{"id":8461,"date":"2023-09-21T12:00:00","date_gmt":"2023-09-21T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/09\/21\/oilrigs-outer-space-and-juicy-mix-same-ol-rig-new-drill-pipes\/"},"modified":"2023-09-21T12:00:00","modified_gmt":"2023-09-21T09:00:00","slug":"oilrigs-outer-space-and-juicy-mix-same-ol-rig-new-drill-pipes","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/09\/21\/oilrigs-outer-space-and-juicy-mix-same-ol-rig-new-drill-pipes\/","title":{"rendered":"OilRig\u2019s Outer Space and Juicy Mix: Same ol\u2019 rig, new drill pipes"},"content":{"rendered":"<blockquote>\n<div>UPDATE (June 5<sup>th<\/sup>, 2025): Since publishing this blogpost, we have updated our tracking to better reflect the full range and complexity of the malicious activities carried out by the OilRig APT group. As a result, we are now tracking OilRig as a parent group with several subgroups. The activities described in this blogpost fall under the OilRig subgroup named Lyceum.<\/div>\n<div>\n<\/div>\n<div>Lyceum, also known as HEXANE or Storm-0133, is an advanced threat group that focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare. 
Major tools we attribute to Lyceum include <a href=\"https:\/\/vblocalhost.com\/uploads\/VB2021-Kayal-etal.pdf\">DanBot<\/a>, the <a href=\"https:\/\/web.archive.org\/web\/20230129145433\/https:\/www.prevailion.com\/latest-targets-of-cyber-group-lyceum\/\">Shark, Milan<\/a>, and Marlin backdoors, <a href=\"index.html\">Solar and Mango<\/a>, <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q2-2023-q3-2023.pdf\">OilForceGTX<\/a>, and a <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/oilrig-persistent-attacks-cloud-service-powered-downloaders\/\">variety of downloaders<\/a> using legitimate cloud services for C&amp;C communication.<\/div>\n<\/blockquote>\n<p>ESET researchers have analyzed two campaigns by the OilRig APT group: Outer Space (2021), and Juicy Mix (2022). Both of these cyberespionage campaigns targeted Israeli organizations exclusively, which is in line with the group\u2019s focus on the Middle East, and used the same playbook: OilRig first compromised a legitimate website to use as a C&amp;C server and then used VBS droppers to deliver a C#\/.NET backdoor to its victims, while also deploying a variety of post-compromise tools mostly used for data exfiltration on the target systems.<\/p>\n<p>In their Outer Space campaign, OilRig used a simple, previously undocumented C#\/.NET backdoor we named Solar, along with a new downloader, SampleCheck5000 (or SC5k), that uses the Microsoft Office Exchange Web Services API for C&amp;C communication. For the Juicy Mix campaign, the threat actors improved on Solar to create the Mango backdoor, which possesses additional capabilities and obfuscation methods. 
In addition to detecting the malicious toolset, we also notified the Israeli CERT about the compromised websites.<\/p>\n<blockquote>\n<div><strong>Key points of this blogpost:<\/strong><\/div>\n<ul>\n<li>ESET observed two OilRig campaigns which occurred throughout 2021 (Outer Space) and 2022 (Juicy Mix).<\/li>\n<li>The operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites for use in their C&amp;C communications.<\/li>\n<li>They used a new, previously undocumented C#\/.NET first-stage backdoor in each campaign: Solar in Outer Space, then its successor Mango in Juicy Mix.<\/li>\n<li>Both backdoors were deployed by VBS droppers, presumably spread via spearphishing emails.<\/li>\n<li>A variety of post-compromise tools were deployed in both campaigns, notably the SC5k downloader that uses Microsoft Office Exchange Web Services API for C&amp;C communication, and several tools to steal browser data and credentials from Windows Credential Manager.<\/li>\n<\/ul>\n<\/blockquote>\n<p>OilRig, also known as APT34, Lyceum, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and <a href=\"https:\/\/attack.mitre.org\/groups\/G0049\/\">is commonly believed<\/a> to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications. OilRig carried out the DNSpionage campaign in <a href=\"https:\/\/blog.talosintelligence.com\/2018\/11\/dnspionage-campaign-targets-middle-east.html\">2018<\/a> and <a href=\"https:\/\/blog.talosintelligence.com\/2019\/04\/dnspionage-brings-out-karkoff.html\">2019<\/a>, which targeted victims in Lebanon and the United Arab Emirates. 
In 2019 and 2020, OilRig continued attacks with the <a href=\"https:\/\/www.mandiant.com\/resources\/hard-pass-declining-apt34-invite-to-join-their-professional-network\">HardPass<\/a> campaign, which used LinkedIn to target Middle Eastern victims in the energy and government sectors. In 2021, OilRig updated its <a href=\"https:\/\/vblocalhost.com\/uploads\/VB2021-Kayal-etal.pdf\">DanBot<\/a> backdoor and began deploying the <a href=\"https:\/\/web.archive.org\/web\/20230129145433\/https:\/www.prevailion.com\/latest-targets-of-cyber-group-lyceum\/\">Shark, Milan<\/a>, and Marlin backdoors, mentioned in the <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset_threat_report_t32021.pdf\">T3 2021 issue<\/a> of the ESET Threat Report.<\/p>\n<p>In this blogpost, we provide technical analysis of the Solar and Mango backdoors, of the VBS dropper used to deliver Mango, and of the post-compromise tools deployed in each campaign.<\/p>\n<h2>Attribution<\/h2>\n<p>The initial link that allowed us to connect the Outer Space campaign to OilRig is the use of the same custom Chrome data dumper (tracked by ESET researchers under the name MKG) as in the <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset_threat_report_t32021.pdf\">Out to Sea campaign<\/a>. 
We observed the Solar backdoor deploy the very same sample of MKG as in Out to Sea on the target\u2019s system, along with two other variants.<\/p>\n<p>Besides the overlap in tools and targeting, we also saw multiple similarities between the Solar backdoor and the backdoors used in Out to Sea, mostly related to upload and download: both Solar and Shark, another OilRig backdoor, use URIs with simple upload and download schemes to communicate with the C&amp;C server, with a \u201cd\u201d for download and a \u201cu\u201d for upload; additionally, the downloader SC5k uses uploads and downloads subdirectories just like other OilRig backdoors, namely ALMA, Shark, DanBot, and Milan. These findings serve as a further confirmation that the culprit behind Outer Space is indeed OilRig.<\/p>\n<p>As for the Juicy Mix campaign\u2019s ties to OilRig, besides targeting Israeli organizations \u2013 which is typical for this espionage group \u2013 there are code similarities between Mango, the backdoor used in this campaign, and Solar. Moreover, both backdoors were deployed by VBS droppers with the same string obfuscation technique. The choice of post-compromise tools employed in Juicy Mix also mirrors previous OilRig campaigns.<\/p>\n<h2>Outer Space campaign overview<\/h2>\n<p>Named for the use of an astronomy-based naming scheme in its function names and tasks, Outer Space is an OilRig campaign from 2021. In this campaign, the group compromised an Israeli human resources site and subsequently used it as a C&amp;C server for its previously undocumented C#\/.NET backdoor, Solar. Solar is a simple backdoor with basic functionality such as reading from and writing to disk, and gathering information.<\/p>\n<p>Through Solar, the group then deployed a new downloader, SC5k, which uses the Office Exchange Web Services API to download additional tools for execution, as shown in Figure <span>1<\/span>. 
In order to exfiltrate browser data from the victim\u2019s system, OilRig used a Chrome-data dumper called MKG.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_01_OuterSpace_overview\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-01-outerspace-overview.png\" title=\"\" width=\"\"><figcaption><em>Figure 1. Overview of OilRig\u2019s Outer Space compromise chain<\/em><\/figcaption><\/figure>\n<h2><a><\/a>Juicy Mix campaign overview<\/h2>\n<p>In 2022 OilRig launched another campaign targeting Israeli organizations, this time with an updated toolset. We named the campaign Juicy Mix for the use of a new OilRig backdoor, Mango (based on its internal assembly name, and its filename, <span>Mango.exe<\/span>). In this campaign, the threat actors compromised a legitimate Israeli job portal website for use in C&amp;C communications. The group\u2019s malicious tools were then deployed against a healthcare organization, also based in Israel.<\/p>\n<p>The Mango first-stage backdoor is a successor to Solar, also written in C#\/.NET, with notable changes that include exfiltration capabilities, use of native APIs, and added detection evasion code.<\/p>\n<p>Along with Mango, we also detected two previously undocumented browser-data dumpers used to steal cookies, browsing history, and credentials from the Chrome and Edge browsers, and a Windows Credential Manager stealer, all of which we attribute to OilRig. These tools were all used against the same target as Mango, as well as at other compromised Israeli organizations throughout 2021 and 2022. Figure <span>2<\/span> shows an overview of how the various components were used in the Juicy Mix campaign.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_01_OuterSpace_overview\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-01-outerspace-overview-1.png\" title=\"\" width=\"\"><figcaption><em>Figure 2. 
Overview of components used in OilRig\u2019s Juicy Mix campaign<\/em><\/figcaption><\/figure>\n<h2><span>Technical analysis<\/span><\/h2>\n<p>In this section, we provide a technical analysis of the Solar and Mango backdoors and the SC5k downloader, as well as other tools that were deployed to the targeted systems in these campaigns.<\/p>\n<h3>VBS droppers<\/h3>\n<p>To establish a foothold on the target\u2019s system, Visual Basic Script (VBS) droppers were used in both campaigns, which were very likely spread by spearphishing emails. Our analysis below focuses on the VBS script used to drop Mango (SHA-1: <span>3699B67BF4E381847BF98528F8CE2B966231F01A<\/span>); note that Solar\u2019s dropper is very similar.<\/p>\n<p>The dropper\u2019s purpose is to deliver the embedded Mango backdoor, schedule a task for persistence, and register the compromise with the C&amp;C server. The embedded backdoor is stored as a series of base64 substrings, which are concatenated and base64 decoded. As shown in Figure <span>3<\/span>, the script also uses a simple string deobfuscation technique, where strings are assembled using arithmetic operations and the <span>Chr<\/span> function.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation.png\" title=\"\"><figcaption><em>Figure 3. String deobfuscation technique used by OilRig\u2019s VBS dropper for Mango<\/em><\/figcaption><\/figure>\n<p>On top of that, Mango\u2019s VBS dropper adds another type of string obfuscation and code to set up persistence and register with the C&amp;C server. As shown in Figure <span>4<\/span>, to deobfuscate some strings, the script replaces any characters in the set <span>#*+-_)(}{@$%^&amp;<\/span> with <span>0<\/span>, then divides the string into three-digit numbers that are converted into ASCII characters using the <span>Chr<\/span> function, and finally reverses the resulting string. 
For example, the string <span>116110101109117+99111$68+77{79$68}46-50108109120115}77<\/span> translates to <span>Msxml2.DOMDocument<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1.png\" title=\"\" width=\"\"><figcaption><em>Figure 4. String obfuscation function used by Mango\u2019s VBS dropper<\/em><\/figcaption><\/figure>\n<p>Once the backdoor has been dropped on the system, the dropper moves on to create a scheduled task that executes Mango (or Solar, in the other version) every 14 minutes. Finally, the script sends the base64-encoded name of the compromised computer via a POST request to register the backdoor with its C&amp;C server.<\/p>\n<h3>Solar backdoor<\/h3>\n<p>Solar is the backdoor used in OilRig\u2019s Outer Space campaign. Possessing basic functionalities, this backdoor can be used to, among other things, download and execute files, and automatically exfiltrate staged files.<\/p>\n<p>We chose the name Solar based on the filename used by OilRig, <span>Solar.exe<\/span>. It is a fitting name since the backdoor uses an astronomy naming scheme for its function names and tasks used throughout the binary (<span>Mercury<\/span>, <span>Venus<\/span>, <span>Mars<\/span>, <span>Earth<\/span>, and <span>Jupiter<\/span>).<\/p>\n<p>Solar begins execution by performing the steps shown in Figure <span>5<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1-2.png\" title=\"\" width=\"\"><figcaption><em>Figure 5. Initial execution flow of Solar<\/em><\/figcaption><\/figure>\n<p>The backdoor creates two tasks, <span>Earth<\/span> and <span>Venus<\/span>, that run in memory. 
There is no stop function for either of the two tasks, so they will run indefinitely. <span>Earth<\/span> is scheduled to run every 30 seconds and <span>Venus<\/span> is set to run every 40 seconds.<\/p>\n<p><span>Earth<\/span> is the primary task, responsible for the bulk of Solar\u2019s functions. It communicates with the C&amp;C server using the function <span>MercuryToSun<\/span>, which sends basic system and malware version information to the C&amp;C server and then handles the server\u2019s response. <span>Earth<\/span> sends the following info to the C&amp;C server:<\/p>\n<ul>\n<li>The string <span>(@) &lt;system hostname&gt;<\/span>; the whole string is encrypted.<\/li>\n<li>The string <span>1.0.0.0<\/span>, encrypted (possibly a version number).<\/li>\n<li>The string <span>30000<\/span>, encrypted (possibly the scheduling interval of <span>Earth<\/span> in milliseconds).<\/li>\n<\/ul>\n<p>Encryption and decryption are implemented in functions named <span>JupiterE<\/span> and <span>JupiterD<\/span>, respectively. Both of them call a function named <span>JupiterX<\/span>, which implements an XOR loop as shown in Figure <span>6<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation.jpeg\" title=\"\" width=\"\"><figcaption><em>Figure 6. The <\/em><span>for <\/span><em>loop in JupiterX that is used to encrypt and decrypt data<\/em><\/figcaption><\/figure>\n<p>The key is derived from a hardcoded global string variable, <span>6sEj7*0B7#7<\/span>, and a <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/nonce\">nonce<\/a>: in this case, a random hex string from 2\u201324 characters long. 
Following the XOR encryption, standard base64 encoding is applied.<\/p>\n<p>An Israeli human resources company\u2019s web server, which OilRig compromised at some point before deploying Solar, was used as the C&amp;C server:<\/p>\n<p><span>http:\/\/organization.co[.]il\/project\/templates\/office\/template.aspx?rt=d&amp;sun=&lt;encrypted_MachineGuid&gt;&amp;rn=&lt;encryption_nonce&gt;<\/span><\/p>\n<p>Prior to being appended to the URI, the encryption nonce is itself encrypted, and the value of the first query parameter, <span>rt<\/span>, is set to <span>d<\/span> here, likely for \u201cdownload\u201d.<\/p>\n<p>The last step of the <span>MercuryToSun<\/span> function is to process a response from the C&amp;C server. It does so by retrieving a substring of the response, which is found between the characters <span>QQ@<\/span> and <span>@kk<\/span>. This response is a string of instructions separated by asterisks (<span>*<\/span>) that is processed into an array. <span>Earth<\/span> then carries out the backdoor commands, which include downloading additional payloads from the server, listing files on the victim\u2019s system, and running specific executables.<\/p>\n<p>Command output is then gzip compressed using the function <span>Neptune<\/span> and encrypted with the same encryption key and a new nonce. The results are then uploaded to the C&amp;C server:<\/p>\n<p><span>http:\/\/organization.co[.]il\/project\/templates\/office\/template.aspx?rt=u&amp;sun=&lt;MachineGuid&gt;&amp;rn=&lt;new_nonce&gt;<\/span><\/p>\n<p><span>MachineGuid<\/span> and the new nonce are encrypted with the <span>JupiterE<\/span> function, and here the value of <span>rt<\/span> is set to <span>u<\/span>, likely for \u201cupload\u201d.<\/p>\n<p><span>Venus<\/span>, the other scheduled task, is used for automated data exfiltration. 
This small task copies the content of files from a directory (also named <span>Venus<\/span>) to the C&amp;C server. These files are likely dropped here by some other, as yet unidentified, OilRig tool. After uploading a file, the task deletes it from disk.<\/p>\n<h3>Mango backdoor<\/h3>\n<p>For its Juicy Mix campaign, OilRig switched from the Solar backdoor to Mango. It has a similar workflow to Solar and overlapping capabilities, but there are nevertheless several notable changes:<\/p>\n<ul>\n<li>Use of TLS for C&amp;C communications.<\/li>\n<li>Use of native APIs, rather than .NET APIs, to execute files and shell commands.<\/li>\n<li>Although not actively used, detection evasion code was introduced.<\/li>\n<li>Support for automated exfiltration (<span>Venus<\/span> in Solar) has been removed; instead, Mango supports an additional backdoor command for exfiltrating selected files.<\/li>\n<li>Support for log mode has been removed, and symbol names have been obfuscated.<\/li>\n<\/ul>\n<p>Contrary to Solar\u2019s astronomy-themed naming scheme, Mango obfuscates its symbol names, as can be seen in Figure <span>7<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1-2-3.png\" title=\"\" width=\"\"><figcaption><em>Figure 7. Unlike its predecessor Solar (left), Mango\u2019s symbols have been obfuscated<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">Besides the symbol name obfuscation, Mango also uses the string stacking method (as shown in <\/span>Figure <span>8<\/span><span lang=\"EN-US\">) to obfuscate strings, which complicates the use of simple detection methods. 
<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1-2-3-4.png\" title=\"\" width=\"\"><figcaption><em>Figure 8. Mango uses string stacking to obfuscate strings and thwart simple detection mechanisms<\/em><\/figcaption><\/figure>\n<p>Similar to Solar, the Mango backdoor starts by creating an in-memory task, scheduled to run indefinitely every 32 seconds. This task communicates with the C&amp;C server and executes backdoor commands, similar to Solar\u2019s <span>Earth<\/span> task. While Solar also creates <span>Venus<\/span>, a task for automated exfiltration, this functionality has been replaced in Mango by a new backdoor command.<\/p>\n<p>In the main task, Mango first generates a victim identifier, <span>&lt;victimID&gt;<\/span>, to be used in C&amp;C communications. The ID is computed as an MD5 hash of <span>&lt;machine name&gt;&lt;username&gt;<\/span>, formatted as a hexadecimal string.<\/p>\n<p>To request a backdoor command, Mango then sends the string <span>d@&lt;victimID&gt;@&lt;machine name&gt;|&lt;username&gt;<\/span> to the C&amp;C server <span>http:\/\/www.darush.co[.]il\/ads.asp<\/span> \u2013 a legitimate Israeli job portal, likely compromised by OilRig before this campaign. 
We notified the Israeli national CERT organization about the compromise.<\/p>\n<p>The request body is constructed as follows:<\/p>\n<ul>\n<li>The data to be transmitted is XOR encrypted using the encryption key <span>Q&amp;4g<\/span>, then base64 encoded.<\/li>\n<li>A pseudorandom string of 3\u201314 characters is generated from this alphabet (as it appears in the code): <span>i8p3aEeKQbN4klFMHmcC2dU9f6gORGIhDBLS0jP5Tn7o1AVJ<\/span>.<\/li>\n<li>The encrypted data is inserted at a pseudorandom position within the generated string, enclosed between <span>[@<\/span> and <span>@]<\/span> delimiters.<\/li>\n<\/ul>\n<p>To communicate with its C&amp;C server, Mango uses the TLS (Transport Layer Security) protocol, which provides an additional layer of encryption.<\/p>\n<p>Similarly, the backdoor command received from the C&amp;C server is XOR encrypted, base64 encoded, and then enclosed between <span>[@<\/span> and <span>@]<\/span> within the HTTP response body. The command itself is either <span>NCNT<\/span> (in which case no action is taken), or a string of several parameters delimited by <span>@<\/span>, as detailed in Table <span>1<\/span>, which lists Mango\u2019s backdoor commands. Note that <span>&lt;Arg0&gt;<\/span> is not listed in the table, but is used in the response to the C&amp;C server.<\/p>\n<p><em>Table 1. 
List of Mango\u2019s backdoor commands<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"75\">\n<p><strong><span lang=\"EN-CA\">Arg1<\/span><\/strong><\/p>\n<\/td>\n<td width=\"90\">\n<p><strong><span lang=\"EN-CA\">Arg2<\/span><\/strong><\/p>\n<\/td>\n<td width=\"49\">\n<p><strong><span lang=\"EN-CA\">Arg3<\/span><\/strong><\/p>\n<\/td>\n<td width=\"195\">\n<p><strong><span lang=\"EN-CA\">Action taken<\/span><\/strong><\/p>\n<\/td>\n<td width=\"234\">\n<p><strong><span lang=\"EN-CA\">Return value<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"58\">\n<p><span><strong>1<\/strong><\/span><strong> or empty string<\/strong><\/p>\n<\/td>\n<td colspan=\"2\" width=\"107\">\n<p><span>+sp &lt;optional arguments&gt;<\/span><\/p>\n<\/td>\n<td width=\"49\">\n<p>N\/A<\/p>\n<\/td>\n<td width=\"195\">\n<p>Executes the specified file\/shell command (with the optional arguments), using the native <span>CreateProcess<\/span> API imported via <span>DllImport<\/span>. 
If the arguments contain <span>[s]<\/span>, it is replaced by <span>C:\\Windows\\System32<\/span>.<\/p>\n<\/td>\n<td width=\"234\">\n<p>Command output.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" width=\"107\">\n<p><span>+nu<\/span><\/p>\n<\/td>\n<td width=\"49\">\n<p>N\/A<\/p>\n<\/td>\n<td width=\"195\">\n<p>Returns the malware version string and C&amp;C URL.<\/p>\n<\/td>\n<td width=\"234\">\n<p><span>&lt;versionString&gt;|&lt;c2URL&gt;<\/span>; in this case:<\/p>\n<p><span>1.0.0|http:\/\/www.darush.co[.]il\/ads.asp<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" width=\"107\">\n<p><span>+fl &lt;optional directory name&gt;<\/span><\/p>\n<\/td>\n<td width=\"49\">\n<p>N\/A<\/p>\n<\/td>\n<td width=\"195\">\n<p>Enumerates the content of the specified directory (or current working directory).<\/p>\n<\/td>\n<td width=\"234\">\n<p><span>Directory of &lt;directory path&gt;<\/span><\/p>\n<p>For each subdirectory:<\/p>\n<p><span>&lt;last_write_time&gt; &lt;DIR&gt; &lt;subdirectory name&gt;<\/span><\/p>\n<p>For each file:<\/p>\n<p><span>&lt;last_write_time&gt; FILE &lt;file size&gt; &lt;filename&gt;<\/span><\/p>\n<p><span>&lt;number of subdirectories&gt; Dir(s)<\/span><\/p>\n<p><span>&lt;number of files&gt; File(s)<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" width=\"107\">\n<p><span>+dn &lt;file name&gt;<\/span><\/p>\n<\/td>\n<td width=\"49\">\n<p>N\/A<\/p>\n<\/td>\n<td width=\"195\">\n<p>Uploads the file content to the C&amp;C server via a new HTTP POST request formatted: <span>u@&lt;victimID&gt;@&lt;machine name&gt;|&lt;username&gt;@&lt;file path&gt;@2@&lt;base64encodedFileContent&gt;<\/span>.<\/p>\n<\/td>\n<td width=\"234\">\n<p>One of:<\/p>\n<p>\u00b7 <span>file[&lt;filename&gt;] is uploaded to server.<\/span><\/p>\n<p>\u00b7 <span>file not found!<\/span><\/p>\n<p><span 
lang=\"EN-US\"><span>\u00b7<span><br \/>\n<\/span><\/span><\/span><span>file path empty!<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"58\">\n<p><span><strong>2<\/strong><\/span><\/p>\n<\/td>\n<td colspan=\"2\" width=\"107\">\n<p>Base64-encoded data<\/p>\n<\/td>\n<td width=\"49\">\n<p>Filename<\/p>\n<\/td>\n<td width=\"195\">\n<p>Dumps the specified data into a file in the working directory.<\/p>\n<\/td>\n<td width=\"234\">\n<p><span>file downloaded to path[&lt;fullFilePath&gt;]<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Each backdoor command is handled in a new thread, and their return values are then base64 encoded and combined with other metadata. Finally, that string is sent to the C&amp;C server using the same protocol and encryption method as described above.<\/p>\n<h4>Unused detection evasion technique<\/h4>\n<p>Interestingly, we found an unused <a href=\"https:\/\/blog.xpnsec.com\/protecting-your-malware\/\">detection evasion technique<\/a> within Mango. The function responsible for executing files and commands downloaded from the C&amp;C server takes an optional second parameter \u2013 a process ID. If set, Mango then uses the <span>UpdateProcThreadAttribute<\/span><code><br \/>\n<\/code>API to set the <span>PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY<\/span> (<span>0x20007)<\/span> attribute for the specified process to value: <span>PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON<\/span> (<span>0x100000000000)<\/span>, as shown in Figure <span>9<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1-2-3-4-5.png\" title=\"\" width=\"\"><figcaption><em>Figure 9. 
Unused security product evasion code in Mango backdoor<\/em><\/figcaption><\/figure>\n<p>This technique\u2019s goal is to block endpoint security solutions from loading their user-mode code hooks via a DLL in this process. While the parameter was not used in the sample we analyzed, it could be activated in future versions.<\/p>\n<h4>Version 1.1.1<\/h4>\n<p>Unrelated to the Juicy Mix campaign, in July 2023 we found a new version of the Mango backdoor (SHA-1: <span>C9D18D01E1EC96BE952A9D7BD78F6BBB4DD2AA2A<\/span>), uploaded to VirusTotal by several users under the name <span>Menorah.exe<\/span>. The internal version in this sample was changed from 1.0.0 to 1.1.1, but the only notable change is the use of a different C&amp;C server, <span>http:\/\/tecforsc-001-site1.gtempurl[.]com\/ads.asp<\/span>.<\/p>\n<p>Along with this version, we also discovered a Microsoft Word document (SHA-1: <span>3D71D782B95F13EE69E96BCF73EE279A00EAE5DB<\/span>) with a malicious macro that drops the backdoor. Figure <span>10<\/span> shows the fake warning message, enticing the user to enable macros for the document, and the decoy content that is displayed afterwards, while the malicious code is running in the background.<\/p>\n<div>\n<figure><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-10a-malicious-macro.png\"><img decoding=\"async\" alt=\"Figure_10a_malicious_macro\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-10a-malicious-macro.png\"><\/a><\/figure>\n<figure><a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-10b-decoy-doc.png\"><img decoding=\"async\" alt=\"Figure_10b_decoy_doc\" 
src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-10b-decoy-doc.png\"><\/a><\/figure>\n<\/div>\n<p><em>Figure 10. Microsoft Word document with a malicious macro that drops Mango v1.1.1<\/em><\/p>\n<h3><span>Post-compromise tools<\/span><\/h3>\n<p>In this section, we review a selection of post-compromise tools used in OilRig\u2019s Outer Space and Juicy Mix campaigns, aimed at downloading and executing additional payloads, and stealing data from the compromised systems.<\/p>\n<h4>SampleCheck5000 (SC5k) downloader<\/h4>\n<p>SampleCheck5000 (or SC5k) is a downloader used to download and execute additional OilRig tools, notable for using the Microsoft Office Exchange Web Services API for C&amp;C communication: the attackers create draft messages in this email account and hide the backdoor commands in there. Subsequently, the downloader logs into the same account, and parses the drafts to retrieve commands and payloads to execute.<\/p>\n<p>SC5k uses predefined values \u2013 Microsoft Exchange URL, email address, and password \u2013 to log into the remote Exchange server, but it also supports the option to override these values using a configuration file in the current working directory named <span>setting.key<\/span>. We chose the name SampleCheck5000 based on one of the email addresses that the tool used in the Outer Space campaign.<\/p>\n<p>Once SC5k logs into the remote Exchange server, it retrieves all the emails in the <span>Drafts<\/span><code><br \/>\n<\/code>directory, sorts them by most recent, keeping only the drafts that have attachments. It then iterates over every draft message with an attachment, looking for JSON attachments that contain <span>&#8220;data&#8221;<\/span> in the body. It extracts the value from the key <span>data<\/span> in the JSON file, base64 decodes and decrypts the value, and calls <span>cmd.exe<\/span> to execute the resulting command line string. 
SC5k then saves the output of the <span>cmd.exe<\/span> execution to a local variable.<\/p>\n<p>As the next step in the loop, the downloader reports the results to the OilRig operators by creating a new email message on the Exchange server and saving it as a draft (not sending), as shown in Figure <span>11<\/span>. A similar technique is used to exfiltrate files from a local staging folder. As the last step in the loop, SC5k also logs the command output in an encrypted and compressed format on disk.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1.jpeg\" title=\"\" width=\"\"><figcaption><em>Figure 11. Email message creation by SC5k<\/em><\/figcaption><\/figure>\n<h4>Browser-data dumpers<\/h4>\n<p>It is characteristic of OilRig operators to use browser-data dumpers in their post-compromise activities. We discovered two new browser-data stealers among the post-compromise tools deployed in the Juicy Mix campaign alongside the Mango backdoor. They dump the stolen browser data in the <span>%TEMP%<\/span> directory into files named <span>Cupdate<\/span> and <span>Eupdate<\/span> (hence our names for them: CDumper and EDumper).<\/p>\n<p>Both tools are C#\/.NET browser-data stealers, collecting cookies, browsing history, and credentials from the Chrome (CDumper) and Edge (EDumper) browsers. We focus our analysis on CDumper, since both stealers are practically identical, save for some constants.<\/p>\n<p>When executed, CDumper creates a list of users with Google Chrome installed. 
On execution, the stealer connects to the Chrome SQLite <span>Cookies<\/span>, <span>History<\/span>, and <span>Login Data<\/span> databases under <span>%APPDATA%\\Local\\Google\\Chrome\\User Data<\/span>, and collects browser data including visited URLs and saved logins, using SQL queries.<\/p>\n<p>The cookie values are then decrypted, and all collected information is added to a log file named <span>C:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp\\Cupdate<\/span>, in cleartext. This functionality is implemented in CDumper functions named <span>CookieGrab<\/span> (see Figure <span>12<\/span>), <span>HistoryGrab<\/span>, and <span>PasswordGrab<\/span>. Note that there is no exfiltration mechanism implemented in CDumper, but Mango can exfiltrate selected files via a backdoor command.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure_03_Mango_string_obfuscation\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/figure-03-mango-string-obfuscation-1-2-3-4-5-6-7.png\" title=\"\" width=\"\"><figcaption><em>Figure 12. CDumper\u2019s CookieGrab function dumps and decrypts cookies from the Chrome data store<\/em><\/figcaption><\/figure>\n<p>In both Outer Space and the earlier <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset_threat_report_t32021.pdf\">Out to Sea<\/a> campaign, OilRig used a C\/C++ Chrome data dumper called MKG. Like CDumper and EDumper, MKG was also able to steal usernames and passwords, browsing history, and cookies from the browser. 
This Chrome data dumper is typically deployed in the following file locations (with the first location being the most common):<\/p>\n<ul>\n<li><span>%USERS%publicprogramsvmwaredir&lt;random_14_character_string&gt;mkc.exe<\/span><\/li>\n<li><span>%USERS%\\Public\\M64.exe<\/span><\/li>\n<\/ul>\n<h4>Windows Credential Manager stealer<\/h4>\n<p>Besides browser-data dumping tools, OilRig also used a Windows Credential Manager stealer in the Juicy Mix campaign. This tool steals credentials from Windows Credential Manager, and similar to CDumper and EDumper, stores them in the <span>%TEMP%<\/span> directory \u2013 this time into a file named <span>IUpdate<\/span> (hence the name IDumper). Unlike CDumper and EDumper, IDumper is implemented as a PowerShell script.<\/p>\n<p>As with the browser dumper tools, it is not uncommon for OilRig to collect credentials from the Windows Credential Manager. Previously, OilRig\u2019s operators were observed using VALUEVAULT, a <a href=\"https:\/\/www.softpedia.com\/get\/Security\/Password-Managers-Generators\/Windows-Vault-Password-Dumper.shtml\">publicly available<\/a>, Go-compiled credential-theft tool (see the <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/hard-pass-declining-apt34-invite-to-join-their-professional-network\">2019 HardPass campaign<\/a> and a <a href=\"https:\/\/www.intezer.com\/blog\/malware-analysis\/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset\/\">2020 campaign<\/a>), for the same purpose.<\/p>\n<h2>Conclusion<\/h2>\n<p>OilRig continues to innovate and create new implants with backdoor-like capabilities while finding new ways to execute commands on remote systems. The group improved upon its C#\/.NET Solar backdoor from the Outer Space campaign to create a new backdoor named Mango for the Juicy Mix campaign. 
The group deploys a set of custom post-compromise tools that are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager. Despite these innovations, OilRig also continues to rely on established ways to obtain user data.<\/p>\n<blockquote>\n<p>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes\/\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2><a><\/a><a><\/a><a><\/a><span><span><span lang=\"FR\">IoCs<\/span><\/span><\/span><\/h2>\n<h3><a><\/a><span lang=\"FR\">Files<\/span><\/h3>\n<p><a><\/a><a><\/a><a><\/a><a><\/a><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<tbody>\n<tr>\n<td width=\"170\">\n<p><strong>SHA-1<\/strong><\/p>\n<\/td>\n<td width=\"141\">\n<p><strong>Filename<\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><strong>ESET detection name<\/strong><\/p>\n<\/td>\n<td width=\"155\">\n<p><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>3D71D782B95F13EE69E96BCF73EE279A00EAE5DB<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>MyCV.doc<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>VBA\/OilRig.C<\/p>\n<\/td>\n<td width=\"155\">\n<p><span>Document with malicious macro dropping Mango.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>3699B67BF4E381847BF98528F8CE2B966231F01A<\/span><\/p>\n<\/td>\n<td 
width=\"141\">\n<p><span>chrome_log.vbs<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>VBS\/TrojanDropper.Agent.PCC<\/p>\n<\/td>\n<td width=\"155\">\n<p>VBS dropper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>1DE4810A10FA2D73CC589CA403A4390B02C6DA5E<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>Solar.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.E<\/p>\n<\/td>\n<td width=\"155\">\n<p>Solar backdoor.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>CB26EBDE498ECD2D7CBF1BC498E1BCBB2619A96C<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>Mango.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.E<\/p>\n<\/td>\n<td width=\"155\">\n<p>Mango backdoor (v1.0.0).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>C9D18D01E1EC96BE952A9D7BD78F6BBB4DD2AA2A<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>Menorah.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.E<\/p>\n<\/td>\n<td width=\"155\">\n<p>Mango backdoor (v1.1.1).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>83419CBA55C898FDBE19DFAFB5B1B207CC443190<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>EdgeUpdater.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/PSW.Agent.SXJ<\/p>\n<\/td>\n<td width=\"155\">\n<p>Edge data dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>DB01095AFEF88138C9ED3847B5D8AF954ED7BBBC<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>Gr.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/PSW.Agent.SXJ<\/p>\n<\/td>\n<td width=\"155\">\n<p>Chrome data dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>BE01C95C2B5717F39B550EA20F280D69C0C05894<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>ieupdater.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>PowerShell\/PSW.Agent.AH<\/p>\n<\/td>\n<td width=\"155\">\n<p>Windows Credential Manager dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>6A1BA65C9FD8CC9DCB0657977DB2B03DACDD8A2A<\/span><\/p>\n<\/td>\n<td 
width=\"141\">\n<p><span>mkc.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>Win64\/PSW.Agent.AW<\/p>\n<\/td>\n<td width=\"155\">\n<p>MKG &#8211; Chrome data dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>94C08A619AF2B08FEF08B131A7A59D115C8C2F7B<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>mkkc.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>Win64\/PSW.Agent.AW<\/p>\n<\/td>\n<td width=\"155\">\n<p>MKG &#8211; Chrome data dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>CA53B8EB76811C1940D814AAA8FE875003805F51<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>cmk.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>Win64\/PSW.Agent.AW<\/p>\n<\/td>\n<td width=\"155\">\n<p>MKG &#8211; Chrome data dumper.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>BE9B6ACA8A175DF61F2C75932E029F19789FD7E3<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>CCXProcess.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.A<\/p>\n<\/td>\n<td width=\"155\">\n<p>SC5k downloader (32-bit version).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>2236D4DCF68C65A822FF0A2AD48D4DF99761AD07<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>acrotray.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.D<\/p>\n<\/td>\n<td width=\"155\">\n<p>SC5k downloader (64-bit version).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span>EA8C3E9F418DCF92412EB01FCDCDC81FDD591BF1<\/span><\/p>\n<\/td>\n<td width=\"141\">\n<p><span>node.exe<\/span><\/p>\n<\/td>\n<td width=\"155\">\n<p>MSIL\/OilRig.D<\/p>\n<\/td>\n<td width=\"155\">\n<p>SC5k downloader (64-bit version).<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span><span><span><span><span lang=\"EN-CA\">Network<\/span><\/span><\/span><\/span><\/span><\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<tbody>\n<tr>\n<td width=\"139\">\n<p><strong>IP<\/strong><\/p>\n<\/td>\n<td width=\"181\">\n<p><strong>Domain<\/strong><\/p>\n<\/td>\n<td 
width=\"124\">\n<p><strong>Hosting provider<\/strong><\/p>\n<\/td>\n<td width=\"93\">\n<p><strong>First seen<\/strong><\/p>\n<\/td>\n<td width=\"106\">\n<p><strong>Details<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"139\">\n<p><span>199.102.48[.]42<\/span><\/p>\n<\/td>\n<td width=\"181\">\n<p><span>tecforsc-001-site1.gtempurl[.]com<\/span><\/p>\n<\/td>\n<td width=\"124\">\n<p>MarquisNet<\/p>\n<\/td>\n<td width=\"93\">\n<p>2022-07-29<\/p>\n<\/td>\n<td width=\"106\">\n<p>N\/A<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span><span><span><span><span lang=\"EN-CA\">MITRE ATT&amp;CK techniques<\/span><\/span><\/span><\/span><\/span><\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 13<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<p><span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Tactic<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">ID<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Name<\/span><\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Resource Development<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1584\/004\">T1584.004<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Compromise Infrastructure: Server<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">In both Outer Space and Juicy Mix campaigns, OilRig has compromised legitimate websites to stage malicious tools and for C&amp;C communications.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1587\/001\">T1587.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Develop Capabilities: Malware<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig has developed custom backdoors (Solar and Mango), a downloader (SC5k), and a set of credential-theft tools for use in its operations.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1608\/001\">T1608.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Stage Capabilities: Upload Malware<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig has uploaded malicious components to its C&amp;C servers, and stored prestaged files and commands in the <\/span><span><span lang=\"EN-US\">Drafts<\/span><\/span><span lang=\"EN-US\"> email directory of an Office 365 account for SC5k to download and execute.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1608\/002\">T1608.002<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Stage Capabilities: Upload Tool<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig has uploaded malicious tools to its C&amp;C servers, and stored prestaged files in the <\/span><span><span lang=\"EN-US\">Drafts<\/span><\/span><span lang=\"EN-US\"> email directory of an Office 365 account for SC5k to download and execute.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Initial Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1566\/001\">T1566.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Phishing: Spearphishing Attachment<\/span><\/p>\n<\/td>\n<td 
width=\"265\">\n<p><span lang=\"EN-US\">OilRig probably distributed its Outer Space and Juicy Mix campaigns via phishing emails with their VBS droppers attached.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Execution<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1053\/005\">T1053.005<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Scheduled Task\/Job: Scheduled Task<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s IDumper, EDumper, and CDumper tools use scheduled tasks named <\/span><span><span lang=\"EN-US\">ie&lt;user&gt;<\/span><\/span><span lang=\"EN-US\">, <\/span><span><span lang=\"EN-US\">ed&lt;user&gt;,<\/span><\/span><span lang=\"EN-US\"> and <\/span><span><span lang=\"EN-US\">cu&lt;user&gt;<\/span><\/span><span lang=\"EN-US\"> to execute themselves under the context of other users.<\/span><\/p>\n<p><span lang=\"EN-US\">Solar and Mango use a C#\/.NET task on a timer to iteratively execute their main functions.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/001\">T1059.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Command and Scripting Interpreter: PowerShell<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s IDumper tool uses PowerShell for execution.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/003\">T1059.003<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Command and Scripting Interpreter: Windows Command Shell<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s Solar, SC5k, IDumper, EDumper, and CDumper use <\/span><span><span 
lang=\"EN-US\">cmd.exe<\/span><\/span><span lang=\"EN-US\"> to execute tasks on the system.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/005\">T1059.005<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Command and Scripting Interpreter: Visual Basic<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig uses a malicious VBScript to deliver and persist its Solar and Mango backdoors.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1106\">T1106<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Native API<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s Mango backdoor uses the <\/span><span><span lang=\"EN-US\">CreateProcess<\/span><\/span><span lang=\"EN-US\"> Windows API for execution.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Persistence<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1053\/005\">T1053.005<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Scheduled Task\/Job: Scheduled Task<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s VBS dropper schedules a task named <\/span><span><span lang=\"EN-US\">ReminderTask<\/span><\/span><span lang=\"EN-US\"> to establish persistence for the Mango backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"8\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Defense Evasion<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1036\/005\">T1036.005<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Masquerading: Match Legitimate Name 
or Location<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig uses legitimate or innocuous filenames for its malware to disguise itself from defenders and security software.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1027\/002\">T1027.002<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obfuscated Files or Information: Software Packing<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig has used <a href=\"https:\/\/www.sapien.com\/blog\/2016\/10\/24\/sapien-script-packager-updates-and-new-features\/\">SAPIEN Script Packager<\/a> and <a href=\"https:\/\/www.red-gate.com\/products\/dotnet-development\/smartassembly\/\">SmartAssembly obfuscator<\/a> to obfuscate its IDumper tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1027\/009\">T1027.009<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obfuscated Files or Information: Embedded Payloads<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s VBS droppers have malicious payloads embedded within them as a series of base64 substrings.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1036\/004\">T1036.004<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Masquerading: Masquerade Task or Service<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">In order to appear legitimate, Mango\u2019s VBS dropper schedules a task with the description <\/span><span><span lang=\"EN-US\">Start notepad at a certain time<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1070\/009\">T1070.009<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Indicator Removal: Clear Persistence<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s post-compromise tools delete their scheduled tasks after a certain time period.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1140\">T1140<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"FR\">Deobfuscate\/Decode Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig uses several obfuscation methods to protect its strings and embedded payloads.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1553\">T1553<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Subvert Trust Controls<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">SC5k uses Office 365, generally a trusted third party and often overlooked by defenders, as a download site.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1562\">T1562<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Impair Defenses<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s Mango backdoor has an (as yet) unused capability to block endpoint security solutions from loading their user-mode code in specific processes.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Credential Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1555\/003\">T1555.003<\/a><\/span><\/p>\n<\/td>\n<td 
width=\"151\">\n<p><span lang=\"EN-US\">Credentials from Password Stores: Credentials from Web Browsers<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s custom tools MKG, CDumper, and EDumper can obtain credentials, cookies, and browsing history from Chrome and Edge browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1555\/004\">T1555.004<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Credentials from Password Stores: Windows Credential Manager<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s custom credential dumping tool IDumper can steal credentials from the Windows Credential Manager.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Discovery<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1082\">T1082<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">System Information Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango obtains the compromised computer name.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1083\">T1083<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">File and Directory Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango has a command to enumerate the content of a specified directory.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1033\">T1033<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">System Owner\/User Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango obtains 
the victim\u2019s username.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1087\/001\">T1087.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Account Discovery: Local Account<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">OilRig\u2019s EDumper, CDumper, and IDumper tools can enumerate all user accounts on the compromised host.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1217\">T1217<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Browser Information Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">MKG dumps Chrome history and bookmarks.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"7\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Command and Control<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1071\/001\">T1071.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Application Layer Protocol: Web Protocols<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango uses HTTP in C&amp;C communications.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1105\">T1105<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Ingress Tool Transfer<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango has the capability to download additional files from the C&amp;C server for subsequent execution.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1001\">T1001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span 
lang=\"EN-US\">Data Obfuscation<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Solar and SC5k use a simple XOR-encryption method along with gzip compression to obfuscate data at rest and in transit.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1102\/002\">T1102.002<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Web Service: Bidirectional Communication<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">SC5k uses Office 365 for downloading files from and uploading files to the <\/span><span><span lang=\"EN-US\">Drafts<\/span><\/span><span lang=\"EN-US\"> directory in a legitimate email account.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1132\/001\">T1132.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Data Encoding: Standard Encoding<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Solar, Mango, and MKG base64 decodes data before sending it to the C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1573\/001\">T1573.001<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Encrypted Channel: Symmetric Cryptography<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango uses an XOR cipher with the key <\/span><span><span lang=\"EN-US\">Q&amp;4g<\/span><\/span><span lang=\"EN-US\"> to encrypt data in C&amp;C communication.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1573\/002\">T1573.002<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Encrypted Channel: Asymmetric Cryptography<\/span><\/p>\n<\/td>\n<td 
width=\"265\">\n<p><span lang=\"EN-US\">Mango uses TLS for C&amp;C communication.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Exfiltration<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1041\">T1041<\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Exfiltration Over C2 Channel<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Mango, Solar, and SC5k use their C&amp;C channels for exfiltration.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span>\n<\/p>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes\/\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/12\/eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers document OilRig\u2019s Outer Space and Juicy Mix campaigns, targeting Israeli organizations in 2021 and 
2022<\/p>\n","protected":false},"author":5,"featured_media":8462,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8461"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8462"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}