Israeli organizations have been targeted by the Iranian nation-state actor known as OilRig in two separate campaigns in 2021 and 2022. The campaigns, named Outer Space and Juicy Mix, utilized two previously documented first-stage backdoors called Solar and Mango. These backdoors were deployed through spear-phishing emails and were used to gather sensitive information from major browsers and the Windows Credential Manager.
OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since 2014. The group has employed a variety of tools to carry out information theft. In a recent analysis, ESET security researcher Zuzana Hromcová revealed that the Mango malware, previously highlighted by ESET and Microsoft, was used in these campaigns. The group specifically targets Israeli local government agencies and companies in the defense, lodging, and healthcare sectors.
OilRig relies on spear-phishing lures and booby-trapped attachments to distribute the malware. The campaigns involved the use of command-and-control servers, backdoors, downloaders, and data exfiltration tools. OilRig continues to develop new implants with backdoor-like capabilities and finds innovative ways to execute commands on remote systems, according to Hromcová.