OilRig Malware Campaign Updates Toolset and Expands Targets

Josh Grunzweig

Category: Unit 42

Since our first published analysis of the OilRig campaign in May 2016, we have continued to monitor this group for new activity. In recent weeks we’ve discovered that the group has been actively updating its Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has expanded beyond organizations within Saudi Arabia to include a company in Qatar and government organizations in Turkey, Israel and the United States.

Expanded Targeting

The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims. As an example, the following email was sent to a Turkish government organization using a lure of purported new portal logins for an airline’s website. (Please note that the sender email used in the figure below may have been spoofed.)

Figure 1 Phishing email sent to Turkish government organization

When the users.xls file is executed and macros are enabled, the victim is presented with the following decoy document.


Figure 2 Content contained in malicious Helminth XLS file

This same document content was used with Helminth samples targeting government organizations in multiple nations. For those particular attacks, the following filenames were witnessed:

  • Help-Yemen.xls
  • users.xls

In addition to these instances, multiple Qatari organizations were the subject of spear-phishing attacks carrying Helminth samples earlier this year. In those cases, the documents used to carry the malicious macro code were very specific to the organization receiving them, and in some cases were sent from partner organizations that already had a relationship with the recipient.

Updates to Toolset

In recent months, we’ve tracked a number of changes to the malware used by the actors responsible for OilRig. In the past five months, we’ve identified four distinct variants, each of which drops different filenames upon execution. These variants use the following filenames when dropped. (Please note that FireEye was notified about the use of their company name in the malware upon discovery.)

  • update.vbs / dns.ps1
  • fireeye.vbs / fireeye.ps1
  • upd.vbs / dn.ps1
  • komisova.vbs / komisova.ps1

The following timeline shows the prevalence of each variant.


Figure 6 Helminth variants over time

As we can see in the above timeline, the attackers shifted from the update.vbs variant of their malware in late May 2016 to the fireeye.vbs variant. More recently, the upd.vbs variant was discovered, which appears to be an actively developed copy; comments and other artifacts were found in this variant and are discussed further later in this post. Most recently, the komisova.vbs variant was observed in use.

Changes in VBScripts Between Variants

Overall, there are minimal changes in the dropped VBS files between variants. As a reminder, the VBS script is responsible for communicating with a remote server via HTTP. The script repeatedly attempts to download a file from the remote server, and proceeds to execute it when available. The output of this file is then uploaded via another HTTP request. It will also execute the PowerShell script that is dropped by the Clayslide Excel documents.

The main differences between the variants observed are in the domains and IP addresses used for command and control. The following URLs are used by each variant (grouped in the same order as the filename list above; the upd.vbs and komisova.vbs groupings follow from the IP address and shared-domain observations discussed below):

update.vbs / dns.ps1

  • hxxp://winodwsupdates[.]me/counter.aspx?req=
  • hxxp://go0gIe[.]com/sysupdate.aspx?req=

fireeye.vbs / fireeye.ps1

  • hxxp://update-kernal[.]net/update-index.aspx?req=
  • hxxp://upgradesystems[.]info/upgrade-index.aspx?req=
  • hxxp://yahoooooomail[.]com/update-index.aspx?req=
  • hxxp://googleupdate[.]download/update-index.aspx?req=

upd.vbs / dn.ps1

  • hxxp://83.142.230[.]138:7020/update.php?req=

komisova.vbs / komisova.ps1

  • hxxp://googleupdate[.]download/update-index.aspx?req=

A few things to note include the fact that the komisova.vbs variant uses the same URL witnessed in the fireeye.vbs variant. It’s worth pointing out that this domain was only seen in the most recent fireeye.vbs variants, so it’s very possible that it was used in a transition phase when the attackers were switching over to komisova.

We previously mentioned that the Excel file dropping upd.vbs was likely a development version. Evidence supporting this claim includes the fact that an IP address connection using a non-standard port was used for this file. One particularly interesting feature of this IP address is that it has ties to the Remexi report issued by Symantec in late 2015. This is in-line with previous evidence suggesting an Iranian-based actor behind these attacks.


Figure 7 Ties between IP address and Remexi (Shown in PassiveTotal)

The underlying code of upd.vbs is much cleaner when comparing it against the other variants. This can be seen below. This provides additional evidence that it is being actively developed.


Figure 8 Differences between upd.vbs and komisova.vbs

Another minor difference observed in the upd.vbs variant is the location of downloaded files. The three other variants all place downloaded files within a subfolder that resides in %PUBLIC%/Libraries. However, this particular one-off places its files within subfolders that reside in %USERPROFILE%/AppData/Local/Microsoft/Media/.

Changes in PS1 Between Variants

Similar to the VBS file, the PS1 file also communicates with a remote server. Unlike the VBS file, the PS1 file uses DNS instead of HTTP. Commands and file locations are received from the remote server and executed, and the output of these commands is in turn uploaded via additional DNS requests. For an in-depth analysis of how this occurs, please refer to our previous OilRig blog post. Overall, there are very minor differences between the dns, fireeye, and komisova PS1 variants. However, the dn.ps1 variant looks to have been updated considerably. In addition to these updates, the file is also heavily commented, providing further evidence that this particular file is being actively developed.


Figure 9 Beginning of dn.ps1 variant

The dn.ps1 variant will perform DNS queries with the following characteristics:

In the above queries, the ‘rne’ command asks the remote server whether a normal file is available for download. If one is, the server responds with ‘OK’ followed by the filename, and the malware then issues the ‘rd’ command, which actually downloads the file in question.

The same execution flow applies to the ‘bne’ and ‘bd’ commands, except that these look for a batch file. When downloading files, the malware looks for the string ‘EOFEOF’ to signal the end of the data stream.

The ‘u’ command is used to upload data that is generated from any provided files or scripts. Data is uploaded in chunks, with the ‘byte_position’ variable holding the current byte position of the uploaded file.

We ran this particular variant for a number of days, and the attackers interacted with our honeypot during that time. A Python script was used to parse the collected PCAP, with the following results (truncated for brevity):

As we can see, a number of interesting commands were received from the attackers, including attempts to communicate with remote FTP servers and various reconnaissance commands. These commands came at seemingly random intervals, indicating they likely resulted from an actual attacker issuing them rather than an automated system.
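The chunked DNS upload described above (the ‘u’ command, a byte position per chunk, and an ‘EOFEOF’ terminator) is the kind of traffic a defender can hunt for in resolver logs. The following is an added example, not the Python PCAP parser used in this post: it groups constructed DNS query log lines by client and queried domain, flags sessions whose subdomain labels are mostly hex-like and unusually numerous, and reassembles the flagged upload. The query layout it assumes (command label, hex byte position, hex payload, then the C2 domain) is a placeholder for illustration, not Helminth’s actual encoding.

```python
import re
from collections import defaultdict

# Constructed sample resolver log: "<time> <client_ip> <qname> <qtype>".
# The tunnel queries use an ASSUMED layout: u.<byte_position hex>.<payload hex>.<c2 domain>.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A
10:00:02 10.1.1.9 u.0000.48656c6c6f.c2-placeholder.example A
10:00:03 10.1.1.9 u.0005.20776f726c64.c2-placeholder.example A
10:00:04 10.1.1.9 u.000b.454f46454f46.c2-placeholder.example A
10:00:05 10.1.1.5 mail.example.com MX
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
EOF_MARKER = b"EOFEOF"  # end-of-stream marker named in the post

def parse_log(text):
    """Yield (client, qname, qtype) for each log line; qname is normalised to lowercase."""
    for line in text.splitlines():
        _ts, client, qname, qtype = line.split()
        yield client, qname.lower().rstrip("."), qtype

def suspicious_sessions(text, min_queries=3, hex_ratio=0.5):
    """Group queries by (client, last-two-label domain) and flag sessions that
    issue many queries whose subdomain labels are mostly hex strings."""
    sessions = defaultdict(list)
    for client, qname, _qtype in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:  # no subdomain labels to inspect
            continue
        domain = ".".join(labels[-2:])
        sessions[(client, domain)].append(labels[:-2])
    flagged = {}
    for key, label_lists in sessions.items():
        all_labels = [l for ls in label_lists for l in ls]
        hexish = sum(1 for l in all_labels if len(l) >= 4 and HEX_LABEL.match(l))
        if len(label_lists) >= min_queries and hexish / len(all_labels) >= hex_ratio:
            flagged[key] = label_lists
    return flagged

def reassemble_upload(label_lists):
    """Rebuild a chunked 'u' upload from flagged queries: order chunks by their
    hex byte position, concatenate payloads, and stop at the EOFEOF marker."""
    chunks = sorted((int(ls[1], 16), bytes.fromhex(ls[2]))
                    for ls in label_lists if ls[0] == "u" and len(ls) == 3)
    data = b"".join(payload for _pos, payload in chunks)
    return data.split(EOF_MARKER, 1)[0]
```

In production the grouping key should use a public-suffix list rather than the last two labels, and the thresholds should be tuned against a baseline of the environment’s normal DNS volume.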


The attackers using the Helminth and Clayslide malware families continue to target various high-value companies and organizations across the globe using their customized malware. This malware is under active development and continues to be updated and improved upon, as witnessed in the files discussed in this blog post. While the malware deployed is not terribly sophisticated, it uses techniques such as DNS command and control (C2) that allow it to stay under the radar at many establishments.

Palo Alto Networks customers are protected against this threat in the following ways:

  • WildFire identifies all Helminth and Clayslide samples as malicious
  • Domains identified as command and control servers are flagged as malicious
  • AutoFocus tags Helminth and Clayslide may be used to track this group

Indicators of Compromise


C2 Servers


File Paths

