© 2026 blacktemple.net
OilRig

Also known as: APT34 · Helix Kitten · Hazel Sandstorm · Crambus · Cobalt Gypsy · IRN2 · TA452

Type: nation-state
Nation: 🇮🇷 Iran
Active Since: 2014
Targets: Energy · Government · Financial Services · Telecommunications · Chemical · Critical Infrastructure
Known Tools: Karkoff · Saitama · SideTwist · VALUEVAULT · LONGWATCH · OilBooster · Solar · Mango · MrPerfectionManager · CatB · DNSExfiltrator
MITRE ATT&CK: T1566.001 · T1059.001 · T1059.005 · T1071.004 · T1048.003 · T1003 · T1087 · T1018 · T1053.005 · T1547.001 · T1027 · T1583.001 · T1021.002
References: MITRE ATT&CK · FireEye - APT34 · ESET - OilRig Analysis · Check Point - OilRig DNS Tunneling · Unit 42 - APT34 Operations

Background

OilRig is an Iranian cyber espionage group attributed to Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2014, the group has established itself as one of Iran's most technically sophisticated threat actors, with a particular focus on the energy sector, government organizations, and critical infrastructure across the Middle East. OilRig's operations primarily target countries in the Gulf Cooperation Council (GCC) region, including Saudi Arabia, the UAE, Kuwait, Bahrain, and Qatar, as well as Israel, Jordan, Lebanon, and Turkey.

The group's MOIS affiliation was confirmed following a significant operational security failure in 2019, when a persona known as "Lab Dookhtegan" leaked a substantial portion of OilRig's toolset, operational documentation, and victim data on Telegram. The leak revealed the group's internal organizational structure, naming conventions, and operational playbooks. Despite this exposure, OilRig continued operations with minimal disruption, rapidly developing replacement tooling and demonstrating the depth of their development capability and institutional resilience.

OilRig is distinguished from other Iranian threat actors by its heavy reliance on DNS-based communication channels for command and control and data exfiltration. The group has developed multiple custom tools that use DNS tunneling, DNS over HTTPS (DoH), and DNS TXT records to maintain covert communications with compromised systems. This emphasis on DNS-based techniques reflects a sophisticated understanding of enterprise network monitoring gaps, as DNS traffic is frequently less scrutinized than HTTP/HTTPS traffic. OilRig also demonstrates strong post-exploitation capabilities, conducting methodical network enumeration, lateral movement, and long-term persistent access to target environments.

Notable Campaigns

Middle East Government Targeting (2016-2017)

OilRig conducted a series of campaigns against government organizations in Saudi Arabia, Qatar, Kuwait, Turkey, and Israel using the Helminth and ISMAgent backdoors. The group targeted government ministries, foreign affairs departments, and financial regulatory bodies. Attack chains typically began with spear-phishing emails containing malicious macro-enabled documents themed as resumes, government forms, or industry reports. These campaigns established OilRig as a primary cyber threat to Gulf state governments.

DNSpionage Campaign (2018-2019)

OilRig was linked to the DNSpionage operation, which targeted government and private sector organizations across the Middle East. The campaign leveraged DNS hijacking to redirect traffic from legitimate government and corporate domains through attacker-controlled servers, enabling credential harvesting at scale. Targets included government email systems, VPN portals, and corporate intranets in Lebanon, the UAE, and other Middle Eastern countries. The DNS manipulation occurred at the registrar level, demonstrating the group's ability to compromise domain infrastructure.

Lab Dookhtegan Tool Leak (April 2019)

A persona operating under the name "Lab Dookhtegan" leaked OilRig's tools, operational data, and victim information on Telegram over several weeks. The leaked materials included source code for tools like Glimpse, PoisonFrog, HyperShell, and Fox Panel, along with IP addresses of C2 servers and data from compromised organizations. The leak was attributed to either a disgruntled insider or a rival intelligence service. OilRig responded by developing entirely new tooling, including SideTwist, Saitama, and later Solar/Mango.

Karkoff and Saitama Campaigns (2020-2022)

Following the 2019 tool leak, OilRig deployed new backdoor families in operations against government organizations in Jordan, Lebanon, and other Middle Eastern countries. The Saitama backdoor, discovered in 2022 targeting a Jordanian government ministry, communicated entirely through DNS protocols using a finite state machine for flow control, representing a technically sophisticated evolution of OilRig's DNS-based C2 approach. The Karkoff backdoor targeted Exchange servers and used legitimate email channels for C2.

Solar, Mango, and OilBooster Operations (2023-2024)

ESET and other researchers documented OilRig deploying new custom tools—Solar (a downloader), Mango (a backdoor), and OilBooster (a C2 tool using Microsoft Graph API)—against Israeli organizations. The campaigns exploited vulnerabilities in public-facing web servers for initial access and demonstrated OilRig's continued investment in custom tool development. The group showed an increasing tendency to abuse cloud services, with OilBooster leveraging Microsoft OneDrive for C2 communications, and MrPerfectionManager using Exchange Web Services for command distribution.

Tactics, Techniques & Procedures

Initial Access: OilRig primarily uses spear-phishing emails (T1566.001) with weaponized documents for initial access. The group crafts industry-specific lures targeting energy, government, and financial sector employees, often using job-themed, invoice-themed, or government-themed documents containing malicious macros or embedded objects. In more recent campaigns, OilRig has shifted to exploiting vulnerabilities in internet-facing web servers and deploying webshells for initial access, reducing reliance on phishing. The group has also conducted credential-based access using stolen VPN and email credentials obtained from previous compromises.

Execution and Discovery: After gaining initial access, OilRig conducts thorough network reconnaissance using a combination of native Windows tools and custom scripts. The group enumerates domain users (T1087), network shares (T1135), trust relationships, and network topology. Custom PowerShell and VBScript tools automate the collection of system information, installed software, and running processes. This methodical reconnaissance phase often precedes deployment of more capable backdoors.

Command and Control: OilRig's hallmark is DNS-based C2 communication. The group has developed multiple tools that encode commands and data within DNS queries and responses, using A records, TXT records, MX records, and AAAA records. DNS tunneling (T1071.004) is favored because DNS traffic is often allowed through firewalls and less monitored than web traffic. More recently, the group has adopted cloud-based C2 using Microsoft Graph API, Exchange Web Services, and OneDrive, reflecting an evolution toward abusing trusted cloud services.

Data Exfiltration: OilRig exfiltrates data primarily through DNS channels (T1048.003), encoding stolen files and credentials within DNS queries sent to attacker-controlled authoritative name servers. The group also uses HTTP/HTTPS exfiltration and has been observed staging data in compressed, encrypted archives before exfiltration. Credential harvesting from memory (T1003) using tools like Mimikatz variants is a consistent post-exploitation activity, enabling lateral movement and persistent access.

Lateral Movement: The group uses SMB (T1021.002) and RDP for lateral movement, leveraging credentials obtained through credential dumping and keylogging. OilRig deploys webshells on internal web servers to create pivot points within target networks. The group demonstrates patience in lateral movement operations, sometimes waiting weeks between initial compromise and deeper network penetration.

Tools & Malware

  • Saitama: A backdoor written in .NET that communicates exclusively via DNS, using a finite state machine to manage command flow. Each DNS query encodes a small piece of data, making traffic appear as normal DNS resolution. Named after the anime character, it targets government organizations.
  • SideTwist: A C-based backdoor developed after the 2019 tool leak, supporting command execution, file upload/download, and system reconnaissance. Uses HTTP for C2 with custom encoding.
  • Solar: A downloader component used in multi-stage attacks, responsible for downloading and executing additional payloads from C2 infrastructure. Implements anti-analysis checks before execution.
  • Mango: A backdoor deployed alongside Solar, providing persistent access with capabilities for command execution, file operations, and data exfiltration. Uses a custom communication protocol.
  • OilBooster: A tool that abuses Microsoft Graph API and OneDrive for C2 communication, storing commands and exfiltrated data in cloud storage. Represents OilRig's shift toward cloud-based infrastructure abuse.
  • MrPerfectionManager: A backdoor that leverages Exchange Web Services (EWS) for C2, hiding commands within email draft messages in compromised mailboxes.
  • Karkoff: A backdoor targeting Exchange servers, using email-based C2 where commands are received via specially crafted emails and responses are sent back through the same channel.
  • VALUEVAULT: A credential harvesting tool that targets browser-stored passwords, implemented as a compiled AutoIT script that extracts credentials from Firefox and Chrome.
  • LONGWATCH: A keylogger that records keystrokes to a log file for later collection, used in conjunction with other tools for comprehensive credential harvesting.
  • DNSExfiltrator: A custom tool designed specifically for data exfiltration over DNS channels, supporting multiple encoding schemes and DNS record types to maximize throughput while evading detection.
  • CatB: A custom webshell deployed on compromised IIS and Apache servers, providing file management, command execution, and network tunneling capabilities as a persistent foothold.

Indicators & Detection

DNS Monitoring:

  • Implement comprehensive DNS logging and analysis. OilRig's primary C2 mechanism—DNS tunneling—can be detected by monitoring for anomalous DNS query patterns, including high query volumes to single domains, unusually long subdomain labels, queries for uncommon record types (TXT, MX, AAAA) to non-standard domains, and high entropy in query strings.
  • Monitor for DNS queries with base32 or base64-encoded subdomain components, which are characteristic of DNS tunneling tools.
  • Watch for DNS over HTTPS (DoH) connections to non-standard resolvers, which may indicate attempts to bypass DNS monitoring.
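The DNS heuristics listed above (query volume per zone, label length, uncommon record types, high entropy and base32/base64-looking labels) as one scoring pass over resolver logs. This is an added example, not code from the page or from any of the vendor reports it cites; the log line format, the "last two labels are the zone" shortcut, the constructed sample queries and the thresholds are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines ("client qname qtype"); not captured OilRig traffic.
SAMPLE_DNS_LOG = """\
10.0.1.5 www.example.com A
10.0.1.5 mail.example.com MX
10.0.1.7 nbswy3dpeb3w64tmmq.c1.update-svc.example.net TXT
10.0.1.7 mfrggzdfmztwq2lknnwg23tpobyxe43uoj2gg.c2.update-svc.example.net TXT
10.0.1.7 ovsxg5dtnfxgs3tvmvzcazlymftw64tbonuxg.c3.update-svc.example.net TXT
10.0.1.7 k5sw2ylnmuqhg3djn5xsa5dpebswy3dpojzws.c4.update-svc.example.net AAAA
10.0.1.9 cdn.example.org A
"""

WATCH_QTYPES = {"TXT", "MX", "AAAA"}  # record types the page singles out for non-standard domains
ENCODED_LABEL = re.compile(r"[a-z2-7]{16,}|[A-Za-z0-9_-]{16,}")  # base32 or base64url alphabet

def shannon_entropy(s: str) -> float:
    """Bits per character: base32 payload labels sit near 4, real hostnames well under 3.5."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def looks_encoded(label: str) -> bool:
    """A long label drawn from an encoding alphabet whose characters are near-uniformly spread."""
    return bool(ENCODED_LABEL.fullmatch(label)) and shannon_entropy(label) >= 3.5

def profile_domains(log_text: str) -> dict:
    """Per-zone counters behind the page's heuristics: volume, label length, encoding, record type."""
    stats = defaultdict(lambda: {"queries": 0, "max_label": 0, "encoded": 0, "watched_qtype": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _client, qname, qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]  # assumption: last two labels name the zone (no public-suffix list)
        s["queries"] += 1
        s["max_label"] = max(s["max_label"], max(len(lab) for lab in labels))
        s["encoded"] += any(looks_encoded(lab) for lab in labels[:-2])
        s["watched_qtype"] += qtype.upper() in WATCH_QTYPES
    return dict(stats)

def suspected_tunnels(log_text: str, min_queries: int = 3, min_label: int = 30) -> list:
    """Zones with repeated watched-type queries whose subdomains look like encoded payloads."""
    return sorted(zone for zone, s in profile_domains(log_text).items()
                  if min(s["queries"], s["encoded"], s["watched_qtype"]) >= min_queries
                  and s["max_label"] >= min_label)
```

Legitimate zones that use long TXT records (mail authentication, certificate validation) will score on the record-type counter alone, which is why the example requires all three counters plus label length before naming a zone.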

Email and Web Server Security:

  • Harden Exchange servers and monitor for webshell deployment. OilRig frequently targets Exchange and IIS servers for both initial access and as C2 relay points.
  • Monitor for email drafts or messages being created and deleted rapidly, which may indicate Exchange-based C2 (MrPerfectionManager, Karkoff).
  • Implement web application firewalls and monitor for common webshell indicators on internet-facing web servers.

Host-Based Detection:

  • Monitor for PowerShell and VBScript execution that performs DNS queries programmatically, particularly scripts that construct DNS queries with encoded data.
  • Watch for credential dumping indicators, including access to LSASS, SAM, and NTDS.dit files.
  • Detect VALUEVAULT by monitoring for processes that access browser credential stores outside of the browser application itself.
  • Alert on scheduled task creation (T1053.005) with scripts that perform network communication, particularly DNS queries.

Cloud Service Monitoring:

  • Monitor Microsoft Graph API and Exchange Web Services usage for unusual patterns, particularly automated access from non-standard applications or service accounts.
  • Watch for OneDrive and SharePoint access patterns that suggest command-and-control usage, such as frequent small file creation and deletion.
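The rapid create-and-delete churn described for Exchange drafts (MrPerfectionManager, Karkoff) and for OneDrive above, as one detection pass over an audit trail. This is an added example, not part of the page; the record layout, action names, constructed events and the 60-second lifetime threshold are assumptions, not the Microsoft 365 audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail ("time actor item action"); the layout and action names are
# assumptions for this example, not the Microsoft 365 unified audit log schema.
SAMPLE_AUDIT_LOG = """\
2026-03-01T09:00:00Z svc-sync@example.com Drafts/msg-a1 Create
2026-03-01T09:00:06Z svc-sync@example.com Drafts/msg-a1 SoftDelete
2026-03-01T09:01:00Z svc-sync@example.com Drafts/msg-a2 Create
2026-03-01T09:01:05Z svc-sync@example.com Drafts/msg-a2 SoftDelete
2026-03-01T09:02:00Z svc-sync@example.com OneDrive/t.bin FileUploaded
2026-03-01T09:02:09Z svc-sync@example.com OneDrive/t.bin FileDeleted
2026-03-01T09:03:00Z svc-sync@example.com Drafts/msg-a3 Create
2026-03-01T09:03:07Z svc-sync@example.com Drafts/msg-a3 SoftDelete
2026-03-01T09:05:00Z alice@example.com Drafts/q1-report Create
2026-03-01T11:40:00Z alice@example.com Drafts/q1-report SoftDelete
"""

CREATE_ACTIONS = {"Create", "FileUploaded"}
DELETE_ACTIONS = {"SoftDelete", "HardDelete", "FileDeleted"}

def parse_events(log_text):
    """Yield (time, actor, item, action) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]

def churn_cycles(log_text, max_lifetime=timedelta(seconds=60)):
    """Count, per actor, items that were deleted within max_lifetime of being created."""
    open_items = {}  # (actor, item) -> creation time, until a matching delete arrives
    cycles = defaultdict(int)
    for ts, actor, item, action in sorted(parse_events(log_text)):
        key = (actor, item)
        if action in CREATE_ACTIONS:
            open_items[key] = ts
        elif action in DELETE_ACTIONS and key in open_items:
            if ts - open_items.pop(key) <= max_lifetime:
                cycles[actor] += 1
    return dict(cycles)

def churning_actors(log_text, min_cycles=3, max_lifetime=timedelta(seconds=60)):
    """Actors whose short-lived create/delete cycles cross the alert threshold."""
    return sorted(a for a, n in churn_cycles(log_text, max_lifetime).items() if n >= min_cycles)
```

A user who drafts and discards a message over hours never accumulates a cycle, while an automated mailbox or drive that cycles small items every minute does.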

Energy and Critical Infrastructure Sectors:

  • Organizations in the energy, oil and gas, and utilities sectors should treat OilRig as a persistent and capable threat. Implement network segmentation between IT and OT environments.
  • Conduct regular assessments of DNS security posture, including review of DNS logging capabilities, monitoring coverage, and detection rules for tunneling activity.

Related Intelligence (1)

  • [high] Iran Conflict Escalation Raises Critical Infrastructure Cyber Threat Concerns (Mar 2, 2026)