
OilRig, APT 34, Helix Kitten, Chrysene

MITRE

Alias

Twisted Kitten, APT 34, Europium, OilRig, Greenbug, Volatile Kitten, ITG13, Helix Kitten, Crambus, Cobalt Gypsy, ATK 40, Hazel Sandstorm, Chrysene, IRN2, TA452

Country

Iran

Sponsor

Unknown (assessed state-sponsored)

Motivation

Information Theft And Espionage

First Seen

2014 (2016 in the merged record)

Description

OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. This group was previously tracked under two distinct groups, APT 34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.

OilRig has 1 subgroup:
1. {{Subgroup: Greenbug, Volatile Kitten}}

OilRig seems to be closely related to {{APT 33, Elfin, Magnallium}} since at least 2017 and perhaps {{DNSpionage}}. They also seem to overlap with {{Hexane}}.

Also see {{Orangeworm}}.

Targeted
Industries

Government, Energy, Chemical, Oil And Gas, Financial, High-tech, Education, Telecommunications, Hospitality, Aviation, Private Sector

Targeted
Countries

Saudi Arabia, Bahrain, Iraq, Turkey, Pakistan, Lebanon, United Kingdom, China, Mauritius, Israel, UAE, USA, Qatar, Oman, Egypt, Azerbaijan, Kuwait, Jordan

Tools

Nautilus
RGDoor
ALMA Communicator
QUADAGENT
ISMAgent
DistTrack
GoogleDrive RAT
Jason
LongWatch
Mimikatz
MrPerfectInstaller
BONDUPDATER
POWBAT
Helminth
PICKPOCKET
Fox Panel
SpyNote RAT
WebMask
TONEDEAF
ISMDoor
ISMInjector
RDAT
Dustman
ThreeDollars
POWRUNER
Karkoff
Clayslide
DNSExfiltrator
Saitama
Living off the Land
Neuron
TwoFace
StoneDrill
WinRAR
LaZagne
TONEDEAF 2
SideTwist
DNSpionage
ZeroCleare
certutil
PsList
VALUEVAULT
OopsIE

TTP

None listed

Operations
Performed

[2012-08] Shamoon attacks (W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable. Target: Saudi Aramco and RasGas.) (https://www.symantec.com/connect/blogs/shamoon-attacks)

[2016-05] Targeted attacks against banks in the Middle East (In the first week of May 2016, FireEye's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using unique scripts not commonly seen in crimeware campaigns.) (https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) (https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/)

[2016-06] (We have identified two separate testing efforts carried out by the OilRig actors, one occurring in June and one in November of 2016. The sample set associated with each of these testing activities is rather small, but the changes made to each of the files give us a chance to understand what modifications the actor performs in an attempt to evade detection. This testing activity also suggests that the threat group responsible for the OilRig attack campaign has an organized, professional operations model that includes a testing component to the development of their tools.) (https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/)

[2016-10] (In recent weeks we've discovered that the group has been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States.) (https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/)

[2016-11] Shamoon v2 (The malware used in the recent attacks (W32.Disttrack.B) is largely unchanged from the variant used four years ago. In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year.) (https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever) (https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/) (https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/)

[2017-01] Delivers digitally signed malware, impersonates University of Oxford (In recent attacks they set up a fake VPN web portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate.) (https://www.clearskysec.com/oilrig/)

[2017-06] (In July 2017, we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks. The OilRig group developed ISMAgent as a variant of the ISMDoor Trojan. In August 2017, we found this threat group has developed yet another Trojan that they call 'Agent Injector' with the specific purpose of installing the ISMAgent backdoor. We are tracking this tool as ISMInjector.) (https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/)

[2017-07] (The web server logs on the system we examined that was compromised with the TwoFace shell gave us a glimpse into the commands the actor executed through their malware. These commands also enabled us to create a profile of the actor, specifically their intentions and the tools and techniques used to carry out their operation.) (https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/)

[2017-09] (While expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP addresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper into these potential adversary IPs revealed a much larger infrastructure used to execute the attacks.) (https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/)

[2017-11] New targeted attack in the Middle East (In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.) (https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html)

[2018-01] (On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017.) (https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/)

[2018-01] (While investigating files uploaded to a TwoFace webshell, Unit 42 discovered actors installing an Internet Information Services (IIS) backdoor that we call RGDoor. Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations, as well as one financial and one educational institution.) (https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/)

[2018-05] Technology service provider and government agency (Between May and June 2018, Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East. Based on previously observed tactics, it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks.) (https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/)

[2018-12] Shamoon v3 (After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10 in a new wave of attacks against targets in the Middle East. These latest Shamoon attacks are doubly destructive, since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware wipes the master boot record.) (https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail) (https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/)

[2019-06] (We identified three new malware families and a reappearance of PICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will examine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying their hand at Golang.) (https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html)

[2019-12] New destructive wiper ZeroCleare targets energy sector in the Middle East (https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/)

[2020-01] (Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.) (https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/)

[2020-03] Karkoff 2020: a new APT34 espionage operation involves Lebanon government (https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/)

[2020-04] (While analyzing an attack against a Middle Eastern telecommunications organization, we discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.) (https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/)
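The RDAT entry above describes commands hidden inside bitmap attachments. The Python below is an added illustration of that technique, not code from Unit 42's report or from RDAT itself: it embeds a length-prefixed command in the least significant bits of a 24-bit BMP's pixel bytes, walks the BMP header to locate and extract it, and applies a crude LSB-plane check. The marker byte, the 16-bit length prefix, the cover image and the sample command are constructed for this demo; RDAT's real encoding is not described on this page and is not reproduced.

```python
"""Toy LSB steganography over a 24-bit BMP: embed, extract, and a crude check.

Added illustration for the RDAT entry. MAGIC, the length prefix and the cover
image are invented here and do NOT reflect RDAT's real encoding.
"""
import itertools
import struct

MAGIC = b"\xC2"          # toy start-of-payload marker (assumption, not RDAT's)
SAMPLE_BYTES = 4096      # how much of the pixel array the LSB check examines


def make_bmp(width, height, pixel_fn):
    """Build an uncompressed 24-bit BMP; rows are bottom-up and padded to 4 bytes."""
    row_len = (width * 3 + 3) & ~3
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            b, g, r = pixel_fn(x, y)
            pixels += bytes((b, g, r))
        pixels += b"\x00" * (row_len - width * 3)   # row padding
    offset = 14 + 40                                # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def make_cover():
    """Constructed cover: a 64x64 pattern whose channel values are all even,
    so every pixel LSB is 0 before anything is embedded."""
    return make_bmp(64, 64, lambda x, y: (((x * 7) % 128) * 2,
                                          ((y * 5) % 128) * 2,
                                          (((x + y) * 3) % 128) * 2))


def pixel_byte_indices(bmp):
    """Yield file offsets of pixel bytes, as the BMP header describes them, skipping row padding."""
    (offset,) = struct.unpack_from("<I", bmp, 10)      # bfOffBits
    width, height = struct.unpack_from("<ii", bmp, 18)  # biWidth, biHeight
    (bpp,) = struct.unpack_from("<H", bmp, 28)          # biBitCount
    if bpp != 24:
        raise ValueError("only 24-bit BMP is handled here")
    row_len = (width * 3 + 3) & ~3
    for row in range(abs(height)):
        base = offset + row * row_len
        for i in range(width * 3):
            yield base + i


def embed(bmp, payload):
    """Write MAGIC + 16-bit length + payload into the pixel LSBs, one bit per byte."""
    body = MAGIC + struct.pack("<H", len(payload)) + payload
    bits = ((byte >> (7 - k)) & 1 for byte in body for k in range(8))
    out = bytearray(bmp)
    idx = pixel_byte_indices(bmp)
    for bit in bits:
        i = next(idx, None)
        if i is None:
            raise ValueError("cover image too small for payload")
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(bmp):
    """Recover the payload, or None if the marker is absent or the length overruns the image."""
    idx = pixel_byte_indices(bmp)

    def read(n):
        buf = bytearray()
        for _ in range(n):
            byte = 0
            for _ in range(8):
                i = next(idx, None)
                if i is None:
                    raise ValueError("image exhausted")
                byte = (byte << 1) | (bmp[i] & 1)
            buf.append(byte)
        return bytes(buf)

    try:
        if read(1) != MAGIC:
            return None
        (length,) = struct.unpack("<H", read(2))
        return read(length)
    except ValueError:
        return None


def lsb_one_ratio(bmp):
    """Fraction of 1-bits in the LSB plane over the first SAMPLE_BYTES pixel bytes."""
    idxs = list(itertools.islice(pixel_byte_indices(bmp), SAMPLE_BYTES))
    return sum(bmp[i] & 1 for i in idxs) / len(idxs)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"whoami /all")          # constructed C2 command
    print("recovered:", extract(stego))           # b'whoami /all'
    print("clean LSB ratio:", lsb_one_ratio(cover), "stego:", lsb_one_ratio(stego))
```

The ratio check only flags covers whose LSB plane is structured; a real photograph's LSB plane is already close to random, which is why LSB steganography survives casual inspection and why the embedded file is byte-for-byte the same size as the clean one. In practice the mail-based channel is the better detection surface: a host process that polls a mailbox and exchanges BMP attachments on a schedule stands out in mail-server and endpoint telemetry even when the images themselves look clean.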

[2021-01] Iran's APT34 returns with an updated arsenal (https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/)

[2022-04] APT34 targets Jordan government using new Saitama backdoor (https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/)

[2022-05] (It began with a spearphishing email to a diplomat in Jordan.) (https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt)

[2022-12] New APT34 malware targets the Middle East (https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html)

Counter
Operations

[2019-03] (In an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now published similar hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, OilRig, or HelixKitten.) (https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/) [This leak may have been the work of the CIA.]

[2019-06] (A new hacking tool believed to have been in the arsenal of Iranian state hackers has been published today online, in a Telegram channel. This new tool is named Jason and was published online earlier today in the same Telegram channel where the leaker, going by the name of Lab Dookhtegan, dumped the six other previous hacking tools.) (https://www.zdnet.com/article/new-iranian-hacking-tool-leaked-on-telegram/) [This leak may have been the work of the CIA.]
