OilRig APT Escalates Cyber Espionage with Windows Kernel Exploits and Persistent Attacks


Threat Group: OilRig (APT34, Earth Simnavaz, Crambus, Cobalt Gypsy, GreenBug, Helix Kitten, Hazel Sandstorm)
Threat Type: Cyberespionage
Exploited Vulnerabilities: CVE-2024-30088 (Windows Kernel Privilege Escalation), Microsoft Exchange Web Services
Malware Used: Menorah, STEALHOOK, SC5k, OilCheck, ODAgent, OilBooster
Threat Score: High (8.5/10) — Exploitation of advanced kernel vulnerabilities and widespread espionage activities targeting key geopolitical entities.
Last Threat Observation: October 2024


Overview

OilRig, also referred to as Earth Simnavaz or APT34, is an Iranian cyberespionage group that has been active since 2014. The group is known for highly advanced and persistent campaigns targeting organizations in the Middle East. Recently, OilRig has been exploiting a Windows Kernel vulnerability (CVE-2024-30088) to gain SYSTEM privileges and infiltrate governmental, industrial, and critical infrastructure entities across the U.A.E. and the Gulf.

Their campaigns often revolve around exploiting Microsoft Exchange servers to steal credentials and use them for long-term persistence within networks. These credentials are later leveraged for deeper penetration, allowing the attackers to exfiltrate sensitive information.


Key Details

  • Delivery Method:
    Initial access is typically achieved through compromised web servers, followed by the deployment of web shells and persistence mechanisms (e.g., ngrok for secure tunnels). A privilege escalation exploit (CVE-2024-30088) is then used to gain SYSTEM-level access.
  • Target:
    Key targets include government organizations, critical infrastructure, and high-value businesses in the Middle East.
  • Functions:
    • STEALHOOK: A backdoor used to steal credentials from on-premises Exchange servers.
    • psgfilter.dll: A malicious password filter used to intercept credentials from domain controllers.
    • Menorah: A malware strain that executes shell commands and exfiltrates files.
    • DULLDROP/DULLOAD: PowerShell and .NET-based downloaders designed for persistence and data theft.
  • Obfuscation Techniques:
    The group utilizes legitimate services like Microsoft Exchange for C2 communications and hides malicious activity within regular network traffic, making detection more difficult.

Attack Vectors

  • Privilege Escalation (CVE-2024-30088):
    OilRig exploits a race condition vulnerability in the Windows Kernel, enabling them to escalate privileges to SYSTEM level on targeted machines. This vulnerability affects multiple versions of Windows 10 and 11 and has been widely exploited by OilRig since its disclosure.
  • Credential Theft via Exchange:
    The STEALHOOK backdoor is used to exfiltrate credentials from Microsoft Exchange servers. These credentials are later used to access other endpoints within the network.
  • Persistence:
    OilRig often leverages the legitimate ngrok tool to create tunnels between compromised systems and their C2 infrastructure that blend in with normal outbound traffic, bypassing traditional perimeter controls.

Known Indicators of Compromise (IoCs)

File Hashes (SHA-256)


Mitigation and Prevention

  1. Patch Management:
    Ensure that CVE-2024-30088 and other known vulnerabilities are patched across all systems, especially Windows and Microsoft Exchange servers.
  2. Network Monitoring:
    Monitor network traffic for abnormal use of Exchange servers and potential use of ngrok for tunneling, as well as unexpected registry modifications.
  3. User Awareness and Training:
    Conduct phishing awareness campaigns, as spear-phishing remains a primary vector for initial access in OilRig campaigns.
  4. Endpoint Detection:
    Deploy EDR solutions to detect and block file hashes associated with OilRig’s malware, such as STEALHOOK, Menorah, and DULLOAD.
  5. Privilege Management:
    Restrict access to critical systems and ensure that least-privilege principles are applied to minimize the impact of successful exploits.
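The following PowerShell audit script is an added example, not part of the advisory or any vendor tooling. It checks two of the persistence items named above on a Windows host: password filter DLLs registered in LSA's Notification Packages (the mechanism a malicious filter such as psgfilter.dll would use on a domain controller) and running processes or services that reference ngrok. The expected-package baseline and the host it runs on are assumptions; extend the baseline with any legitimate filters your environment deploys.

```powershell
# Added example (not from the advisory). Assumes it runs elevated on a
# Windows host (ideally a domain controller) with PowerShell 5.1 or later.
# Default password-filter packages: 'scecli' on all hosts, 'rassfm' on DCs.
# Assumed baseline; add any known-good third-party filters before use.
$expectedPackages = @('scecli', 'rassfm')

function Get-UnexpectedNotificationPackages {
    # LSASS loads each listed package as <name>.dll from System32 and calls
    # it with every plaintext password change, which is why it is abused.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    foreach ($pkg in $packages) {
        if ($expectedPackages -notcontains $pkg.ToLower()) {
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            [pscustomobject]@{
                Package = $pkg
                Path    = $dll
                Exists  = Test-Path $dll
                # Hash lets you compare against vendor IoC lists
                Sha256  = if (Test-Path $dll) { (Get-FileHash -Algorithm SHA256 $dll).Hash } else { $null }
            }
        }
    }
}

function Get-NgrokIndicators {
    # ngrok may be renamed, so match on command line and service path,
    # not only on the process image name.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match 'ngrok' -or $_.CommandLine -match 'ngrok' } |
        Select-Object ProcessId, Name, CommandLine
    $svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'ngrok' } |
        Select-Object Name, PathName, State
    [pscustomobject]@{ Processes = @($procs); Services = @($svcs) }
}

# Report: any row from the first call and any non-empty list from the
# second warrants investigation on a domain controller.
Get-UnexpectedNotificationPackages | Format-Table -AutoSize
Get-NgrokIndicators | Format-List
```

Any unexpected package entry should be treated as a credential-theft finding until the DLL is identified, since a filter receives every password change in clear text.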

Conclusion

OilRig’s recent campaigns show increasing sophistication in exploiting vulnerabilities and deploying highly targeted malware. Organizations in the Middle East, particularly those using Microsoft Exchange, must remain vigilant. Regular patching, combined with strong monitoring practices and user training, will mitigate the risks posed by this persistent threat group.


Sources