Rewterz Threat Alert – APT34 (OilRig) Fresh Campaign – IoCs

Severity

High

Analysis Summary

A campaign has been uncovered that looks like the work of Iran-based APT group Helix Kitten, aka OilRig and APT34. Initial analysis of likely OilRig-related observables revealed a phishing campaign targeting the Russian nuclear industry with Chinese language characteristics, as well as several other manufacturing and technology companies. While much remains unknown about this newly identified campaign. A login page used in the campaign appears to be a straightforward credential harvester, submitting credentials entered into the form fields as a POST to the same hosting domain. The domain itself appears to be either an abandoned or compromised legitimate website associated with a local fire department in the United States. Based on these links, DomainTools assesses some possibility for phishing themes combining Russian nuclear organizations with Chinese construction and critical infrastructure entities against individuals working on such projects.

Recently, in July, OilRig has targeted Middle Eastern organizations as well. Moreover, this APT group targets a vast range of geography. One of its earlier campaigns include targeting 100 organizations across 27 countries. 

Impact

• Credential Theft
• Unauthorized Access
• Information Theft

Indicators of Compromise

Domain Name

• stagmein[.]pl
• mngtboard[.]com
• lavalingroup[.]com
• groupsexecutive[.]com
• cornerstoneconect[.]com
• boardsexecutives[.]com
• boardexecutivemanagement[.]com
• anhuisiafu[.]com
• zj-tunq[.]com
• wiqzi[.]com
• wilsonconts[.]com
• virtualcaresadvisor[.]com
• virtual-slots[.]com
• us-customs[.]org
• svn-stone[.]com
• superrnax[.]com
• renrenbaowang[.]net
• renrenbaowang[.]com
• petrochinas[.]com
• pet188[.]biz
• oculus-au[.]info
• klwebsrv[.]com
• kent-lawfirm[.]net
• jlrootfile[.]com
• jinkangpu[.]co
• jiabolianjie0[.]com
• indeptheva[.]com
• huopay[.]top
• hscminkjet[.]com
• hoganlouells[.]com
• exmngt[.]com
• connect-roofing[.]com
• clearinghouseinternational[.]com
• chinaconstructioncorp[.]com
• cererock[.]com
• careers-ntiva[.]com
• berqertextiles[.]com
• bargertextiles[.]com
• amazon-loveyou[.]com
• alcirineos[.]com
• ababab[.]biz

From Email

• cjay006@yandex[.]com
• chr1styjoe@yandex[.]com
• diandianlai@yandex[.]com
• lovelead247@yandex[.]com

Source IP

• 77[.]55[.]219[.]100
• 69[.]64[.]147[.]39
• 193[.]239[.]84[.]207
• 158[.]247[.]204[.]149
• 156[.]253[.]10[.]173
• 141[.]136[.]36[.]251
• 108[.]62[.]118[.]233
• 103[.]19[.]1[.]142

URL

• http[:]//iafflocal290[.]org/sapm/Poland/china[.]php

Remediation

• Block the threat indicators at their respective controls.
• Do not download attachments or click on links given in untrusted emails.
• Use multi-factor authentication where possible.