OilRig Targets Middle Eastern Telecommunications Organizations

By Edgar Namoca on October 15, 2020

(By: Edgar Namoca on September 17, 2020)

Executive Summary

On July 22, 2020, an article was published on research into recent targeted attacks on Middle Eastern telecommunications organizations.  The research was done by Unit 42, a cyber security research group within Palo Alto Networks.  When analyzing the attacks on the Middle Eastern telecommunications organizations, researchers discovered a variant of a tool called RDAT, which is associated with advanced persistent threat (APT) 34, also referred to as OilRig by Unit 42 and better known as Helix Kitten, the Iranian hacker group.  In May 2020, Symantec published research on an APT going by the name Greenbug, which was also targeting telecommunications organizations in Southeast Asia.  The attacks researched by Symantec were as recent as April 2020.  Both sets of attacks used custom Mimikatz tools, Bitvise, PowerShell downloaders, and a custom backdoor.  This set of tools was tracked as RDAT by Unit 42, which had previously linked Greenbug to OilRig.  Later, Unit 42 determined that Greenbug and OilRig are two separate actors, because Greenbug used a different command and control channel for its backdoor.

History

RDAT first surfaced on October 17, 2017, 11 days after Unit 42 published a paper exposing the web shell activity that OilRig had previously used.  After gaining access to the victim's computer through the web shell, RDAT is believed to be used to maintain continued access to the victim.  Since 2017, 13 attacks following a similar operation have been captured.  In April 2020, a potential breach of a telecommunications organization in the Middle East was observed.  The files used during the breach included custom Mimikatz samples for dumping system credentials, a Bitvise client to create SSH tunnels, RDAT, and ISMDOOR, a known OilRig tool used for DNS tunneling.  A capture of RDAT used against Middle Eastern telecommunications organizations on March 1, 2020 gained access to a server of the telecommunications organization by exploiting a web shell.  This followed the same pattern of using Mimikatz, Bitvise, and RDAT to create a backdoor for extended control of the server.  Once the adversaries had control of the server, they configured it to use the domain rsshay.com as their command and control domain.  This capture of RDAT used DNS tunneling to issue commands to the compromised server, and RDAT was used by the adversaries to exfiltrate data.  The adversaries attempted to obfuscate the exfiltrated data by encoding it in base32 and then encrypting it with AES using a 16-bit key.  The most recent version of RDAT that was captured used Exchange Web Services as its command and control channel and steganography to hide data.

Operation of RDAT

The newest capture of RDAT starts by obtaining a compromised account to receive emails from the threat actor.  The adversary used two email accounts in the latest capture; these were used to send and receive the emails that command and control the compromised host.  The adversaries then set inbox rules to move emails from the compromised email accounts to the junk folder.  RDAT continually checks the junk folder for emails sent by the threat actors.  The payload sent by the threat actors is hidden within BMP images.  To exfiltrate data, the compromised computer drafts an email to the adversary, attaches a BMP image with the hidden data inside it, and later sends it to the threat actor's email address.  The sending and receiving of emails is done through POST requests programmed into the RDAT tool.
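The inbox rules described above, which push the actor's command emails into the junk folder, leave a trace in mailbox audit logs. As an added defender-side example (not code from the original post or from Unit 42), the following flags rule-creation records whose parameters hide mail from the user; the audit record layout and the sample entries are constructed here and are assumptions, not log data from the RDAT campaign.

```python
import json

# Constructed sample records in the shape of Exchange / Microsoft 365 unified
# audit log entries (field names and values are assumed, not from the campaign).
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "user1@example.test",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "filter"},
                               {"Name": "From", "Value": "ops@example.test"},
                               {"Name": "MoveToFolder", "Value": "Junk Email"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "user2@example.test",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "Digest"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "user3@example.test",
                "Parameters": [{"Name": "Identity", "Value": "user3"}]}),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders a user rarely reads; a rule routing mail here hides it in plain sight.
HIDING_FOLDERS = {"junk email", "junk e-mail", "deleted items", "rss feeds"}


def suspicious_inbox_rules(records):
    """Return one finding per rule record that routes mail out of the user's sight."""
    findings = []
    for line in records:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        folder = params.get("MoveToFolder", "")
        hides = folder.lower() in HIDING_FOLDERS or params.get("DeleteMessage") == "True"
        if not hides:
            continue
        reasons = [f"moves matching mail to '{folder}'" if folder else "deletes matching mail"]
        if params.get("MarkAsRead") == "True":
            reasons.append("marks mail as read")      # suppresses unread counts
        if "From" in params:
            reasons.append(f"keyed on sender {params['From']}")  # one sender, one channel
        findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                         "rule": params.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print(finding)
```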

Conclusion

RDAT is a backdoor tool used by the OilRig threat group.  The tool has been in development for the last few years and is now becoming more complex.  It has appeared in multiple versions with different functions and methods of communication.  In the most recent attack, RDAT used Exchange Web Services to send and receive messages with the threat actors, using steganography to hide the messages in images.  This malware shows the evolution and determination of adversaries over time.
