Security News > 2023 > December > OilRig targets Israel organizations with new lightweight downloaders

ESET researchers analyzed a growing series of new OilRig downloaders that the group used in several campaigns throughout 2022 to maintain access to target organizations of special interest, all located in Israel.

These downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors - other recent additions to OilRig's toolset that use email-based C&C protocols - with the difference that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts rather than the victim's internal infrastructure.

The downloader ODAgent was detected in the network of a manufacturing company in Israel - interestingly, the same organization was previously affected by OilRig's SC5k downloader, and later by another new downloader, OilCheck, between April and June 2022.

Throughout 2022, ESET observed the same pattern being repeated on multiple occasions, with new downloaders being deployed in the networks of previous OilRig targets: For example, between June and August 2022, ESET detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel.

OilRig has used these downloaders only against a limited number of targets, according to ESET telemetry, and all of them were persistently targeted months earlier by other OilRig tools.

As it is common for organizations to access Office 365 resources, OilRig's cloud service-powered downloaders can thus blend more easily into the regular stream of network traffic - apparently also the reason why the attackers chose to deploy these downloaders to a small group of especially interesting, repeatedly victimized targets.

News URL

https://www.helpnetsecurity.com/2023/12/15/oilrig-downloaders-attacks-israeli-organizations/