Another attack wave directed at Israeli organizations was reported by Morphisec and Palo Alto Networks on April 27th. OilRig was initially discovered in May 2016, after two attack waves targeting financial institutions and technology organizations in Saudi Arabia were detected. OilRig is attributed to an Iranian APT cyber group; its name stems from the Farsi word "Nafti" (Oily), which was also hardcoded into a number of the malware samples analyzed in 2016.
This attack (April 19 – 24) was executed using compromised email accounts at Israel's Ben-Gurion University, sending a Microsoft Word attachment that exploited a former zero-day vulnerability. After exploitation, a fileless variant of the Helminth Trojan agent was installed. Although this campaign was attributed to the same actors as the former campaigns, the method of infection was modified, with different evasion mechanisms and a different communication protocol.
In this attack, each document exploited the vulnerability through a link embedded in the file that pointed to an HTML Application (.hta) file. While this file is downloading, the user is shown a notification offering a choice to download the file, when in actuality the execution of the .hta file downloads the Helminth malware either way. In the past, this malware was downloaded only after a macro in a ClaySlide document was executed.
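As an added example (not part of the original post, and not ThreatSTOP's or the researchers' code), the following Python check lets a defender triage Word attachments for the delivery mechanism described above: external OOXML relationships whose target URL path ends in .hta. The `build_sample` helper and the `example.invalid` URLs are constructed test fixtures, not artifacts from the campaign.

```python
from __future__ import annotations

import io
import zipfile
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_targets(doc_bytes: bytes) -> list[tuple[str, str]]:
    """Return (relationship type, target) for every external relationship
    in an OOXML package. Links that fetch remote content (oleObject,
    hyperlink, attachedTemplate, ...) are declared in the *.rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((rel_type, rel.get("Target", "")))
    return found


def hta_targets(doc_bytes: bytes) -> list[str]:
    """External targets whose URL path ends in .hta (case-insensitive);
    query strings and fragments are ignored so 'x.HTA?dl=1' still matches."""
    hits = []
    for _, target in external_targets(doc_bytes):
        if urlsplit(target).path.lower().endswith(".hta"):
            hits.append(target)
    return hits


def build_sample(target: str, rel_type: str) -> bytes:
    """Constructed minimal package with one external relationship; a test
    fixture for the check above, not a sample from the campaign."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}{rel_type}" Target="{target}" '
            f'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(hta_targets(build_sample("http://example.invalid/payload.hta", "oleObject")))
```

A hit is a triage signal, not proof of compromise: a document that pulls any remote content through an external relationship deserves a look, and the .hta match only narrows the queue to the pattern this campaign used.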
ThreatSTOP IP Firewall Service and DNS Firewall Service protect against OilRig's campaigns, if TSCritical targets are enabled in policies.