^[8]

^[9]

This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.^[7][1][10]

^[7][9]

^[6]

^[11]

^[11]

^[12]

^[13]

^[14]

^[15]

^[16]

^[16]

OilRig has runnet user,net user /domain,net group "domain admins" /domain, andnet group "Exchange Trusted Subsystem" /domain to get account listings on a victim.^[4]

OilRig has runnet user,net user /domain,net group "domain admins" /domain, andnet group "Exchange Trusted Subsystem" /domain to get account listings on a victim.^[4]

OilRig has set up fake VPN portals, conference sign ups, and job application websites to target victims.^[3]

OilRig has used HTTP for C2.^[6][17][18]

DuringOuter Space,OilRig used HTTP to communicate between installed backdoors and compromised servers including via the Microsoft Exchange Web Services API.^[16]

DuringJuicy Mix,OilRig used a VBS script to send POST requests to register installed malware with C2.^[16]

OilRig has used DNS for C2 including the publicly availablerequestbin.net tunneling service.^{[6][17][18][10]}

OilRig has used automated collection.^[6]

DuringOuter Space,OilRig used a Chrome data dumper named MKG.^[16]

DuringJuicy Mix,OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials.^[16]

OilRig has used brute force techniques to obtain credentials.^[17][12]

OilRig has used infostealer tools to copy clipboard data.^[14]

OilRig has used various types of scripting for execution.^{[1][19][20][7][21]}

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.^{[1][22][9][13]}

DuringJuicy Mix,OilRig used a PowerShell script to steal credentials.^[16]

OilRig has used macros to deliver malware such asQUADAGENT andOopsIE.^{[1][19][20][7][21]}OilRig has used batch scripts.^{[1][19][20][7][21]}

OilRig has used VBScript macros for execution on compromised hosts.^[10]

DuringOuter Space,OilRig used VBS droppers to deploy malware.^[16]

DuringJuicy Mix,OilRig used VBS droppers to deliver and establish persistence for theMango backdoor.^[16]

OilRig has compromised email accounts to send phishing emails.^[3]

DuringOuter Space,OilRig compromised an Israeli human resources site to use as a C2 server.^[16]

DuringJuicy Mix,OilRig compromised an Israeli job portal to use for a C2 server.^[16]

OilRig has used a compromised Domain Controller to create a service on a remote host.^[14]

OilRig has used credential dumping tools such asLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}

OilRig has used credential dumping tools such asLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.^[18]

DuringJuicy Mix,OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.^[16]

OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.^[18]

DuringJuicy Mix,OilRig used a Windows Credential Manager stealer for credential access.^[16]

DuringJuicy Mix,OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.^[16]

OilRig has used PowerShell to upload files from compromised systems.^[13]

OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic.^[14]

DuringJuicy Mix,OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.^[16]

AOilRig macro has run a PowerShell command to decode file contents.OilRig has also usedcertutil to decode base64-encoded files on victims.^{[1][22][20][24]}

DuringJuicy Mix,OilRig used a script to concatenate and deobfuscate encoded strings inMango.^[16]

OilRig actively developed and used a series of downloaders during 2022.^[25]

ForOuter Space,OilRig created new implants including theSolar backdoor.^[16]

ForJuicy Mix,OilRig improved onSolar by developing theMango backdoor.^[16]

OilRig used thePowerExchange utility and other tools to create tunnels to C2 servers.^[17]

DuringOuter Space,OilRig created M365 email accounts to be used as part of C2.^[16]

OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.^[5][13]

OilRig has exploited CVE-2024-30088 to run arbitrary code in the context ofSYSTEM.^[13]

OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088.^[13]

OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.^[17]

OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.^[19]

OilRig has modified Windows firewall rules to enable remote access.^[14]

OilRig has deleted files associated with their payload after execution.^[1][20]

OilRig had downloaded remote files onto victim infrastructure.^[1][13]

DuringOuter Space,OilRig downloaded additional tools to comrpomised infrastructure.^[16]

OilRig has employed keyloggers including KEYPUNCH and LONGWATCH.^[17][18][14]

OilRig has used .doc file extensions to mask malicious executables.^[10]

OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.^[14]

OilRig has registered a password filter DLL in order to drop malware.^[13]

OilRig has used reg.exe to modify system configuration.^[14][13]

OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.^[17]

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.^[2][21]

OilRig has encrypted and encoded data in its malware, including by using base64.^{[1][7][6][9][21]}

DuringOuter Space,OilRig deployed VBS droppers with obfuscated strings.^[16]

OilRig has made use of the publicly available tools including Plink andMimikatz.^[14][13]

OilRig has obtained stolen code signing certificates to digitally sign malware.^[3]

OilRig has abused the Outlook Home Page feature for persistence.OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.^[26]

OilRig has used credential dumping tools such asMimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}

OilRig has used credential dumping tools such asLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}

OilRig has used credential dumping tools such asLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}

OilRig has used net.exe in a script withnet accounts /domain to find the password policy of a domain.^[27]

OilRig has used tools to identify if a mouse is connected to a targeted system.^[10]

OilRig has usednet localgroup administrators to find local administrators on compromised systems.^[4][14]

OilRig has usednet group /domain,net group "domain admins" /domain, andnet group "Exchange Trusted Subsystem" /domain to find domain group permission settings.^[4]

OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.^{[20][7][9][3]}

OilRig has sent spearphising emails with malicious links to potential victims.^[20][3]

OilRig has used LinkedIn to send spearphishing links.^[18]

OilRig has runtasklist on a victim's machine and used infostealers to capture processes.^[4][14]

OilRig has used the Plink utility and other tools to create tunnels to C2 servers.^{[6][17][18][14]}

OilRig has usedreg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.^[4]

OilRig has incorporated remote monitoring and management (RMM) tools into their operations includingngrok.^[13]

OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.^{[6][17][24][14][14]}

OilRig has used Putty to access compromised systems.^[6]

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.^{[20][7][18][10]}

DuringJuicy Mix,OilRig used VBS droppers to schedule tasks for persistence.^[16]

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.^[17]

OilRig has used web shells, often to maintain access to a victim network.^{[6][17][24][13]}

DuringJuicy Mix,OilRig used browser data dumper tools to create a list of users with Google Chrome installed.^[16]

OilRig has hosted malware on fake websites designed to target specific audiences.^[3]

OilRig has signed its malware with stolen certificates.^[3]

OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities.^[13]

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.^[4]

OilRig has runhostname andsysteminfo on a victim.^{[4][5][18][10][14]}

DuringJuicy Mix,OilRig used a script to send the name of the compromised host via HTTPPOST to register it with C2.^[16]

OilRig has runipconfig /all on a victim.^[4][5]

OilRig has usednetstat -an on a victim to get a listing of network connections.^[4]

OilRig has runwhoami on a victim.^[4][5][10]

OilRig has usedsc query on a victim to gather information about services.^[4]

OilRig has used credential dumping tools such asLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.^{[6][17][23][18]}

OilRig has delivered malicious links to achieve execution on the target system.^{[20][7][9][3]}

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.^{[20][7][9][10][3]}

OilRig has used compromised credentials to access other systems on a victim network.^{[6][17][24][12]}

OilRig has used an exfiltration tool named STEALHOOK to retreive valid domain credentials.^[13]

OilRig has used macros to verify if a mouse is connected to a compromised machine.^[10]

OilRig has used WMI for execution.^[17][14]

OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.^[28]

OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.^[29]

OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.^[29]

OilRig communicated with its command and control using HTTP requests.^[29]

OilRig utilized stolen credentials to gain access to victim machines.^[30]