downloader - OilCheck.\r\n7E498B3366F54E936CB0AF767BFC3D1F92D80687 | ODAgent.exe | MSIL/OilRig.B | OilRig downloader - ODAgent.\r\nA97F4B4519947785F66285B546E13E52661A6E6F | N/A | MSIL/OilRig.N | Help utility used by OilRig's OilCheck downloader - CmEx.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n188.114.96[.]2 | host1[.]com | Cloudflare, Inc. | 2017-11-30 | A legitimate, likely compromised website misused by OilRig as a fallback C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | OilRig has registered a domain for use in C\u0026C communications.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | OilRig has acquired a server to be used as a backup channel for the OilBooster downloader.\r\nResource Development | T1583.006 | Acquire Infrastructure: Web Services | OilRig has set up Microsoft Office 365 OneDrive and Outlook accounts, and possibly other Exchange accounts, for use in C\u0026C communications.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | OilRig has developed a variety of custom downloaders for use in its operations: SC5k versions, OilCheck, ODAgent, and OilBooster.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | OilRig operators have created new OneDrive accounts for use in their C\u0026C communications.\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts | OilRig operators have registered new Outlook, and possibly other, email addresses for use in their C\u0026C communications.\r\nResource Development | T1608 | Stage Capabilities | OilRig operators have staged malicious components and backdoor commands in legitimate Microsoft Office 365 OneDrive and Outlook, and other Microsoft Exchange accounts.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SC5k v1 and v2 use cmd.exe to execute commands on the compromised host.\r\nExecution | T1106 | Native API | OilBooster uses the CreateProcessW API function for execution.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | OilRig’s downloaders use string stacking to obfuscate embedded strings, and the XOR cipher to encrypt backdoor commands and payloads.\r\nDefense Evasion | T1480 | Execution Guardrails | OilRig’s OilBooster requires an arbitrary command line argument to execute the malicious payload.\r\nDefense Evasion | T1564.003 | Hide Artifacts: Hidden Window | Upon execution, OilBooster hides its console window.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | OilRig’s downloaders delete local files after a successful exfiltration, and delete files or email drafts from the remote cloud service account after these have been processed on the compromised system.\r\nDefense Evasion | T1202 | Indirect Command Execution | SC5k v3 and OilCheck use custom command interpreters to execute files and commands on the compromised system.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | OilBooster mimics legitimate paths.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | OilRig has used various methods to obfuscate strings and payloads embedded in its downloaders.\r\nDiscovery | T1082 | System Information Discovery | OilRig’s downloaders obtain the compromised computer name.\r\nDiscovery | T1033 | System Owner/User Discovery | OilRig’s downloaders obtain the victim’s username.\r\nCollection | T1560.003 | Archive Collected Data: Archive via Custom Method | OilRig’s downloaders gzip compress data before exfiltration.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | OilRig’s downloaders create central staging directories for use by other OilRig tools and commands.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | OilRig’s downloaders use base64 encoding for data exchanged with the C\u0026C server.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | OilRig’s downloaders use the XOR cipher to encrypt data in C\u0026C communication.\r\nCommand and Control | T1008 | Fallback Channels | OilBooster can use a secondary channel to obtain a new refresh token to access the shared OneDrive account.\r\nCommand and Control | T1105 | Ingress Tool Transfer | OilRig’s downloaders have the capability to download additional files from the C\u0026C server for local execution.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | OilRig’s downloaders use legitimate cloud service providers for C\u0026C communication.\r\nExfiltration | T1020 | Automated Exfiltration | OilRig’s downloaders automatically exfiltrate staged files to the C\u0026C server.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | OilRig’s downloaders use their C\u0026C channels for exfiltration.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | OilBooster and ODAgent exfiltrate data to shared OneDrive accounts.\r\nExfiltration | T1567 | Exfiltration Over Web Service | SC5k and OilCheck exfiltrate data to shared Exchange and Outlook accounts.\r\nSource: https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/"
	],
	"report_names": [
		"oilrig-persistent-attacks-cloud-service-powered-downloaders"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71c864e9b9fe3ecf65188a8d41e5fed057873005.pdf",
		"text": "https://archive.orkl.eu/71c864e9b9fe3ecf65188a8d41e5fed057873005.txt",
		"img": "https://archive.orkl.eu/71c864e9b9fe3ecf65188a8d41e5fed057873005.jpg"
	}
}