Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API.[1] |
| Enterprise | T1217 | Browser Information Discovery | During Outer Space, OilRig used a Chrome data dumper named MKG.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Outer Space, OilRig used VBS droppers to deploy malware.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For Outer Space, OilRig created new implants including the Solar backdoor.[1] |
| Enterprise | T1585.003 | Establish Accounts: Cloud Accounts | During Outer Space, OilRig created M365 email accounts to be used as part of C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Outer Space, OilRig downloaded additional tools to compromised infrastructure.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[1] |