The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, since then it targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.
The OopsIE Trojan is one of the malware in the APT’s arsenal that was detected for the first time in February 2018.
In July the hackers leveraged a new variant of the Trojan that implements new anti-analysis and evasion detection capabilities.
The OopsIE variant used in the last campaign begins its execution by performing a series of anti-analysis checks.
It would check CPU fan information (it is the first time a malware checks CPU fan info), temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.
The campaign was also delivering the QUADAGENT backdoor, anyway, experts noticed the group using a different malware for each targeted organization.
“In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT.” reads the analysis published by Paolo Alto Networks.
“The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT.”
The hackers launched spear phishing attacks against a government agency using compromised email accounts at a government organization in the same country in the Middle East.
The OilRig hackers sent the phishing messages to the email address of a user group that had published documents regarding business continuity management, the subject of the messages was in Arabic, which translated to “Business continuity management training”.
The new OopsIE variant would check the TimeZone.CurrentTimeZone.DaylightName property, it runs only in presence of strings for Iran, Arab, Arabia, and Middle East.
The attack is highly targeted because the previous check allows hitting only five time zones that encompass 10 countries.
The new variant connects the www.windowspatch[.]com domain as domain and also sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript to gain persistence every three minutes.
The malware supports various commands, it can write the output to a file and send it to the server, download a file to the system, read a specified file and upload its contents, and uninstall itself.
“The OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again.” concludes the report.
“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.