OilRig APT Back in Business With New Backdoor

An array of cyber attacks on a Middle Eastern telecom company has indicated the return of the OilRig APT.

What’s happening?

The RDAT tool uses email as a Command and Control (C&C) channel, with attachments that conceal commands and data inside bitmap images through steganography. The backdoor made its debut as a proprietary OilRig weapon three years ago and has been improved considerably over the years.

Latest attacks involving steganography

  • An email spam campaign uncovered in June was spreading a new strain of the IcedID trojan. It exhibited several layers of sophistication, such as steganography, HTTPS, and MSI.
  • In May, a targeted barrage of attacks on ICS suppliers was conducted through phishing and steganography.
  • Earlier this year, threat actors adopted a steganography-based credit card skimmer to steal payment card details.

What’s different about this attack?

  • Unlike previous RDAT samples, this one uses only DNS tunneling for its C&C communications without any HTTP fallback channel.
  • Two email addresses are used by the RDAT payload to receive and send emails to facilitate C&C communications.
  • The method of data exfiltration is also the same as that used for hiding its C&C commands. 

The bottom line

The OilRig APT has been using the unique RDAT backdoor since 2017 to attack organizations based in the Middle East. The use of a novel C&C channel, along with steganography, demonstrates that the threat actors have continually invested in developing and evolving their tactics and techniques.