
Rewterz Threat Alert – OilRig Targets Middle Eastern Telecommunications Organization

July 23, 2020

Severity

High

Analysis Summary

Activity was observed involving the potential breach of a telecommunications organization in the Middle East. The files associated with this activity included custom Mimikatz samples for dumping credentials, a sample of the Bitvise client believed to have been used to create SSH tunnels, and a custom backdoor called RDAT. Given the combination of the use of RDAT in OilRig-related webshells, code similarities and tactical similarities, it is established that RDAT is a tool deployed by OilRig in the breach.

Two of the related tools collected had PDB paths similar to one seen in the past. The PDB paths were C:\Users\Void\Desktop\dns\client\x64\Release\client.pdb and C:\Users\Void\Desktop\RDAT\client\x64\Release\client.pdb, the latter of which is the basis of the tool name. Pivoting on the user file path C:\Users\Void\Desktop in the PDB string yielded over a dozen samples with that path, most of which were identified as a known OilRig tool called ISMDOOR. Considering the small cluster of related tools, it is highly likely they have been developed by a single adversary or adversary group with control over the codebase.

Pivots from PDB strings

Pivoting from the PDB strings also surfaced PowerShell downloaders attempting to retrieve files from the domain digi.shanx[.]icu.

PowerShell and infrastructure overlaps

Once the adversary gained interactive access to target hosts, they were observed executing PowerShell commands to perform post-exploitation activities. In one instance, a PowerShell script was executed to retrieve RDAT from the C2 apps.vvvnews[.]com, save it to C:\Programdata\Nt.dat, and move it to C:\Programdata\Vmware\VMware.exe.

The adversaries compiled the RDAT payloads used in the attacks on the Middle Eastern telecommunications organization on March 1, 2020, and configured them to use a domain provided on the command line or the hardcoded domain rsshay[.]com as their C2 server. Unlike previous RDAT samples, this particular sample only uses DNS tunneling for its C2 communications, with no HTTP fallback channel. This RDAT sample can only use TXT queries in its DNS tunnel and will issue queries structured like the following:

<encoded data>.<encoding method, 0 for base64 or 1 for base32><encryption key>.<C2 domain>
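A defender-side check for the query layout described above, written as an added example and not part of the advisory: it scans constructed DNS query log lines for TXT queries to the C2 domain rsshay[.]com whose labels fit <data>.<0|1><key>.<domain>, and confirms that the data label really decodes with the advertised encoding before raising a hit. The standard base64/base32 alphabets with padding stripped, the "<qtype> <qname>" log format and the sample query names are assumptions.

```python
import base64
import binascii

# C2 domain named in the advisory; in practice load the full IoC list.
RDAT_C2_DOMAINS = {"rsshay.com"}

# Constructed DNS query log lines ("<qtype> <qname>"); not real telemetry.
SAMPLE_DNS_LOG = [
    "TXT aGVsbG8gd29ybGQ.0k3yAb12.rsshay.com",     # base64 data, method 0
    "TXT NBSWY3DPEB3W64TMMQ.1k3yAb12.rsshay.com",  # base32 data, method 1
    "A www.rsshay.com",                            # not TXT; this RDAT build is TXT-only
    "TXT _dmarc.example.com",                      # unrelated domain
]

def _decode(data, method):
    """Decode data labels with the advertised method; assumes standard alphabets, '=' padding dropped."""
    try:
        if method == "0":
            return base64.b64decode(data + "=" * (-len(data) % 4), validate=True)
        if method == "1":
            return base64.b32decode(data.upper() + "=" * (-len(data) % 8))
    except (binascii.Error, ValueError):
        pass
    return None

def classify_txt_query(qname):
    """Return match details if qname fits <data>.<method><key>.<c2 domain>, else None."""
    labels = qname.rstrip(".").split(".")
    domain = ".".join(labels[-2:]).lower()  # two-label C2 domains in the IoC list
    if domain not in RDAT_C2_DOMAINS or len(labels) < 4:
        return None  # a bare lookup of the domain carries no tunnel labels
    control, data_labels = labels[-3], labels[:-3]
    method, key = control[:1], control[1:]
    if method not in ("0", "1") or not key:
        return None
    payload = _decode("".join(data_labels), method)  # keep case: base64 is case-sensitive
    if payload is None:
        return None
    return {"domain": domain, "method": "base64" if method == "0" else "base32",
            "key": key, "payload_len": len(payload)}

def scan_dns_log(lines):
    """Collect (qname, details) for TXT queries that fit the RDAT tunnel layout."""
    hits = []
    for qtype, _, qname in (line.strip().partition(" ") for line in lines):
        details = classify_txt_query(qname) if qtype.upper() == "TXT" else None
        if details:
            hits.append((qname, details))
    return hits
```

Because resolvers may not preserve label case, a base64 channel can be corrupted in transit while base32 survives; a query that decodes as neither is still worth logging when it hits a known C2 domain.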

Impact

Gain access

Indicators of Compromise

Domain Name


SHA-256


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.