| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API.[1] |
| Enterprise | T1217 | Browser Information Discovery | During Outer Space, OilRig used a Chrome data dumper named MKG.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Outer Space, OilRig used VBS droppers to deploy malware.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For Outer Space, OilRig created new implants, including the Solar backdoor.[1] |
| Enterprise | T1585.003 | Establish Accounts: Cloud Accounts | During Outer Space, OilRig created M365 email accounts to be used as part of C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Outer Space, OilRig downloaded additional tools to compromised infrastructure.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[1] |