Appendix A: Malware Sample Metadata ... 27
    Sample: Symantec- Worst Passwords List 2016.xls ... 27
    Sample: Special Offers.xls ... 29
    Sample: 57ef.xls ... 31
    Sample: test.xls ... 33
    Sample: a30f.xls ... 35
    Sample: 0c64.xls ... 35
    Sample: mainfile.xls ... 36
    Sample: users.xls ... 36
    Sample: ca64.xls ... 37
    Sample: Israel Airline.xls ... 37
    Sample: ccc.xls ... 38
    Sample: TurkishAirlines_Offers.xls ... 38
    Sample: x.xls ... 39
    Sample: password.xls ... 39
    Sample: bd09.xls ... 40
    Sample: users.xls ... 40
    Sample: People List.xls ... 41
    Sample: cv.xls ... 41
    Sample: test123.xls ... 42
    Sample: Sample File.xls ... 42
    Sample: Log.xls ... 43
    Sample: d0fb.eml ... 43
    Sample: cleaner.exe ... 44
    Sample: example_powershell_payloads.txt ... 44
Appendix B: Consolidated Indicator List ... 46
    Hash Values ... 46
About LogRhythm ... 47
About LogRhythm Labs ... 47
OILRIG CAMPAIGN ANALYSIS
Executive Summary
About OilRig
The earliest instance where a cyber attack was attributed to the OilRig
campaign was in late 2015. To date, two periods of high activity have been
identified following the initial attack: May 2016 and October 2016.
All known samples from these periods used malicious Excel files attached to
phishing emails to infect victims. Once infected, the victim machine can be
controlled by the attacker to perform basic remote-access-trojan-like tasks,
including command execution and file upload and download.
The primary targets have evolved over time; however, they continue to be
focused on critical infrastructure and governmental entities. Early attacks
focused on Middle Eastern banks and government entities. The latest attacks,
in October 2016, focused on government entities and now include other
Middle Eastern countries and the U.S. In addition, these latest attacks included
a number of airlines from Middle Eastern countries. It is likely that this attacker
will move to other industries, but history suggests they are most interested in
espionage activities rather than, for instance, intellectual property theft.
About this Report
The LogRhythm Labs™ Team (Labs Team) designed this report to provide
actionable intelligence regarding threat actors and the tools, techniques, and
procedures (TTPs) they use. Using this information, security operations center
(SOC) analysts can better detect and respond to this specific threat.
The indicators of compromise (IOCs) contained within this report can help
detect attacks by this threat actor. Where applicable, SOC analysts can import
or create signatures that can be added to different security tools to watch for
activity related to this campaign or for actors using similar TTPs. This report has
been designated TLP:WHITE [1] and therefore may be shared publicly. For this
reason, while the TTPs contained within this report were current at the time of
writing, the threat actor will likely take measures to thwart detection.
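To show how a consolidated indicator list like the one in Appendix B can be operationalized in a SOC, the following is an added example and not code from the LogRhythm report. It matches attachment names and hashes from mail-gateway log lines against an indicator set. The attachment names are the sample names listed in Appendix A of this report; the hash value is a placeholder, because the Appendix B hash list is not reproduced on this page; the log lines and their field format are constructed for the example. Generic names such as users.xls and test.xls are tagged low-confidence, since on their own they will also match benign traffic, so only a hash match or a distinctive name is escalated.

```python
"""Match attachment indicators from a mail-gateway log against an IOC list.

Added example, not the report's own code. Attachment names come from the
report's Appendix A; the hash is a PLACEHOLDER (real values are in Appendix B,
not reproduced here); the log lines and field layout are constructed.
"""
import re

# Filename indicators taken from Appendix A, with a confidence weight.
# Generic names are deliberately rated "low": they appear in benign mail too.
FILENAME_INDICATORS = {
    name.casefold(): conf
    for name, conf in {
        "Symantec- Worst Passwords List 2016.xls": "high",
        "TurkishAirlines_Offers.xls": "high",
        "Israel Airline.xls": "high",
        "Special Offers.xls": "medium",
        "People List.xls": "medium",
        "password.xls": "medium",
        "users.xls": "low",
        "test.xls": "low",
        "cv.xls": "low",
    }.items()
}

# PLACEHOLDER hash (64 hex digits). Replace with the values from Appendix B.
PLACEHOLDER_HASH = "00" * 31 + "01"
HASH_INDICATORS = {PLACEHOLDER_HASH: "Symantec- Worst Passwords List 2016.xls"}

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed gateway log format: ts gw=... from=... to=... attach="..." [sha256=...]
LINE_RE = re.compile(
    r'(?P<ts>\S+) .*?to=(?P<rcpt>\S+) .*?attach="(?P<attach>[^"]+)"'
    r'(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?'
)


def classify_attachment(line):
    """Return a hit dict for one log line, or None if nothing matched."""
    m = LINE_RE.search(line)
    if not m:
        return None
    attach = m.group("attach")
    digest = (m.group("sha256") or "").lower()
    base = {"timestamp": m.group("ts"), "recipient": m.group("rcpt"),
            "attachment": attach}
    # A hash match is authoritative regardless of how the file was named.
    if digest in HASH_INDICATORS:
        return {**base, "confidence": "high", "match": "hash",
                "indicator": HASH_INDICATORS[digest]}
    # Otherwise fall back to the (case-insensitive) filename indicator.
    conf = FILENAME_INDICATORS.get(attach.casefold())
    if conf is not None:
        return {**base, "confidence": conf, "match": "filename",
                "indicator": attach}
    return None


def scan(lines, min_confidence="low"):
    """Scan log lines; keep hits at or above min_confidence, in log order."""
    floor = CONFIDENCE_RANK[min_confidence]
    hits = []
    for line in lines:
        hit = classify_attachment(line)
        if hit is not None and CONFIDENCE_RANK[hit["confidence"]] >= floor:
            hits.append(hit)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2016-10-18T08:01:11Z gw=mx1 from=hr@partner.invalid to=a.user@corp.invalid '
    'attach="Q3 budget.xlsx" sha256=' + "ab" * 32,
    '2016-10-18T08:05:42Z gw=mx1 from=offers@travel.invalid to=b.user@corp.invalid '
    'attach="TurkishAirlines_Offers.xls" sha256=' + "cd" * 32,
    '2016-10-18T08:09:03Z gw=mx2 from=it@corp.invalid to=c.user@corp.invalid '
    'attach="users.xls"',
    '2016-10-18T08:15:30Z gw=mx2 from=news@list.invalid to=d.user@corp.invalid '
    'attach="symantec- worst passwords list 2016.xls" sha256=' + PLACEHOLDER_HASH,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["recipient"]} {hit["attachment"]!r} '
              f'-> {hit["confidence"]} ({hit["match"]} match)')
```

Running the block prints three hits: the airline offer by name (high), users.xls by name (low), and the renamed password-list file by hash (high). Filtering with min_confidence="medium" drops the generic-name hit, which is the triage behaviour a SOC would want before paging an analyst.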
The mitigation and remediation strategies presented in this report can be
used to respond to network attacks by this threat actor. SOC analysts can use
SmartResponse™ plug-ins to assist in response efforts when an infected host
is detected. Given the malware samples analyzed, remediation is simple and
involves deletion of files and operating system objects. The Labs Team did not
have a large sample of post-infection tools. Therefore, remediation of these
tools is beyond the scope of this report.
[1] https://www.us-cert.gov/tlp
PAGE 4
WWW.LOGRHYTHM.COM