Adam Burgher

Phosphorescent Connections and Shifting Oil Reserves: Overlap in Middle Eastern Threat Actors

In this presentation, we will discuss recent campaigns by Middle Eastern threat actors OilRig, APT35 (aka Phosphorous), and Agrius. Attendees will hear about a new OilRig campaign and their shift in C&C methodology; a sharp APT35 pivot from public vulnerability exploitation to an low-key custom backdoor campaign that is ongoing; and an Agrius wiping campaign called Fantasy Vacation that targets the diamond industry with ties to APT35.

OilRig is a cyberespionage group that has been active since at least 2014. The group targets Middle Eastern governments and a variety of business verticals. We will present recent OilRig activity targeting Israeli government officials with a solar system themed backdoor, Solar, and a downloader called SampleCheck5000 which uses a Microsoft API as a dead drop and a C&C server. We will discuss OilRig’s ongoing shift away from traditional C&C infrastructure towards Microsoft APIs and the difficulty that presents for tracking OilRig.

Then we will pivot to APT35 (aka Charming Kitten, TA453, Phosphorous, or COBALT MIRAGE), a group that targets education, government, healthcare organizations, human rights activists, and journalists in Israel, the Middle East, and the United States. We will disclose APT35’s newest campaign against targets in Israel that started in November 2021 and has continued undisclosed to today. We will discuss their backdoor’s efforts to stay under the radar and the tools and victims in common with Agrius and MuddyWater, and consider the possibility that these groups might be more closely related than previously discussed.

Lastly, we will discuss Agrius, a newer group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally.

Adam Burgher is a Senior Threat Intelligence Analyst in the security intelligence program at ESET. His primary role includes threat hunting and reverse engineering APTs.

Prior to joining ESET, he spent five years in the hospitality and retail verticals threat hunting and analyzing malware, and 10 years in similar roles with the U.S. government.