Outer Space and Juicy Mix: OilRig Campaigns Targeting Israeli Organizations

Diving into details

• The Outer Space campaign utilized the Solar backdoor and the SC5k downloader, while the Juicy Mix campaign featured the Mango backdoor and additional browser-data dumpers and credential stealers.
• The Mango first-stage backdoor is an upgraded version of Solar, also coded in C#/.NET. Mango’s capabilities include data exfiltration, use of native APIs, and code for detection evasion.
• Besides Mango, the researchers found two previously undocumented browser data dumpers. These were used to pilfer cookies, credentials, and browser history from Chrome and Edge browsers. Furthermore, the researchers attributed a Windows Credential Manager to the threat group.

Latest OilRig campaigns

• In May, the group targeted a government official at Jordan's foreign ministry using a malicious email and Excel document.
• The attack utilized a new hacking tool called Saitama, which abuses the DNS protocol for stealthy communication and shows signs of advanced knowledge about the victim's internal infrastructure.
• In February, OilRig developed a new backdoor to bypass security measures and target government organizations in the Middle East.
• The attack began with a .NET-based dropper, responsible for distributing four distinct files. These files were embedded within the main dropper, known as REDCAP, using a Base64 buffer.

The bottom line