OilRig Group Appears to be Sloppy

Threat Watch

Threat Watch OilRig Group Appears to be Sloppy

OilRig Group Appears to be Sloppy

A new backdoor named Poison Frog was analyzed by researchers and revealed that the threat group OilRig appeared “sloppy” in their development of it. Kaspersky came across Poison Frog while scanning their archives looking for old OilRig malware after OilRig information was shared over a Telegram channel. Kaspersky found that Poison Frog had an executable that was written in C# which dropped a PowerShell script containing a DNS and HTTP backdoor, executed the script and then deleted it. Several mistakes were made by OilRig in this malware–such as one sample not executing because a command was spelled wrong and dates within the malware was wrong.

ANALYST NOTES

This new malware from OilRig comes a year after their previous campaign was seen using the BONDUPDATER trojan as its final payload. Being vigilant in monitoring is the best way to protect companies and networks from becoming infected by malware. This malware having such flaws shows that threat groups also make mistakes. It is likely that because the malware was so old when it was found, the group has since moved on from its failure to develop a new tactic. More information can be found at: https://www.tripwire.com/state-of-security/ics-security/poison-frog-malware-samples-reveal-oilrigs-sloppiness/

Hackers for Hire: An Overview of the Unethical Services Offered on the Darknet

Intro to Threat Hunting

What is YARA? Get to know this malware research tool

Your sandbox failed. Now What? Static Analysis to the rescue!

Threat Watch

OilRig Group Appears to be Sloppy

ANALYST NOTES

Solutions

Industries

Resources

About

Contact Support

Threat Watch

OilRig Group Appears to be Sloppy

ANALYST NOTES

Subscribe to Threat Watch

Contact Support