Security News > 2020 > July > OilRig APT Drills into Malware Innovation with Unique Backdoor
The backdoor first debuted as a proprietary OilRig weapon in 2017 and has gone through several updates since then, the firm noted, adding that timestamps indicate that OilRig added the steganography trick to RDAT's profile as far back as 2018.
"To send emails from the compromised host, the payload uses the email associated with the account logged into the compromised host, as it uses the WinHTTP library to make requests to the API, which automatically attempts to log onto Exchange using the default credentials," according to the report.
OilRig meanwhile communicates with RDAT in turn by sending emails to the compromised account.
"The payload will issue a request to the EWS API to check for unread emails from the actor's email addresses with an attachment," researchers said.
"If the payload obtains an email sent by the actor, the payload will process the response to the SOAP request and send additional requests to the EWS API to get the email, the attachment and the contents of the attachment. It then saves this content to a file in the %TEMP% folder with a '.bmp' file extension. It then issues a SOAP request to delete the processed email."