Adversaries from the OilRig campaign may use custom malware to establish persistence and exfiltrate data, leveraging low-severity indicators that require proactive hunting in Azure Sentinel. SOC teams should actively investigate these behaviors to identify and mitigate potential long-term compromise within their environment.
YARA Rule
rule OilRig_Malware_Campaign_Mal2
{
meta:
description = "Detects malware from OilRig Campaign"
author = "Florian Roth"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
strings:
$x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
$x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$x3 = "mailto:[email protected]" fullword wide
$x4 = "mailto:[email protected]" fullword wide
$x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii
$x6 = "2dy53My5vcmcvMjAw" fullword wide /* base64 encoded string 'w.w3.org/200' */
condition:
( uint16(0) == 0xcfd0 and filesize < 200KB and 1 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: Legitimate scheduled job running oilrig.exe as part of a backup or maintenance task
Filter/Exclusion: Check process parent process and command line arguments. Exclude processes with parent process schtasks.exe and command line containing /backup or /maintenance.
Scenario: System update or patching tool using a similar name to OilRig malware (e.g., oilrig-updater.exe)
Filter/Exclusion: Exclude processes where the file path contains C:\Windows\System32\ or C:\Windows\Temp\ and the process is initiated by wuauclt.exe or msiexec.exe.
Scenario: Admin task using a legitimate tool with a similar name (e.g., oilrig-utility.exe) for network monitoring
Filter/Exclusion: Exclude processes where the file path contains C:\Program Files\ and the process is initiated by task scheduler with a known legitimate task name (e.g., NetworkMonitorTask).
Scenario: False positive from a security tool or endpoint protection software that uses a similar name for its own components
Filter/Exclusion: Exclude processes where the file path contains C:\Program Files\EndpointProtection\ or C:\Program Files\Antivirus\ and the process is initiated by a known security tool (e.g., McAfee, Kaspersky).
Scenario: Legitimate script or tool used by developers for testing or penetration testing with a similar name
Filter/Exclusion: Exclude processes where the user is a developer or part of the security team, and the file path contains C:\DevTools\ or C:\PenTest\. Use user-based filtering to exclude known internal testing accounts.