OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
Common Information
Type Value
UUID ea63fb75-da75-4238-9f41-bff328956446
Fingerprint 169cbd51abf08795
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 12, 2018, 11 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 19, 2024, 3:59 p.m.
Headline OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
Title OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
Detected Hints/Tags/Attributes 57/2/12
Attributes
Details Type #Events CTI Value