OilRig Malware Campaign Updates Toolset and Expands Targets

released on 2016-10-05 @ 01:29:24 AM
Since our first published analysis of the OilRig campaign in May 2016, Unit42 has continued to monitor this group for new activity. In recent weeks we’ve discovered that the group has been actively updating its Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has expanded to include not only organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States.

The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims. As an example, the following email was sent to a Turkish government organization using a lure of purported new portal logins for an airline’s website. (Please note that the sender email used in the figure below may have been spoofed.)