Home
Software
OilCheck

OilCheck

OilCheck is a C#/.NET downloader that has been used byOilRig since at least 2022 including against targets in Israel.OilCheck uses draft messages created in a shared email account for C2 communication.^[1]

ID: S1171

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 26 November 2024

Last Modified: 27 November 2024

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1567		Exfiltration Over Web Service	OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.^[1]
Enterprise	T1105		Ingress Tool Transfer	OilCheck can download staged payloads from an actor-controlled infrastructure.^[1]
Enterprise	T1102	.002	Web Service:Bidirectional Communication	OilCheck can use a REST-based Microsoft Graph API to access draft messages in a shared Microsoft Office 365 Outlook email account used for C2 communication.^[1]

Groups That Use This Software

ID	Name	References
G0049	OilRig	^[1]

References

Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.

Movatterモバイル変換

OilCheck

Enterprise Layer

Techniques Used

Groups That Use This Software

References