OilRig’s Poison Frog – Old Samples, Same Trick


OilRig’s Poison Frog – Old Samples, Same Trick (Dec 17, 2019)

Securelist have released a retrospective analysis of activity conducted by OilRig. The researchers discovered new samples but also found some of the first Poison Frog backdoor samples. One of the earliest Poison Frog samples uses poison-frog[.]club as the Command and Control (C2) domain. OilRig developers disguised the malware as the legitimate Cisco AnyConnect application. OilRig is described as sloppy by researchers as in one sample, a typo of powershell “poweeershell.exe” prevented the sample from being executed properly. Many samples also still had the Program Database (PDB) path inside the binary.

Recommendation: Threat intelligence researchers from are always attempting to figure out what malicious actors are up to, and what they have done in the past to better inform how and who they may attack in the future. Despite OilRig being described as sloppy, and making mistakes, understanding the groups evolution serves to present insight into the potential motivations and tactics of that group. If something changes it can signify an altered objective, alignment or team structure and skillset. OilRigs past mistakes tells us that despite these mistakes, the group has been successful and persistent in their activity. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.