EXECUTIVE SUMMARY:
A newly identified campaign attributed to OilRig has been observed leveraging deceptive delivery mechanisms to distribute malicious payloads targeting enterprise and individual users. The operation primarily relies on social engineering and hidden execution chains to bypass traditional security defenses. The attackers aim to compromise systems for data theft, remote control, and long-term persistence, posing significant risks to both organizational infrastructure and sensitive information assets.
The attack chain begins with phishing emails delivering malicious Excel macro documents disguised as politically or socially relevant content to entice user interaction. Once enabled, embedded VBA macros extract and decode hidden managed code payloads, which are then compiled on the victim system to generate a loader. This loader retrieves configuration data from GitHub-hosted resources and subsequently resolves Google Drive links hosting seemingly benign images. These images conceal encrypted configuration data using LSB steganography, which is extracted and decrypted using Base64 and XOR operations. The decrypted configuration delivers multiple module URLs responsible for persistence, data theft, command execution, and payload deployment. Execution is heavily memory-resident, reducing disk artifacts, while persistence is achieved via scheduled tasks and legitimate system binaries. Communication with the command-and-control infrastructure is established through the Telegram Bot API, enabling operations such as file upload/download, command execution, DLL loading, and remote program execution. The modular architecture allows dynamic loading of components, increasing operational flexibility and evasion capability.
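The LSB-plus-Base64/XOR decoding step described above, as an added analyst helper that is not code from the report or from OilRig's tooling: it pulls a length-prefixed blob out of the low bit of each image channel byte, Base64-decodes it and XORs it with a repeating key. The bit layout (MSB-first, 32-bit big-endian length prefix), the XOR-then-Base64 encoding order, the key and the sample configuration are all assumptions or constructed for the demo; on a real sample the layout has to be recovered from the loader.

```python
import base64

# Added analyst helper; not code from the report or from OilRig.
# ASSUMED layout: payload bits sit MSB-first in the LSB of each channel byte,
# preceded by a 32-bit big-endian length. The XOR key below is a placeholder.

def read_lsb_bytes(channel_bytes: bytes, nbytes: int, bit_offset: int = 0) -> bytes:
    """Reassemble nbytes from the LSBs of channel_bytes, starting at bit_offset."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (channel_bytes[bit_offset + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)

def extract_hidden_blob(channel_bytes: bytes) -> bytes:
    """Length-prefixed LSB payload: 4-byte length, then that many payload bytes."""
    length = int.from_bytes(read_lsb_bytes(channel_bytes, 4), "big")
    if length == 0 or 32 + length * 8 > len(channel_bytes):
        raise ValueError("no plausible LSB payload (length %d)" % length)
    return read_lsb_bytes(channel_bytes, length, bit_offset=32)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_config(channel_bytes: bytes, key: bytes) -> str:
    """Reverse the order the report gives: LSB extract -> Base64 decode -> XOR."""
    blob = extract_hidden_blob(channel_bytes)
    return xor_bytes(base64.b64decode(blob, validate=True), key).decode("utf-8")

# Constructed fixture so the extractor can be exercised offline (XOR -> Base64 -> LSB).
def build_sample_cover(config: str, key: bytes, cover_len: int = 4096) -> bytes:
    payload = base64.b64encode(xor_bytes(config.encode("utf-8"), key))
    blob = len(payload).to_bytes(4, "big") + payload
    cover = bytearray((i * 37) & 0xFF for i in range(cover_len))  # deterministic "pixels"
    for i, byte in enumerate(blob):
        for j in range(8):
            cover[i * 8 + j] = (cover[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(cover)

SAMPLE_KEY = b"placeholder-key"  # placeholder; the real key is not in the report
SAMPLE_CONFIG = '{"modules": ["persist", "steal"], "c2": "telegram-bot-api"}'  # constructed

if __name__ == "__main__":
    print(decode_config(build_sample_cover(SAMPLE_CONFIG, SAMPLE_KEY), SAMPLE_KEY))
```

For a real image, feed `decode_config` the raw channel bytes (for example `Image.open(path).tobytes()` from Pillow) after confirming the loader's actual bit order and length encoding.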
The campaign highlights the continued advancement of OilRig's attack methodology, demonstrating a shift toward highly modular, cloud-assisted, and memory-resident intrusion techniques. By abusing trusted platforms such as GitHub, Google Drive, and Telegram, the group blends malicious activity with legitimate traffic, complicating detection and response efforts. The integration of steganography, dynamic compilation, and multi-stage payload delivery underscores a deliberate effort to evade modern security controls and maintain long-term access to targeted environments.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1027.002 | Obfuscated Files or Information | Software Packing |
| Stealth | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Discovery | T1082 | System Information Discovery | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/oilrig-hides-c2-configuration/