Based on open-source intelligence, the ATT&CK® Evaluations team created the scenario below from techniques seen used by OilRig in the wild. We have adapted the scenario to the tools and resources available at the time. Below are a diagram, a scenario overview, a step-by-step breakdown, and an infrastructure diagram.
This scenario follows OilRig's multi-phase approach to exfiltrating sensitive data from a targeted server. OilRig uses spearphishing to gain initial access to an administrator's workstation and deploys its SideTwist malware. Once persistence is established on the victim network, the attackers escalate privileges and move laterally onto an EWS server. Further enumeration of the EWS server leads OilRig to a SQL server storing confidential critical infrastructure data. Characteristics of this campaign include custom webshells, Windows and Microsoft 365 exploitation, and a key attacker objective of gaining control of the SQL server to steal victim files.
Phase 1: The scenario begins with the legitimate user Gosta downloading and opening a malicious Word document delivered by spearphishing. When the document is first opened, its enabled macros silently install the SideTwist backdoor on Gosta's Windows host. SideTwist communicates with a C2 server using HTTP GET and POST requests, with responses hidden in the source code of a NotFlickr page. After initial enumeration of Gosta's device, OilRig learns that the user is a member of the administrator group for an Exchange Web Server (EWS).
Phase 2: OilRig uses the SideTwist backdoor to deploy VALUEVAULT, a credential theft tool, and harvest Gosta's password. Using Gosta's stolen EWS credentials, the attackers establish a remote connection to the EWS via RDP tunneling. Once connected, OilRig deploys the TwoFace webshell on the server to reach additional resources on the network. Enumeration through TwoFace leads the attackers to a SQL server.
Phase 3: Next, OilRig uses the TwoFace webshell to download Mimikatz and dump the credentials of targeted administrators on the EWS. Using the stolen credentials of Tous, a SQL administrator, the adversary performs pass-the-hash to move laterally onto the targeted SQL server. This marks the start of the data exfiltration phase. The attackers gain persistent access to the database host through the custom RDAT backdoor, copy the database backup files, and exfiltrate them via the EWS API to an attacker-controlled mailbox.
OilRig gains initial access when user Gosta (THE BLOCK, 10.1.0.5) downloads and opens a Microsoft Word document received in a spearphishing email. Once Gosta enables the malicious macros embedded in the document, the SideTwist payload is silently dropped onto the system. The executable is initially named b.doc and is later renamed to SystemFailureReporter.exe.
OilRig then uses SideTwist to conduct initial discovery on the Windows host (THE BLOCK) and to connect to the C2 server over HTTP on port 443, with the request and response bodies XOR-encrypted (plain HTTP on the port normally used for HTTPS, so the traffic carries no TLS handshake). The attacker's C2 infrastructure consists of an HTTP server hosting a dummy NotFlickr page; commands for SideTwist are embedded between <script> tags on this page.
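The tasking channel described above, as an added example (not SideTwist's or MITRE's code): a decoy page that looks like a photo-sharing site carries one command in a script block, and the implant side locates and decodes it. SideTwist's actual encoding is not described on this page; the base64-then-XOR scheme, the repeating key and the `/*nf*/` marker that singles out the tasking block are assumptions, and the HTML is constructed.

```python
"""Recover a C2 command hidden between <script> tags of a decoy web page.

Added example for this page, not SideTwist's or MITRE's code. The decoy HTML
is constructed. SideTwist's real encoding is not described here; the
base64-then-XOR scheme, the repeating key and the '/*nf*/' marker that tells
the implant which script block carries its tasking are assumptions.
"""
import base64
import re

MARKER = "/*nf*/"        # assumed: flags the one script block that carries tasking
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: same call encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_command(command: str, key: bytes) -> str:
    """Server side: XOR the command, base64 it and wrap it in a marked script block."""
    blob = base64.b64encode(xor_bytes(command.encode(), key)).decode()
    return f"<script>{MARKER}var t='{blob}';</script>"


def extract_command(html: str, key: bytes):
    """Implant side: find the marked script block, pull the literal, reverse the encoding.

    Returns None when the page carries no tasking (an idle beacon response)."""
    for body in SCRIPT_RE.findall(html):
        if MARKER not in body:
            continue
        m = re.search(r"'([A-Za-z0-9+/=]+)'", body)
        if m:
            raw = xor_bytes(base64.b64decode(m.group(1)), key)
            return raw.decode(errors="replace")
    return None


def build_decoy_page(command: str, key: bytes) -> str:
    """Constructed decoy page: benign-looking markup plus one tasking block."""
    return (
        "<html><head><title>NotFlickr</title>"
        "<script src='/js/app.js'></script></head>"
        "<body><h1>Explore photos</h1>"
        "<script>var page = 'home';</script>"
        + encode_command(command, key) +
        "<p>No new photos.</p></body></html>"
    )


if __name__ == "__main__":
    key = b"k3y!"
    page = build_decoy_page("cmd.exe /c whoami", key)
    print(extract_command(page, key))
```

From the defender's side the useful observations are the ones the scheme cannot hide: a GET to port 443 with no TLS handshake, and a response whose only variable content is a long base64 literal inside a script block on an otherwise static page.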
Analyst Note: The document is pre-positioned in the environment. We do not emulate sending the document to target, as our focus is evaluating their product against post-initial-access TTPs.
OilRig uses SideTwist to run a string of initial enumeration commands from the command line. Specifically, the adversary enumerates the current user; system information and configuration; domain users, groups and accounts; local groups; network connections; running processes; running services; and a registry value that indicates whether RDP is enabled.
At this point, OilRig has discovered the following: the current user Gosta is a member of the EWS Admins group; an EWS server (WATERFALLS, 10.1.0.6) is present on the network and is a member of the Exchange Trusted Subsystem group; and several other administrator groups exist, including SQL Admins, of which user Tous is a member.
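The enumeration step above is a classic detection opportunity: individually each command is routine, but ten discovery categories from one parent process within a minute is not. The following added example (not MITRE's or OilRig's code) runs that logic over constructed Sysmon-style process-creation events. The parent image name (SystemFailureReporter.exe), the time window, the category threshold and the `fDenyTSConnections` registry value used as the RDP check are assumptions for illustration.

```python
"""Detect a burst of discovery commands launched by a single parent process.

Added example for this page, not code from MITRE or from OilRig tooling. The
event records are constructed Sysmon-style process-creation events (each one
is a cmd.exe launch whose parent is the implant); the parent image name, the
window size, the category threshold and the RDP registry value are assumptions.
"""
from datetime import datetime, timedelta


def normalize(cmdline: str) -> str:
    """Lower-case, drop quotes, collapse whitespace, strip a leading 'cmd.exe /c' wrapper."""
    c = " ".join(cmdline.lower().replace('"', "").split())
    for prefix in ("c:\\windows\\system32\\cmd.exe /c ", "cmd.exe /c ", "cmd /c "):
        if c.startswith(prefix):
            c = c[len(prefix):]
    return c


def classify(cmdline: str):
    """Map a command line to one of the discovery categories in the scenario, or None."""
    c = normalize(cmdline)
    if "fdenytsconnections" in c:        # assumed RDP check: value that disables RDP
        return "rdp_check"
    if c.startswith("whoami"):
        return "current_user"
    if c.startswith(("systeminfo", "hostname", "ipconfig")):
        return "system_info"
    if c.startswith("netstat"):
        return "network_connections"
    if c.startswith("tasklist"):
        return "processes"
    if c.startswith(("sc query", "net start")):
        return "services"
    if c.startswith("net localgroup"):
        return "local_groups"
    if c.startswith("net group") and "/dom" in c:
        return "domain_groups"
    if c.startswith("net user") and "/dom" in c:
        return "domain_users"
    if c.startswith("net accounts") and "/dom" in c:
        return "domain_accounts"
    return None


def find_discovery_bursts(events, min_categories=5, window=timedelta(minutes=10)):
    """One alert per (host, parent image) whose children cover at least
    min_categories distinct discovery categories inside a sliding window."""
    by_parent = {}
    for ev in events:
        cat = classify(ev["cmdline"])
        if cat is None:
            continue
        key = (ev["host"], ev["parent_image"])
        by_parent.setdefault(key, []).append((datetime.fromisoformat(ev["ts"]), cat))

    alerts = []
    for (host, parent), hits in by_parent.items():
        hits.sort()
        for i in range(len(hits)):
            cats = {hits[i][1]}
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
                cats.add(hits[j][1])
            if len(cats) >= min_categories:
                alerts.append({"host": host, "parent_image": parent,
                               "start": hits[i][0], "end": hits[j][0],
                               "categories": sorted(cats)})
                break          # one alert per parent is enough
    return alerts


IMPLANT = r"C:\Users\gosta\AppData\Local\SystemFailureReporter\SystemFailureReporter.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [   # constructed telemetry, not captured from a real host
    {"ts": "2022-03-01T09:00:05", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-03-01T09:00:09", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2022-03-01T09:00:14", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c net user /domain"},
    {"ts": "2022-03-01T09:00:20", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c net group /domain"},
    {"ts": "2022-03-01T09:00:26", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c net accounts /domain"},
    {"ts": "2022-03-01T09:00:31", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c net localgroup administrators"},
    {"ts": "2022-03-01T09:00:37", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c netstat -ano"},
    {"ts": "2022-03-01T09:00:42", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2022-03-01T09:00:48", "host": "THE BLOCK", "parent_image": IMPLANT, "cmdline": "cmd.exe /c sc query"},
    {"ts": "2022-03-01T09:00:55", "host": "THE BLOCK", "parent_image": IMPLANT,
     "cmdline": 'cmd.exe /c reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections'},
    # benign one-off admin commands from an interactive shell on another host
    {"ts": "2022-03-01T09:03:00", "host": "WATERFALLS", "parent_image": EXPLORER, "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2022-03-01T10:40:00", "host": "WATERFALLS", "parent_image": EXPLORER, "cmdline": "whoami"},
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct categories rather than raw command count keeps a help-desk script that runs `ipconfig` five times from tripping the rule, while the implant's sweep (ten categories in under a minute) fires immediately.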
To escalate privileges, OilRig uses SideTwist to download VALUEVAULT onto Gosta's device. VALUEVAULT performs low-privilege credential dumping and retrieves Gosta's plaintext password. The attackers send this data back to the C2 in obfuscated HTTP POST requests.
Using Gosta's stolen EWS credentials, OilRig installs the TwoFace webshell on the EWS for persistence. The webshell (named contact.aspx) is downloaded to Gosta's workstation via the SideTwist executable, copied to the EWS, and hidden with attrib +h. OilRig then covers its tracks by deleting TwoFace from Gosta's user directory.
OilRig uses the TwoFace webshell to perform enumeration on the EWS and discovers the SQL server (ENDOFROAD, 10.1.0.7). The webshell is first used for initial discovery: the current user, system network configuration, and system network connections. At this point, the attackers identify an open connection to the SQL server on a port commonly associated with SQL (TCP 1433 is the default for Microsoft SQL Server).
Analyst Note: TwoFace comprises two separate webshells: the first is deployed initially to save and load the second, which is the one used to run commands on the compromised server. Due to team constraints, we deployed a single webshell that can upload and download files and run commands.
OilRig uses the webshell to download Mimikatz to the EWS and dumps credentials with elevated privileges. The dumped credentials, which include those of SQL server administrator Tous, are exfiltrated back to the C2 (192.168.0.4) via the webshell. After exfiltration completes, OilRig deletes both Mimikatz and the credential dump from the directory on the EWS.
OilRig moves laterally onto the EWS through a remote port forward created with the plink command-line tool. From Gosta's workstation, plink opens an SSH connection to the attacking machine and reverse-forwards a port back to the attacker, so that RDP (TCP 3389) can be reached through the tunnel and the attacker can log on as user Gosta.
Using the credentials collected for SQL administrator Tous, the attackers move laterally to the SQL server. First, the webshell is used to download PsExec, RDAT, and a renamed copy of Mimikatz to disk.
Through the tunneled RDP session, OilRig opens an elevated command prompt and uses Tous's NTLM hash in a pass-the-hash to spawn a second shell on the EWS running as Tous. From that shell, OilRig copies the RDAT backdoor to the SQL server and runs PsExec to obtain a shell on the targeted server.
As user Tous, OilRig uses the command prompt created by the Mimikatz pass-the-hash to discover the database backup files on the SQL server, then collects and exfiltrates them via the EWS API. OilRig first creates a new directory in which to stage the collected data, moves RDAT into it, and renames it VMware.exe. The renamed backdoor reads the data, splits it into 20,000-byte chunks, and exfiltrates them through the EWS API to an attacker-controlled mailbox (sistan@shirinfarhad.com). The stolen data is obfuscated inside BMP images attached to the emails sent to the attackers.
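The chunk-and-carry step above, as an added example (not RDAT's or MITRE's code): a 20,000-byte chunk is length-prefixed and written straight into the pixel rows of a valid 24-bit BMP, and a receiving routine reads it back; alongside sits the check a mail-gateway analyst would run on such an attachment, comparing declared geometry with the file and scoring the pixel area's entropy. How RDAT actually lays data into its BMPs is not described on this page, so the packing layout and the 100-pixel carrier width are assumptions, and the "backup" is constructed pseudorandom data standing in for a compressed database backup.

```python
"""Carry a 20,000-byte data chunk inside a BMP and inspect such carriers.

Added example for this page, not RDAT's or MITRE's code. RDAT's real layout is
not described here; packing a length-prefixed chunk straight into 24 bpp pixel
rows (WIDTH is an assumed carrier width) is an assumption. The 'backup' bytes
are constructed pseudorandom data standing in for a compressed backup file.
"""
import math
import random
import struct
from collections import Counter

CHUNK = 20_000        # chunk size named in the scenario
WIDTH = 100           # assumed carrier width; 24 bpp gives 300-byte rows, no padding
HEADER_LEN = 54       # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)


def split_chunks(data: bytes, size: int = CHUNK):
    return [data[i:i + size] for i in range(0, len(data), size)]


def make_bmp(width: int, height: int, pixel_bytes: bytes) -> bytes:
    """Wrap raw 24 bpp rows (already padded to 4-byte multiples) in BMP headers."""
    file_hdr = struct.pack("<2sIHHI", b"BM", HEADER_LEN + len(pixel_bytes), 0, 0, HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixel_bytes), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixel_bytes


def wrap_chunk_in_bmp(chunk: bytes) -> bytes:
    """Exfil side: length-prefix the chunk and pad it out to whole pixel rows."""
    body = struct.pack("<I", len(chunk)) + chunk
    row = (WIDTH * 3 + 3) // 4 * 4
    height = math.ceil(len(body) / row)
    return make_bmp(WIDTH, height, body.ljust(row * height, b"\x00"))


def extract_chunk(bmp: bytes) -> bytes:
    """Receiving side: jump to the pixel offset and read the length-prefixed chunk."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    (n,) = struct.unpack_from("<I", bmp, offset)
    return bmp[offset + 4: offset + 4 + n]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is uniformly random)."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def inspect_bmp(data: bytes) -> dict:
    """Defender side: does the header agree with the file, and does the pixel
    area look like picture data or like packed/compressed bytes?"""
    magic, declared_size, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    width, height, _, bpp = struct.unpack_from("<iiHH", data, 18)
    row = (width * bpp // 8 + 3) // 4 * 4
    pixel_len = row * abs(height)
    pixels = data[offset: offset + pixel_len]
    return {
        "valid_magic": magic == b"BM",
        "declared_size_ok": declared_size == len(data),
        "trailing_bytes": len(data) - (offset + pixel_len),   # data hidden after the image
        "pixel_bytes": len(pixels),
        "pixel_entropy": round(entropy(pixels), 3),
    }


def flat_image(width: int = 100, height: int = 50) -> bytes:
    """Constructed benign image: two-colour background plus block, low entropy."""
    row = (width * 3 + 3) // 4 * 4
    rows = []
    for y in range(height):
        px = b"".join(b"\xc0\xc0\xc0" if 10 <= y < 40 and 20 <= x < 80 else b"\x60\x40\x20"
                      for x in range(width))
        rows.append(px.ljust(row, b"\x00"))
    return make_bmp(width, height, b"".join(rows))


_rng = random.Random(7)
BACKUP = bytes(_rng.getrandbits(8) for _ in range(50_000))   # constructed stand-in
BENIGN_BMP = flat_image()

if __name__ == "__main__":
    for chunk in split_chunks(BACKUP):
        print(len(chunk), inspect_bmp(wrap_chunk_in_bmp(chunk)))
    print("benign", inspect_bmp(BENIGN_BMP))
```

Entropy alone will also flag legitimate compressed or encrypted content, so treat it as a feature, not a verdict. The stronger signal in this scenario is the pattern the chunking imposes: a run of BMP attachments of nearly identical size (about 20 KB of pixel data each) sent from a mailbox the SQL server's administrator normally has no reason to use, all addressed to one external recipient.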