image credit: wirestock / Freepik

Iran-Linked ‘OilRig’ Cyberattackers Target Israel’s Critical Infrastructure, Over & Over

December 14, 2023

Prolific Iranian advanced persistent threat (APT) group OilRig repeatedly targeted several Israeli organizations throughout 2022 in cyberattacks notable for leveraging a series of custom downloaders that use legitimate Microsoft cloud services for attacker communications and data exfiltration.

In the attacks, OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus or Siamesekitten) deployed four specific new downloaders, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, that were developed in the last year, adding the tools to the group’s already large arsenal of custom malware, ESET researchers revealed in a blog post published Dec. 14.

Read More on Dark Reading