An array of cyber attacks on a Middle Eastern telecom company has indicated the return of the OilRig APT.
The RDAT tool utilizes email as a Command and Control (C&C) channel, with attachments that conceal commands and data inside bitmap images through the use of steganography. The backdoor made its debut as a proprietary OilRig weapon three years back and has seen quite a lot of improvements throughout the years.
Latest attacks involving steganography
- An email spam campaign was uncovered in the month of June that was spreading a new strain of the IcedID trojan. It exhibited various sophistication layers, such as steganography, HTTPs, and MSI.
- In May, a targeted barrage of attacks on ICS suppliers was conducted through phishing and steganography.
- Earlier this year, threat actors adopted steganography-based credit card skimmer to steal payment card details.
What’s different about this attack?
- Unlike previous RDAT samples, this one uses only DNS tunneling for its C&C communications without any HTTP fallback channel.
- Two email addresses are used by the RDAT payload to receive and send emails to facilitate C&C communications.
- The method of data exfiltration is also the same as that used for hiding its C&C commands.
The bottom line
The OilRig APT has been using the unique RDAT backdoor since 2017 to attack organizations based in the Middle East. The use of a novel C&C channel, along with steganography, demonstrates that over time, the threat actors have put continual efforts into the development and evolution of their tactics and techniques.