OilRig

APT / StateG0049
OriginIrã
Techniques (MITRE ATT&CK)76
SourceMITRE ATT&CK
Also known as:COBALT GYPSYIRN2APT34Helix KittenEvasive SerpensHazel SandstormEUROPIUMITG13Earth SimnavazCrambusTA452

Vexday analysis

OilRig (também referenciado como APT34, COBALT GYPSY, Helix Kitten, Evasive Serpens e Hazel Sandstorm) é um grupo de ameaça persistente avançada de origem iraniana, ativo pelo menos desde 2014, que tem como alvos vítimas no Oriente Médio e em outros países. O grupo atua contra setores variados, incluindo financeiro, governamental, energético, químico e de telecomunicações, e conduz ataques à cadeia de suprimentos para atingir seus alvos primários por meio de relações de confiança entre organizações. Acredita-se que opere em nome do governo iraniano, conclusão baseada em detalhes de infraestrutura com referências ao Irã e em padrões de alvejamento alinhados a interesses de Estado. O MITRE ATT&CK (G0049) documenta 76 técnicas associadas ao grupo, que tem ainda 3 CVEs atribuídas como exploradas em suas operações.

Techniques (MITRE ATT&CK) 76

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Resource development
DomainsEmail AccountsMalwareToolCode Signing CertificatesUpload Malware
Initial access
Supply Chain CompromiseSpearphishing AttachmentSpearphishing LinkSpearphishing via Service
Execution
Windows Management InstrumentationScheduled TaskCommand and Scripting InterpreterPowerShellWindows Command ShellVisual BasicExploitation for Client ExecutionMalicious LinkMalicious File
Persistence
External Remote ServicesOutlook Home PageWeb ShellWindows Service
Privilege escalation
Exploitation for Privilege Escalation
Credential access
LSASS MemoryLSA SecretsCached Domain CredentialsBrute ForceCredentials In FilesCredentials from Password StoresCredentials from Web BrowsersWindows Credential Manager
Discovery
System Service DiscoveryQuery RegistrySystem Network Configuration DiscoverySystem Owner/User DiscoveryNetwork Service DiscoverySystem Network Connections DiscoveryProcess DiscoveryLocal GroupsDomain GroupsSystem Information DiscoveryLocal AccountDomain AccountPeripheral Device DiscoveryPassword Policy Discovery
Lateral movement
Remote Desktop ProtocolSSH
Collection
Data from Local SystemData from Removable MediaKeyloggingScreen CaptureClipboard DataAutomated Collection
Command and control
Fallback ChannelsWeb ProtocolsDNSIngress Tool TransferRemote Access ToolsProtocol TunnelingAsymmetric Cryptography
Exfiltration
Exfiltration Over Unencrypted Non-C2 Protocol
defense-impairment
Modify RegistryCode SigningPassword Filter DLLWindows Host Firewall
stealth
Indicator Removal from ToolsEncrypted/Encoded FileMasqueradingMatch Legitimate Resource Name or LocationFile DeletionValid AccountsDomain AccountsDeobfuscate/Decode Files or InformationCompiled HTML FileSystem Checks

Exploited vulnerabilities 3

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2024-30088HIGHEPSS 68%KEVCVE-2017-11774HIGHEPSS 60%KEVCVE-2017-8625EPSS 15%

OilRig uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →