One sentence summary – The Iranian nation-state actor known as OilRig targeted Israeli organizations in two separate campaigns, using backdoors called Solar and Mango, delivered through spear-phishing emails and a compromised website, to collect sensitive information; the campaigns highlight the group's ongoing activity and evolving tactics.
At a glance
- Israeli organizations targeted by OilRig in 2021 and 2022
- Campaigns named Outer Space and Juicy Mix
- Backdoors called Solar and Mango used to collect sensitive information
- Backdoors deployed through VBS droppers likely spread via spear-phishing emails
- OilRig affiliated with Iran’s Ministry of Intelligence and Security (MOIS)
The details
Israeli organizations were targeted in two separate campaigns by the Iranian nation-state actor known as OilRig in 2021 and 2022.
These campaigns, named Outer Space and Juicy Mix, utilized backdoors called Solar and Mango.
These backdoors were used to collect sensitive information from major browsers and the Windows Credential Manager.
The backdoors were deployed through VBS droppers, which were likely spread via spear-phishing emails.
OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
The group has been active since 2014.
OilRig has used various tools to carry out information theft and has demonstrated flexibility in creating new malware.
The group has previously used SideTwist in a phishing attack targeting U.S. businesses.
Mango malware was identified by ESET and Microsoft in May 2023 and is associated with an activity cluster tracked as Storm-0133.
This cluster exclusively targets Israeli local government agencies and companies in the defense, lodging, and healthcare sectors.
OilRig continues to focus on Israel and uses spear-phishing lures to trick targets into installing the malware through booby-trapped attachments.
In the Outer Space campaign, OilRig compromised an Israeli human resources site and used it as a command-and-control server for the Solar backdoor.
Solar is a powerful tool capable of downloading and executing files, gathering information, and deploying additional tools such as SampleCheck5000 and MKG.
The Juicy Mix campaign utilized an improved version of Solar called Mango, incorporating additional capabilities and obfuscation methods.
OilRig deploys custom post-compromise tools to collect credentials, cookies, and browsing history from major browsers and the Windows Credential Manager.
These attacks highlight the ongoing activities and evolving tactics of the OilRig group, which has a persistent focus on Israel.
It is crucial for organizations to remain vigilant against spear-phishing attempts and ensure robust security measures to protect sensitive information.
Article X-ray
Here are all the sources used to create this article:
This section links each of the article’s facts back to its original source.
If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.
Source: thehackernews.com
- Israeli organizations were targeted in two separate campaigns by the Iranian nation-state actor known as OilRig in 2021 and 2022.
- The campaigns, named Outer Space and Juicy Mix, utilized backdoors called Solar and Mango to collect sensitive information from major browsers and the Windows Credential Manager.
- The backdoors were deployed through VBS droppers, likely spread via spear-phishing emails.
- OilRig, also known as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, is affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since 2014.
- OilRig has used various tools to carry out information theft and has demonstrated flexibility in creating new malware.
- The group has previously used SideTwist in a phishing attack targeting U.S. businesses.
- Mango malware was previously identified by ESET and Microsoft in May 2023 and is associated with an activity cluster called Storm-0133, which exclusively targets Israeli local government agencies and companies in the defense, lodging, and healthcare sectors.
- OilRig continues to focus on Israel and uses spear-phishing lures to trick targets into installing the malware through booby-trapped attachments.
- In the Outer Space campaign, OilRig compromised an Israeli human resources site and used it as a command-and-control server for the Solar backdoor.
- Solar is capable of downloading and executing files, gathering information, and deploying additional tools such as SampleCheck5000 and MKG.
- The Juicy Mix campaign utilized an improved version of Solar called Mango, which incorporated additional capabilities and obfuscation methods.
- OilRig deploys custom post-compromise tools to collect credentials, cookies, and browsing history from major browsers and the Windows Credential Manager.