Iranian Threat Actor OilRig Exploits Windows Kernel Flaw in UAE Cyber Espionage Campaign | Black Hat Ethical Hacking



The STEALHOOK Backdoor and Privilege Escalation Tactics

After initial access—gained by exploiting vulnerable web servers—OilRig deploys the STEALHOOK backdoor to steal credentials and send them via Exchange servers to attacker-controlled email addresses. The group leverages ngrok, a remote management tool, to facilitate persistence and lateral movement within targeted networks. Privilege escalation is achieved by dropping psgfilter.dll, a password filter policy DLL, to extract plaintext credentials from domain controllers and local machines.

Figure 1. Attack chain (source: Trend Micro)

Repeated Use of psgfilter.dll for Credential Theft

This technique of using psgfilter.dll was first observed in December 2022 during a separate campaign in the Middle East. OilRig continues to leverage this tool for plaintext password extraction and remote deployment, further solidifying their foothold in targeted networks. The threat actors encrypt the stolen credentials before transmitting them over networks to evade detection.
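Because a password filter such as psgfilter.dll only receives plaintext passwords if it is registered in the LSA "Notification Packages" value, auditing that value on domain controllers and workstations is a direct way to catch the technique described above. The script below is an added defensive check, not code from the article or from Trend Micro; the baseline list of expected packages is an assumption and should be adjusted to what your build legitimately ships.

```powershell
# Audit LSA "Notification Packages": every name listed here is loaded by LSASS
# as <name>.dll from System32 and handed each plaintext password on change.
# Run elevated on each DC/host. Baseline is an ASSUMPTION for illustration;
# confirm it against a known-good machine of the same role before relying on it.
$Baseline = @('scecli', 'rassfm')

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pkgs = (Get-ItemProperty -Path $Key -Name 'Notification Packages').'Notification Packages'

foreach ($Pkg in $Pkgs) {
    $Name = $Pkg.Trim()
    if (-not $Name) { continue }                      # REG_MULTI_SZ may hold empty entries
    $Path     = Join-Path $env:SystemRoot "System32\$Name.dll"
    $Findings = @()

    if ($Baseline -notcontains $Name) { $Findings += 'not in baseline' }

    if (-not (Test-Path $Path)) {
        $Findings += 'DLL missing from System32'
    } else {
        # Unsigned or non-Microsoft signer is the strongest indicator of a dropped filter.
        $Sig = Get-AuthenticodeSignature -FilePath $Path
        if ($Sig.Status -ne 'Valid') {
            $Findings += "signature $($Sig.Status)"
        } elseif ($Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $Findings += "signer: $($Sig.SignerCertificate.Subject)"
        }
    }

    $Status = if ($Findings) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1,-20} {2}' -f $Status, $Name, ($Findings -join '; ')
}
```

A password filter takes effect only after LSASS restarts, so pairing this audit with alerting on writes to the Notification Packages value (registry object auditing, Event ID 4657) gives earlier warning than the audit alone.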

