On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel. To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig.
Unit 42’s continued look into OilRig analyzes the group’s operational tempo, including testing, weaponization and attack delivery.
Unit 42’s continued look into the OilRig threat group uncovers the use of spear-phishing emails to deliver an updated version the BONDUPDATER Trojan.
Sign up to receive the latest news, cyber threat intelligence and research from Unit 42
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.
The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not an exact duplicate of the previous attack and instead is an iterative variant. In this instance a spear phishing email was used containing
The OilRig group continues to adapt their tactics and bolster their toolset with newly developed tools. Get the full report from Unit 42.
Unit 42 details findings on the OilRig group’s attempted delivery of a new Trojan that we are tracking as OopsIE
Unit 42’s continued look into OilRig reveals the use of an Internet Information Services backdoor deployed on government webservers in the Middle East.
Introducing the adversary playbook by Unit 42. First up, OilRig.
Unit 42 continues to its look into OilRig with analysis on recent TwoFace Webshell testing activities.
Unit 42 observed a new version of the Clayslide delivery document used to install a new custom Trojan whose developer calls “ALMA Communicator”.
OilRig group steps up attacks with new delivery documents and new injector trojan.
Striking oil: a closer look at adversary infrastructure.
New research from Unit 42: OilRig uses ISMDoor variant; possibly linked to Greenbug threat group.
Unit 42 researches the techniques used by attackers to avoid antivirus detection and successfully deliver OilRig campaign attacks.
Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity. In recent weeks we’ve discovered that the group have been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by
Sign up to receive the latest news, cyber threat intelligence and research from Unit 42
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.