Security News > 2020 > July > OilRig APT Drills into Malware Innovation with Unique Backdoor
The backdoor first debuted as a proprietary OilRig weapon in 2017 and has gone through several updates since then, the firm noted, adding that timestamps indicate that OilRig added the steganography trick to RDAT's profile as far back as 2018.
"To send emails from the compromised host, the payload uses the email associated with the account logged into the compromised host, as it uses the WinHTTP library to make requests to the API, which automatically attempts to log onto Exchange using the default credentials," according to the report.
OilRig meanwhile communicates with RDAT in turn by sending emails to the compromised account.
"The payload will issue a request to the EWS API to check for unread emails from the actor's email addresses with an attachment," researchers said.
"If the payload obtains an email sent by the actor, the payload will process the response to the SOAP request and send additional requests to the EWS API to get the email, the attachment and the contents of the attachment. It then saves this content to a file in the %TEMP% folder with a '.bmp' file extension. It then issues a SOAP request to delete the processed email."
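The fetch-then-delete mailbox sequence quoted above is something a defender can hunt for in Exchange Web Services request logs. The following is an added detection example, not code from the Threatpost article or the underlying report; the log line format is constructed for illustration, and it assumes that the described steps map onto the EWS operations FindItem, GetItem, GetAttachment and DeleteItem issued from one client host in quick succession.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of EWS request log lines (hypothetical format:
# "<ISO timestamp> <client host> <EWS operation> <detail>").
SAMPLE_LOG = """\
2020-07-20T09:00:01 ws-17 FindItem Unread=true HasAttachments=true
2020-07-20T09:00:02 ws-17 GetItem ItemId=AAMk1
2020-07-20T09:00:03 ws-17 GetAttachment AttachmentId=AAMk1att
2020-07-20T09:00:04 ws-17 DeleteItem ItemId=AAMk1
2020-07-20T09:03:10 ws-04 FindItem Unread=true
2020-07-20T09:15:00 ws-04 GetItem ItemId=AAMk2
"""

# Operation chain the article attributes to RDAT: poll for unread mail with an
# attachment, fetch the item and its attachment, then delete the processed email.
PATTERN = ("FindItem", "GetItem", "GetAttachment", "DeleteItem")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def parse(log_text):
    """Yield (timestamp, host, operation) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_mailbox_c2_sequences(log_text, window=timedelta(minutes=5)):
    """Return (host, start_time) pairs where the full chain occurs within `window`."""
    by_host = defaultdict(list)
    for ts, host, op in parse(log_text):
        by_host[host].append((ts, op))
    hits = []
    for host, events in by_host.items():
        events.sort()
        # Every FindItem opens a candidate chain; walk the later events in order
        # and advance through PATTERN only while we stay inside the time window.
        for i, (start, op) in enumerate(events):
            if op != PATTERN[0]:
                continue
            idx = 1
            for ts, later_op in events[i + 1:]:
                if ts - start > window:
                    break
                if later_op == PATTERN[idx]:
                    idx += 1
                    if idx == len(PATTERN):
                        hits.append((host, start.isoformat()))
                        break
    return hits
```

A normal mail client rarely deletes a message seconds after reading its attachment, so a hit is worth correlating with a new '.bmp' written under %TEMP% on the same host.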
News URL
https://threatpost.com/oilrig-apt-unique-backdoor/157646/