OilRig’s persistent attacks using cloud service-powered downloaders

ESET analyzed a set of OilRig (APT34) downloaders—SC5k (v1–v3), OilCheck, ODAgent, and OilBooster—that use legitimate Microsoft cloud APIs (OneDrive, Outlook Graph, and Exchange EWS) for bidirectional C2 and exfiltration, reusing shared attacker-controlled accounts across multiple Israeli victims. The tools use victim-specific IDs, simple XOR/base64/gzip obfuscation, and token/fallback mechanisms to retrieve commands, stage payloads, execute commands, and upload results. #OilRig #SC5k

Keypoints

  • OilRig deployed multiple lightweight downloaders in 2022 (SC5k v1–v3, OilCheck, ODAgent, OilBooster) that misuse Microsoft cloud APIs for C2 and exfiltration.
  • SC5k variants use Exchange EWS and draft messages (with extended properties or forged From fields) to exchange commands, payloads, keep-alives, and exfiltrated files in a shared mailbox.
  • OilCheck and ODAgent use Microsoft Graph APIs; OilBooster uses Graph to interact with a shared OneDrive account organized into victim-specific subdirectories.
  • Victim identification is embedded in messages or OneDrive paths as a derived from host/system data, allowing a single cloud account to serve multiple victims.
  • Commands/payloads are protected using base64, XOR, and gzip; downloaders decrypt/decompress, execute (cmd.exe, CreateProcessW, or custom interpreters), then upload outputs as disguised file types (.xls/.xlsx or draft attachments).
  • OilBooster retrieves OAuth2 tokens via hardcoded credentials and supports a fallback C2 (host1[.]com) to obtain a new refresh token after repeated failures.
  • The tools are noisy but effective — they delete processed remote artifacts, clear local staging after exfiltration, and iteratively poll cloud storage for new tasks.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – OilRig registered a domain for C2 communications (‘OilRig has registered a domain for use in C&C communications.’)
  • [T1583.004] Acquire Infrastructure: Server – Backup server used as fallback C2 for OilBooster (‘OilRig has acquired a server to be used as a backup channel for the OilBooster downloader.’)
  • [T1583.006] Acquire Infrastructure: Web Services – Use of OneDrive/Outlook/Exchange accounts for C2 (‘OilRig has set up Microsoft Office 365 OneDrive and Outlook accounts… for use in C&C communications.’)
  • [T1587.001] Develop Capabilities: Malware – Continued development of custom downloaders (SC5k, OilCheck, ODAgent, OilBooster) (‘OilRig has developed a variety of custom downloaders…’)
  • [T1585.003] Establish Accounts: Cloud Accounts – Creation of OneDrive accounts for C2 (‘OilRig operators have created new OneDrive accounts for use in their C&C communications.’)
  • [T1585.002] Establish Accounts: Email Accounts – Registration of Outlook/email accounts for C2 (‘OilRig operators have registered new Outlook… email addresses for use in their C&C communications.’)
  • [T1608] Stage Capabilities – Staging malicious components and backdoor commands in cloud accounts (‘OilRig operators have staged malicious components and backdoor commands in legitimate Microsoft Office 365 OneDrive and Outlook…’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – SC5k v1/v2 use cmd.exe to run commands (‘SC5k v1 and v2 use cmd.exe to execute commands on the compromised host.’)
  • [T1106] Native API – OilBooster uses CreateProcessW for executing downloaded commands (‘OilBooster uses the CreateProcessW API functions for execution.’)
  • [T1140] Deobfuscate/Decode Files or Information – Use of XOR and decoding to obfuscate strings and data (‘OilRig’s downloaders use string stacking to obfuscate embedded strings, and the XOR cipher to encrypt backdoor commands and payloads.’)
  • [T1480] Execution Guardrails – OilBooster requires a command-line argument to run (‘OilRig’s OilBooster requires an arbitrary command line argument to execute the malicious payload.’)
  • [T1564.003] Hide Artifacts: Hidden Window – OilBooster hides its console window at start (‘Upon execution, OilBooster hides its console window.’)
  • [T1070.004] Indicator Removal: File Deletion – Deleting remote drafts/files after processing and local staging cleanup (‘downloaders delete local files after a successful exfiltration, and delete files or email drafts from the remote cloud service account after these have been processed’)
  • [T1202] Indirect Command Execution – Use of custom command interpreters in SC5k v3 and OilCheck (‘SC5k v3 and OilCheck use custom command interpreters to execute files and commands on the compromised system.’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – OilBooster mimics legitimate paths and file types (e.g., .doc/.xls) (‘OilBooster mimics legitimate paths.’)
  • [T1027] Obfuscated Files or Information – Various obfuscation techniques used in downloaders (‘OilRig has used various methods to obfuscate strings and payloads embedded in its downloaders.’)
  • [T1082] System Information Discovery – Downloaders obtain the compromised computer name (‘OilRig’s downloaders obtain the compromised computer name.’)
  • [T1033] System Owner/User Discovery – Downloaders obtain the victim’s username (‘OilRig’s downloaders obtain the victim’s username.’)
  • [T1560.003] Archive Collected Data: Archive via Custom Method – Gzip compression used before exfiltration (‘OilRig’s downloaders gzip compress data before exfiltration.’)
  • [T1074.001] Data Staged: Local Data Staging – Use of local staging directories for collected files (‘OilRig’s downloaders create central staging directories for use by other OilRig tools and commands.’)
  • [T1132.001] Data Encoding: Standard Encoding – Base64 encoding used in communication (‘OilRig’s downloaders base64 decode data before sending it to the C&C server.’)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – XOR cipher used in C2 and payload protection (‘OilRig’s downloaders use the XOR cipher to encrypt data in C&C communication.’)
  • [T1008] Fallback Channels – OilBooster contacts fallback host to request a new refresh token (‘OilBooster can use a secondary channel to obtain a new refresh token to access the shared OneDrive account.’)
  • [T1105] Ingress Tool Transfer – Downloaders fetch additional payloads from cloud accounts for local execution (‘downloaders have the capability to download additional files from the C&C server for local execution.’)
  • [T1102.002] Web Service: Bidirectional Communication – Use of legitimate cloud services for two-way C2 and exfiltration (‘downloaders use legitimate cloud service providers for C&C communication.’)
  • [T1020] Automated Exfiltration – Automated upload of staged files to cloud accounts (‘downloaders automatically exfiltrate staged files to the C&C server.’)
  • [T1041] Exfiltration Over C2 Channel – Exfiltration piggybacks on same C2 channels (‘downloaders use their C&C channels for exfiltration.’)
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – OilBooster/ODAgent exfiltrate to OneDrive (‘OilBooster and ODAgent exfiltrate data to shared OneDrive accounts.’)
  • [T1567] Exfiltration Over Web Service – SC5k and OilCheck exfiltrate via Exchange/Outlook mail (‘SC5k and OilCheck exfiltrate data to shared Exchange and Outlook accounts.’)

Indicators of Compromise

  • [File hashes] Malware samples – 0F164894DC7D8256B66D0EBAA7AFEDCF5462F881, 1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E, and 19 more hashes (SC5k, OilBooster, OilCheck, ODAgent samples).
  • [Filenames] Binary names observed – ODAgent.exe, consoleapp.exe (used by ODAgent and OilBooster respectively).
  • [Email addresses] Attacker/sharing accounts – [email protected], [email protected] (used as shared Exchange/Outlook C2 addresses).
  • [Domain] Fallback C2 host – host1[.]com (used to deliver new refresh token to OilBooster).
  • [IP] Hosting/fallback server – 188.114.96[.]2 (host1[.]com, Cloudflare fronted IP associated with fallback C2).

OilRig’s cloud-powered downloaders implement a predictable technical flow: establish access to a shared attacker-controlled cloud account (Exchange/Outlook via EWS or Graph, or OneDrive via Graph), identify the victim using a generated identifier (host/username or volume/computer-name based), poll the shared location for operator-staged items, and upload results into victim-specific folders or drafts. SC5k variants use Exchange EWS and encode victim identification into draft extended properties or the forged From field; they distinguish message types by file extension, MailItem.Categories, or extended properties, decrypt attachments (XOR + gzip or base64 + XOR), execute commands via cmd.exe or a loaded custom interpreter, then gzip/XOR the outputs and create drafts to exfiltrate. OilCheck and ODAgent follow a similar pattern via Microsoft Graph; ODAgent uses the MIME type to differentiate JSON command files from encrypted payload blobs, deriving session keys by XORing provided secrets with hardcoded values and supporting limited backdoor commands (e.g., run command, set delay, return working directory).
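The flow above (token request, steady polling of a shared cloud location by a non-standard binary, fallback host) is what a defender can look for in per-process network telemetry. The following is an added example, not ESET's code or any of the tools described: it scans constructed, tab-separated telemetry lines and flags (a) processes outside an assumed allowlist reaching Graph, EWS or the OAuth token endpoint, (b) steady-cadence polling of one cloud path, and (c) contact with the fallback endpoint host1[.]com/rt.ovf named in the report. The field layout, process allowlist, thresholds and the Graph paths in the sample lines are assumptions.

```python
"""Heuristic detection of the cloud-API C2 pattern described above (added example)."""
from collections import defaultdict
from datetime import datetime

# Microsoft endpoints the report says the downloaders use (real hostnames).
CLOUD_C2_HOSTS = {
    "graph.microsoft.com": "graph",
    "outlook.office365.com": "ews",
    "login.microsoftonline.com": "oauth-token",
}
# Fallback refresh-token endpoint given in the report (defanged there as host1[.]com/rt.ovf).
FALLBACK_HOST, FALLBACK_PATH = "host1.com", "/rt.ovf"
# Binaries expected to reach these endpoints in a normal estate (assumed allowlist).
EXPECTED_PROCESSES = {
    "outlook.exe", "onedrive.exe", "teams.exe", "excel.exe", "winword.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}
MIN_POLLS = 4          # connections to the same path before cadence is judged
MAX_JITTER_SEC = 5.0   # interval spread at or below this counts as steady polling

# Constructed sample telemetry: timestamp<TAB>host<TAB>process<TAB>dst_host<TAB>path
SAMPLE_LINES = """\
2022-03-01T10:00:00Z\tWS01\toutlook.exe\toutlook.office365.com\t/EWS/Exchange.asmx
2022-03-01T10:00:05Z\tWS01\tconsoleapp.exe\tlogin.microsoftonline.com\t/common/oauth2/v2.0/token
2022-03-01T10:00:06Z\tWS01\tconsoleapp.exe\tgraph.microsoft.com\t/v1.0/me/drive/root:/WS01-alice:/children
2022-03-01T10:01:06Z\tWS01\tconsoleapp.exe\tgraph.microsoft.com\t/v1.0/me/drive/root:/WS01-alice:/children
2022-03-01T10:02:07Z\tWS01\tconsoleapp.exe\tgraph.microsoft.com\t/v1.0/me/drive/root:/WS01-alice:/children
2022-03-01T10:03:06Z\tWS01\tconsoleapp.exe\tgraph.microsoft.com\t/v1.0/me/drive/root:/WS01-alice:/children
2022-03-01T10:04:07Z\tWS01\tconsoleapp.exe\tgraph.microsoft.com\t/v1.0/me/drive/root:/WS01-alice:/children
2022-03-01T10:04:30Z\tWS01\tconsoleapp.exe\thost1.com\t/rt.ovf
2022-03-01T10:05:00Z\tWS01\tmsedge.exe\tgraph.microsoft.com\t/v1.0/me/messages
2022-03-01T10:06:00Z\tWS01\tmsedge.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
"""


def parse(lines):
    """Turn the tab-separated text into event dicts; blank lines are skipped."""
    events = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ts, host, proc, dst, path = raw.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc.lower(), "dst": dst.lower(), "path": path,
        })
    return events


def analyze(lines):
    """Return a list of alert dicts for the three heuristics described in the lead-in."""
    alerts = []
    flagged = set()             # (host, proc, dst) already reported as unexpected
    polls = defaultdict(list)   # (host, proc, dst, path) -> timestamps
    for e in parse(lines):
        if e["dst"] == FALLBACK_HOST and e["path"] == FALLBACK_PATH:
            alerts.append({"rule": "fallback-ioc", "host": e["host"], "proc": e["proc"],
                           "dst": e["dst"], "path": e["path"]})
            continue
        api = CLOUD_C2_HOSTS.get(e["dst"])
        if api is None:
            continue
        key = (e["host"], e["proc"], e["dst"])
        if e["proc"] not in EXPECTED_PROCESSES and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "unexpected-process", "host": e["host"], "proc": e["proc"],
                           "dst": e["dst"], "api": api})
        polls[key + (e["path"],)].append(e["ts"])
    for (host, proc, dst, path), stamps in polls.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= MAX_JITTER_SEC:
            alerts.append({"rule": "steady-polling", "host": host, "proc": proc, "dst": dst,
                           "path": path, "count": len(stamps),
                           "interval_sec": sum(gaps) / len(gaps)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Only the consoleapp.exe activity is reported: the Outlook and Edge connections to the same endpoints stay silent because the binaries are on the allowlist and do not poll. In production, the allowlist should be built from the estate's own baseline and the cadence check run over a longer window than the sixty-second interval used in this sample.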

OilBooster operates as a multithreaded OneDrive downloader/exfiltrator: it forms a victim identifier as hostname-username, creates a victim-specific OneDrive directory, and repeatedly lists .doc/.docx files in /items for commands (.doc = JSON with encrypted command using per-file key) and payloads (.docx = encrypted+gzipped staged payloads). Commands are decrypted (base64 then XOR using a key derived from file metadata), executed (CreateProcessW), and results uploaded as .xls files after gzip+XOR; local staging files are compressed, XOR-encrypted using the original extension as key (default 4cx if none), uploaded as .xlsx, then deleted. OilBooster authenticates with hardcoded OAuth client/secret/refresh token flows against login.microsoftonline.com and implements a fallback HTTP endpoint (host1[.]com/rt.ovf) to fetch a new refresh token after repeated failures.
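For triage of artifacts recovered from such a shared OneDrive folder, the reversible layers the paragraph names (base64, XOR, gzip) and the extension-based signalling can be turned into a small decoder. The block below is an added example written for this summary, not ESET's code and not the malware's: it classifies a remote file name by the .doc/.docx/.xls/.xlsx convention, derives the exfiltration key from a staged file's original extension with the documented "4cx" default, and unwraps the two layerings. Assumptions, beyond what the page states: the XOR is a repeating-key XOR, the per-file command key and the result key are supplied by the caller rather than derived from metadata, and the JSON field name "cmd" is invented for the demo. The sample artifacts are constructed inline by round-tripping through the same layers.

```python
"""Triage helpers for the .doc/.docx/.xls/.xlsx signalling and encoding layers (added example)."""
import base64
import gzip
import json
from itertools import cycle

DEFAULT_EXFIL_KEY = b"4cx"   # default XOR key the report gives for staged files without an extension

# Role of a file in the shared OneDrive folder, keyed by its disguised extension.
ARTIFACT_KINDS = {
    ".doc": "command",         # operator -> victim: JSON wrapping an encrypted command
    ".docx": "payload",        # operator -> victim: encrypted + gzipped staged payload
    ".xls": "command-output",  # victim -> operator: gzip + XOR command results
    ".xlsx": "exfil-file",     # victim -> operator: gzip + XOR local staged file
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed mode); symmetric, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def classify(remote_name: str) -> str:
    """Map a remote file name to its role by extension; anything else is 'unknown'."""
    dot = remote_name.rfind(".")
    ext = remote_name[dot:].lower() if dot != -1 else ""
    return ARTIFACT_KINDS.get(ext, "unknown")


def exfil_key_for(original_name: str) -> bytes:
    """Key for a staged file: its original extension, or '4cx' when it has none."""
    dot = original_name.rfind(".")
    if dot == -1 or dot == len(original_name) - 1:
        return DEFAULT_EXFIL_KEY
    return original_name[dot + 1:].encode()


def unwrap_command(doc_blob: bytes, key: bytes) -> str:
    """Reverse the .doc layering: JSON wrapper -> base64 -> XOR -> command text."""
    wrapper = json.loads(doc_blob)          # field name 'cmd' is an assumption
    return xor_bytes(base64.b64decode(wrapper["cmd"]), key).decode()


def unwrap_gzip_xor(blob: bytes, key: bytes) -> bytes:
    """Reverse the .xls/.xlsx layering: XOR first, then gunzip (compress-then-XOR on the way in)."""
    return gzip.decompress(xor_bytes(blob, key))


# Constructed sample data: the same layers applied forward, used only to exercise the decoders.
def make_sample_command_artifact(command: str, key: bytes) -> bytes:
    encoded = base64.b64encode(xor_bytes(command.encode(), key)).decode()
    return json.dumps({"cmd": encoded}).encode()


def make_sample_gzip_xor_artifact(data: bytes, key: bytes) -> bytes:
    return xor_bytes(gzip.compress(data), key)


def triage(remote_name: str, blob: bytes, key: bytes):
    """Classify a recovered artifact and unwrap it according to its role."""
    kind = classify(remote_name)
    if kind == "command":
        return kind, unwrap_command(blob, key)
    if kind in ("command-output", "exfil-file"):
        return kind, unwrap_gzip_xor(blob, key)
    return kind, None        # payload (.docx) key handling is not specified on the page


if __name__ == "__main__":
    k = b"k3y"
    print(triage("WS01-alice/task.doc", make_sample_command_artifact("whoami", k), k))
    staged = b"quarterly figures\n" * 20
    xkey = exfil_key_for("figures.pdf")
    print(triage("WS01-alice/out.xlsx", make_sample_gzip_xor_artifact(staged, xkey), xkey)[1][:30])
```

The `.docx` payload branch is left undecoded on purpose: the page states the payloads are encrypted and gzipped but not how their key is obtained, so the decoder reports the role and stops rather than guessing.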

Across all tools the common technical primitives are: reuse of shared cloud accounts to blend with legitimate traffic; victim-specific identifiers to multiplex many victims on one account; simple symmetric obfuscation (XOR), base64 encoding, and gzip compression to hide commands and data; file- or metadata-based signaling (extensions, MIME type, draft properties, mail categories) to indicate actions (keep-alive, payload, command, exfil); and cleanup of remote/local artifacts after processing. These behaviors enable retrieval, staging, execution, and automated exfiltration while leveraging Microsoft cloud APIs to mask C2 and data transfer. Read more: https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/