Rewterz Threat Alert – Recent OilRig Activity – IoCs

Severity

Medium

Analysis Summary

OilRig or APT34 (or HelixKitten) has been associated with global cyber attacks on about a hundred organizations in 27 countries. Recently, researchers discovered about 12,765 credentials that were stolen by this APT group.

The group uses a number of malicious backdoors, webshells and DNS hijacking toolkits mainly poisonfrog (bondupdater), hypershell, highshell, minion and glimpse.

Impact

• Credential Theft
• DNS Hijacking

Indicators of Compromise

URLs

• hxxp[:]//office365-management[.]com/updatejuly/template[.]rtf
• msoffice-cdn[.]com
• myleftheart[.]com
• ns1[.]msoffice-cdn[.]com
• ns1[.]office365-management[.]com
• ns2[.]msoffice-cdn[.]com
• ns2[.]office365-management[.]com
• office365-management[.]com
• www[.]msoffice-cdn[.]com
• www[.]office365-management[.]com

Malware Hash (MD5/SHA1/SH256)

• 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
• fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
• fe9cdef3c88f83b74512ec6400b7231d7295bda78079b116627c4bc9b7a373e0
• 22c4023c8daa57434ef79b838e601d9d72833fec363340536396fe7d08ee2017
• dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
• c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
• a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
• 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
• 775442f10bd7c7df58e549d6682b990d47017f077fe37eb271b4477bb3f8d7dd

Remediation

Block the threat indicators at their respective controls.