Threat Group Cards: A Threat Actor Encyclopedia

APT group: OilRig, APT 34, Helix Kitten, Chrysene

Names: OilRig (Palo Alto)
APT 34 (FireEye)
Helix Kitten (CrowdStrike)
Twisted Kitten (CrowdStrike)
Crambus (Symantec)
Chrysene (Dragos)
TA452 (Proofpoint)
IRN2 (Area 1)
ATK 40 (Thales)
ITG13 (IBM)
Country: Iran
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2014
Description: OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. This group was previously tracked under two distinct groups, APT 34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.

OilRig has 1 subgroup:
1. Subgroup: Greenbug, Volatile Kitten

OilRig seems to be closely related to APT 33, Elfin, Magnallium since at least 2017 and perhaps DNSpionage.
Observed sectors: Aviation, Chemical, Education, Energy, Financial, Government, High-Tech, Hospitality, Oil and gas, Telecommunications.
Observed countries: Azerbaijan, Iraq, Israel, Kuwait, Lebanon, Mauritius, Pakistan, Qatar, Saudi Arabia, Turkey, UAE, UK, USA.
Tools used: Alma Communicator, BONDUPDATER, certutil, Clayslide, DistTrack, DNSExfitrator, DNSpionage, Dustman, Fox Panel, GoogleDrive RAT, Helminth, ISMAgent, ISMDoor, ISMInjector, Jason, Karkoff, LaZagne, LONGWATCH, Mimikatz, Nautilus, Neuron, OilRig, OopsIE, PICKPOCKET, POWBAT, POWRUNER, PsList, QUADAGENT, RDAT, RGDoor, SpyNote RAT, StoneDrill, ThreeDollars, TONEDEAF, TONEDEAF 2.0, TwoFace, VALUEVAULT, Webmask, ZeroCleare, Living off the Land.

Operations performed

Aug 2012: Shamoon Attacks
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.
Target: Saudi Aramco and Rasgas.
<https://www.symantec.com/connect/blogs/shamoon-attacks>
May 2016: Targeted Attacks against Banks in the Middle East
In the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using unique scripts not commonly seen in crimeware campaigns.
<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>
<https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/>
Jun 2016: We have identified two separate testing efforts carried out by the OilRig actors, one occurring in June and one in November of 2016. The sample set associated with each of these testing activities is rather small, but the changes made to each of the files give us a chance to understand what modifications the actor performs in an attempt to evade detection. This testing activity also suggests that the threat group responsible for the OilRig attack campaign have an organized, professional operations model that includes a testing component to the development of their tools.
<https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/>
Oct 2016: In recent weeks we’ve discovered that the group have been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States.
<https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>
Nov 2016: Shamoon v2
The malware used in the recent attacks (W32.Disttrack.B) is largely unchanged from the variant used four years ago. In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three year-old Syrian refugee who drowned in the Mediterranean last year.
<https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever>
<https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/>
<https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/>
Jan 2017: Delivers Digitally Signed Malware, Impersonates University of Oxford
In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.
Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate.
<https://www.clearskysec.com/oilrig/>
Jun 2017: In July 2017, we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks. The OilRig group developed ISMAgent as a variant of the ISMDoor Trojan. In August 2017, we found this threat group has developed yet another Trojan that they call ‘Agent Injector’ with the specific purpose of installing the ISMAgent backdoor. We are tracking this tool as ISMInjector.
<https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/>
Jul 2017: The web server logs on the system we examined that was compromised with the TwoFace shell gave us a glimpse into the commands the actor executed through their malware. These commands also enabled us to create a profile of the actor, specifically their intentions and the tools and techniques used to carry out their operation.
<https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/>
Sep 2017: While expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP addresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper into these potential adversary IPs revealed a much larger infrastructure used to execute the attacks.
<https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/>
Nov 2017: New Targeted Attack in the Middle East
In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.
<https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html>
Jan 2018: On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.
The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017.
<https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/>
Jan 2018: While investigating files uploaded to a TwoFace webshell, Unit 42 discovered actors installing an Internet Information Services (IIS) backdoor that we call RGDoor. Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations, as well as one financial and one educational institution.
<https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/>
May 2018: Technology Service Provider and Government Agency
Between May and June 2018, Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East. Based on previously observed tactics, it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks.
<https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/>
Dec 2018: Shamoon v3
After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10 in a new wave of attacks against targets in the Middle East. These latest Shamoon attacks are doubly destructive, since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware wipes the master boot record.
<https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail>
<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/>
Jun 2019: [W]e identified three new malware families and a reappearance of PICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will examine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying their hand at Golang.
<https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html>
Dec 2019: New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
<https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/>
Jan 2020: Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.
<https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/>
Mar 2020: Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
<https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/>
Apr 2020: While analyzing an attack against a Middle Eastern telecommunications organization, we discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.
<https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/>

Counter operations

Mar 2019: In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.
<https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/>
Update: this leak may have been the work of the CIA.
Jun 2019: A new hacking tool believed to have been in the arsenal of Iranian state hackers has been published today online, in a Telegram channel.
This new tool is named Jason and was published online earlier today in the same Telegram channel where the leaker – going by the name of Lab Dookhtegan – dumped the six other previous hacking tools.
<https://www.zdnet.com/article/new-iranian-hacking-tool-leaked-on-telegram/>
Update: this leak may have been the work of the CIA.

Information: <https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/>
<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/>
<https://marcoramilli.com/2019/08/07/oilrig-the-techniques-evolution-over-time/>
<https://en.wikipedia.org/wiki/Helix_Kitten>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0049/>

Last change to this card: 30 July 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency