Pulse name: Iranian threat agent OilRig delivers digitally signed malware, impersonates University of Oxford
WHITE OilRig AlienVault 2017-01-05 Modified: 2018-09-17
Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN web portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate. Based on VirusTotal uploads, the content of malicious documents, and known victims, other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.
Indicators of Compromise (93)
TYPE INDICATOR DESCRIPTION CREATED
domain gaccountservices.com 2017-01-05
domain acount-google.ml 2017-01-05
domain main-google-resolver.com 2017-01-05
domain it-service.in 2017-01-05
domain tecsupport.in 2017-01-05
domain supportvpn.net 2017-01-05
domain updater.li 2017-01-05
domain update-kernal.net 2017-01-05
domain technical-google.com 2017-01-05
domain kernel.ws 2017-01-05
domain googlednsupdate.tk 2017-01-05
domain shellexperiencehost.in 2017-01-05
domain oxford-careers.com 2017-01-05
domain admin-supporter.com 2017-01-05
domain dnsupdateservers.net 2017-01-05
domain oxford-employee.com 2017-01-05
domain vodafoneco.com 2017-01-05
domain hell-tec.in 2017-01-05
domain malamvpn.com 2017-01-05
domain check-system.org 2017-01-05
domain microsoft-kernels-pdate.net 2017-01-05
domain net-support.info 2017-01-05
domain oxford.in 2017-01-05
domain check-updater.org 2017-01-05
domain kernel-update.com 2017-01-05
domain liuedu-lb.in 2017-01-05
domain outlookteam.live 2017-01-05
domain taldor.org 2017-01-05
domain accountsupportteam.com 2017-01-05
domain upgradesystems.info 2017-01-05
domain oxford-symposia.com 2017-01-05
domain updateorg.com 2017-01-05
domain googleupdate.download 2017-01-05
domain dns-bind9.com 2017-01-05
hostname ns2.sys-update.com 2017-01-05
hostname ns1.shalaghlagh.tk 2017-01-05
hostname app.microsoftupdate.mom 2017-01-05
hostname www.googleaccountsservices.com 2017-01-05
hostname www.windows-dns-resolver.org 2017-01-05
hostname ns1.winodwsupdates.me 2017-01-05
hostname f83zx-138iklspool-arp.googleaccountsservices.com 2017-01-05
hostname 9660d0a.winodwsupdates.me 2017-01-05
hostname ns2.dnsrecordsolver.tk 2017-01-05
hostname ns1.windows-dns-resolver.org 2017-01-05
hostname ns2.winodwsupdates.me 2017-01-05
hostname ns11.windows-dns-resolver.org 2017-01-05
hostname ns2.microsoftupdate.mom 2017-01-05
hostname ns1.microsoftupdate.mom 2017-01-05
hostname ns2.shalaghlagh.tk 2017-01-05
hostname 138iklspool-arp.googleaccountsservices.com 2017-01-05
hostname zzs00000tdy30.egoogle.org 2017-01-05
hostname ns1.dnsrecordsolver.tk 2017-01-05
hostname ns2.windows-dns-resolver.org 2017-01-05
hostname ns2.egoogle.org 2017-01-05
hostname nsn1.winodwsupdates.me 2017-01-05
hostname ns2.applicationframehost.in 2017-01-05
hostname ns1.egoogle.org 2017-01-05
hostname www.microsoftupdate.mom 2017-01-05
hostname ns1.applicationframehost.in 2017-01-05
hostname www.winodwsupdates.me 2017-01-05
hostname 87pqxz159.dockerjsbin.com 2017-01-05
FileHash-MD5 1c23b3f11f933d98febfd5a92eb5c715 2017-01-05
FileHash-MD5 0235605e4795208724409e1626c6117c 2017-01-05
FileHash-MD5 5713c3c01067c91771ac70e193ef5419 2017-01-05
FileHash-MD5 6a65d762fb548d2dc56cfde4842a4d3c 2017-01-05
FileHash-MD5 0302e72fafd6fa8143943fdf2efc592d 2017-01-05
FileHash-MD5 0bf3cf83ac7d83d6943afd02c28d286a 2017-01-05
FileHash-MD5 456a45b59a7588294cf25a5cab4a9821 2017-01-05
FileHash-MD5 72e046753f0496140b4aa389aee2e300 2017-01-05
FileHash-MD5 197c018922237828683783654d3c632a 2017-01-05
FileHash-MD5 1792cdd0c5397ff5df445d73276d1a50 2017-01-05
FileHash-MD5 3a5fcba80c1fd685c4b5085d9d474118 2017-01-05
FileHash-MD5 262bc259682cb48ce66a80dcc9a5d587 2017-01-05
FileHash-MD5 20b8dc0f4f5758afdaf442bad3552bf5 2017-01-05
FileHash-MD5 f76443385fef159e6b73ad6bf7f086d6 2017-01-05
FileHash-MD5 f77ee804de304f7c3ea6b87824684b33 2017-01-05
FileHash-MD5 7528c387f853d96420cf7e20f2ad1d32 2017-01-05
FileHash-MD5 adb1e854b0a713f6ffd3eace6431c81d 2017-01-05
FileHash-MD5 bd7d2efdb2a0f352c4b74f2b82e3c7bc 2017-01-05
FileHash-MD5 d50ab63f4034c6f5eb356e3326320e66 2017-01-05
FileHash-MD5 f8ce7e356e09de6a48dca9e51421b6f6 2017-01-05
FileHash-MD5 cd46960e865dc06596a1b68be427ac7a 2017-01-05
FileHash-MD5 bdafd1fb08d5ed0073b3c0605e1e4581 2017-01-05
email megandoherty@teleworm.us 2017-01-05
email zak.s.whittaker@gmail.com 2017-01-05
email masha.sharon@inbox.ru 2017-01-05
email ranjan1984rajiv@gmail.com 2017-01-05
email nism2020@yandex.com 2017-01-05
email sara.patrik@chmail.ir 2017-01-05
email javamaker@inbox.ru 2017-01-05
email zack.patrik@mail.com 2017-01-05
email jason.hasaki@hotmail.com 2017-01-05
email salim.ahmed.alqahtani@mail.ru 2017-01-05