Pulse Detail — Threat Intelligence

PULSE NAME

OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group

WHITE OilRig AlienVault 2017-07-27 Modified: 2017-08-07

IOCs

MEDIUM VOLUME

Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug. Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor.

Indicators of Compromise (34)

All domain FileHash-SHA256 URL hostname FileHash-MD5

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	adobeproduct.com	—	2017-07-27
domain	cache-service.net	—	2017-07-27
domain	chrome-dns.com	—	2017-07-27
domain	fireeyeupdate.com	—	2017-07-27
domain	level3-resolvers.net	—	2017-07-27
domain	microsoft-publisher.com	—	2017-07-27
domain	miedafire.com	—	2017-07-27
domain	mslicensecheck.com	—	2017-07-27
domain	ntpupdateserver.com	—	2017-07-27
domain	tatavpnservices.com	—	2017-07-27
FileHash-SHA256	3eb14b6705179590f0476d3d3cbd71665e7c1935ecac3df7b876edc9bd7641b6	—	2017-07-27
FileHash-SHA256	52366b9ab2eb1d77ca6719a40f4779eb302dca97a832bd447abf10512dc51ed9	—	2017-07-27
FileHash-SHA256	5ac939a5426db8614165bd8b6a02d3e8d9f167379c6ed28025bf3b37f1aea902	—	2017-07-27
FileHash-SHA256	af4d8604d0cd09b8dc01dbafc33c6d240d356cad366f9917192a2725e0121a0d	—	2017-07-27
FileHash-SHA256	bbfc05177e5e29b3c8c4ef0148969d07e6239140da5bff57473c32409e76c070	—	2017-07-27
URL	http://74.91.19.108/action2/SE9NRVxVc2Vy	—	2017-08-04
URL	http://74.91.19.108/response/SE9NRVxVc2Vy/2ae1061a-104c-44e5-a988-823618c3efd2	—	2017-08-04
URL	http://office365-management.com/updatejuly/index.txt	—	2017-08-04
URL	http://www.adobeproduct.com/ac	—	2017-08-04
hostname	0ljkxlje5lj.1.d.6552f1a5784148349bfd.msoffice365update.com	—	2017-08-04
hostname	24yl1nfou5s.3.d.6552f1a5784148349bfd.msoffice365update.com	—	2017-08-04
hostname	n.n.c.6552f1a5784148349bfd.msoffice365update.com	—	2017-08-04
hostname	ns1.msoffice365update.com	—	2017-08-04
hostname	ns1.office365-management.com	—	2017-08-04
hostname	ns1.office365-technical.info	—	2017-08-04
hostname	ns2.msoffice365update.com	—	2017-08-04
hostname	ns2.office365-technical.info	—	2017-08-04
hostname	www.adobeproduct.com	—	2017-08-04
hostname	www.msoffice365update.com	—	2017-08-04
hostname	www.office365-management.com	—	2017-08-04
hostname	www.office365-technical.info	—	2017-08-04
FileHash-MD5	1ed20a72cc85f3d806deb1b3e12c5e1d	—	2017-08-04
FileHash-MD5	6a51881ec0d10466db41ccd45c14d54e	—	2017-08-04
FileHash-MD5	da4556f1697a9a7b5a8e7b0175b8be2a	—	2017-08-04

References (3)

↗ https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/ ↗ https://pastebin.com/rnRXbitz ↗ https://twitter.com/eyalsela/status/893454958288404480