The OilRig Campaign, so named by Palo Alto Networks because the Persian word for oily—“nafti”—was hardcoded into a number of the malware samples analyzed, consists of two attack waves against Saudi Arabian organizations beginning in late 2015. The campaign has been seen targeting financial institutions and technology organizations, as well as the defense industry. The malware used in the OilRig Campaign is the Helminth backdoor Trojan.
Earlier attacks in this campaign infected victims using Windows executables disguised as fake job offers, followed by a malware dropper called HerHer.
Recently, another wave of OilRig attacks used spear-phishing emails with Excel spreadsheet attachments. Malicious macros within the spreadsheets download the Helminth script, which consists of a VB script and a PowerShell script. Both of these scripts are responsible for continuous communication with the malware's C2 servers.
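The delivery step above hinges on a spreadsheet attachment that carries a VBA project. As an added example (not ThreatSTOP's or Palo Alto Networks' code), the Python below triages spreadsheet attachments on a mail gateway or in a sandbox: it detects a VBA project in OOXML workbooks (`xl/vbaProject.bin` inside the zip container) and uses a string heuristic for legacy OLE2 `.xls` files, so macro-bearing attachments can be quarantined before a user is tempted to enable content. The sample files are constructed in-memory stand-ins, not real workbooks or OilRig samples, and the `classify_attachment` helper and its labels are this example's own.

```python
"""Triage spreadsheet attachments for embedded VBA macro projects.

Added example, not ThreatSTOP's or Palo Alto Networks' code. It flags
Excel files that carry a VBA project, the delivery mechanism described
for the second OilRig wave, so they can be quarantined or sandboxed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .xlsx/.xlsm (zip container)

# Directory entry names inside an OLE2 file are stored as UTF-16LE, so the
# VBA storage names are searched for in that encoding. This is a heuristic
# (no full OLE parser); a proper parser such as oletools gives a firm answer.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML workbook contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return "xl/vbaproject.bin" in names


def ole_has_macros(data: bytes) -> bool:
    """Heuristic for legacy .xls: look for VBA storage names in the OLE directory."""
    return any(marker in data for marker in OLE_VBA_MARKERS)


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-macro', 'ole-clean' or 'not-excel'.

    Hypothetical label set for this example; map it onto whatever the
    mail gateway or sandbox uses to quarantine or detonate an attachment.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if ooxml_has_macros(data) else "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        return "ole-macro" if ole_has_macros(data) else "ole-clean"
    return "not-excel"


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip for demonstration (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .xls: OLE magic plus a fake directory name."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 64


if __name__ == "__main__":
    for label, sample in (
        ("xlsm with macro", build_ooxml_sample(True)),
        ("xlsx without macro", build_ooxml_sample(False)),
        ("xls with macro", build_ole_sample(True)),
        ("xls without macro", build_ole_sample(False)),
        ("pdf", b"%PDF-1.4"),
    ):
        print(f"{label:20s} -> {classify_attachment(sample)}")
```

The OOXML check is exact because the VBA project is always stored as a separate zip part; the OLE check is only a screen, so an `ole-clean` result on a legacy `.xls` still deserves a real parser or detonation before release.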
ThreatSTOP customers are protected against the OilRig Campaign and the HerHer and Helminth malware.