Zuzana Hromcova

They spilled oil in my health-boosting smoothie: How OilRig keeps access to healthcare orgs and Israeli local governments

OilRig is a well-known Iran-aligned cyberespionage group, allegedly under the MOIS (Ministry of Intelligence and Security), that has been targeting Middle Eastern governments and a variety of business verticals since at least 2014. In this presentation, we study the group’s persistent attacks on Israeli healthcare and local governments, often with the same organizations targeted multiple times over the course of several years, suggesting that OilRig considers them to be of high espionage value.

We look at the group through the eyes of an Israeli local government organization and a group of healthcare organizations that recovered from the Out to Sea compromise in 2021, only to find themselves retargeted by several versions of OilRig’s SC5k downloader, followed by the new OilBooster and Mango backdoors throughout 2022.

In the process, we disclose the previously undocumented 2021 Outer Space and 2022 Juicy Mix campaigns, notable for their new C# backdoors dubbed Solar and Mango, and a set of custom post-compromise tools that are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager. Although these are not sophisticated tools, they are tweaked frequently, and we inspect the added layers of obfuscation and detection evasion techniques.

Next, we discuss OilRig’s ongoing shift away from traditional C&C infrastructure towards Microsoft APIs. We look at the mechanism behind using the OneDrive API (OilBooster) and Microsoft Office 365 API (SC5k downloader) for their C&C communications, and the difficulty this presents for tracking OilRig.

Finally, we focus on the group’s characteristic TTPs that remain unchanged despite the constant stream of updated and newly developed tools – including their frequent coding mistakes, noisy presence on compromised systems, and other characteristics that allow us to keep a close eye on the group.

Zuzana Hromcová is a malware researcher at ESET’s Montréal research team. Her professional journey has been shaped by both her studies – she holds a master’s degree in computer science – and her interest in solving logical puzzles and challenges. A three-time Slovak sudoku champion, with numerous appearances at World Sudoku and World Puzzle Championships, she spent a decade sharpening her analytical skills for a job that was yet to come.
In 2016, she joined @ESETResearch and moved on from solving logical puzzles to dissecting malicious binaries and dismantling espionage campaigns. Zuzana focuses on targeted threats and is a frequent speaker at security conferences, having shared her research with audiences at RSAC, Black Hat, BlueHat IL, Virus Bulletin and other events.