The cyberespionage group OilRig has been observed attacking organizations in the Middle East with a new Trojan called OopsIE.
The new malware was spotted in recent attacks by the OilRig APT group against an insurance agency and a financial institution in the Middle East.
According to researchers from Palo Alto Networks' Unit 42: “On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.”
The insurance agency attack used a variant of the ThreeDollars delivery document. The same type of malicious document was used by the OilRig group to deliver the ISMInjector Trojan in earlier attacks against UAE government organizations.
The attack began with two emails sent to two different addresses at the same organization within six minutes of each other. The sender address was spoofed and belonged to the Lebanese domain of a major global financial institution.
The emails carried the subject line ‘Beirut Insurance Seminar Invitation’ and the attachment ‘Seminar-Invitation.doc’, which is the malicious ThreeDollars document.
In the second attack, on January 16, 2018, the group attempted to deliver the malware directly to the target organization, likely via a link in an email.
In that case the OopsIE Trojan was downloaded directly from the command and control server, which also served as the staging server. This is the second time OilRig has targeted this organization; the first attack took place in 2017.
In the ThreeDollars document, the macro creates a scheduled task that runs after one minute and uses the Certutil utility to decode base64-encoded data. It then creates a second scheduled task that runs after two minutes and executes a VBScript, which launches the OopsIE Trojan and cleans up the installation artifacts.
The OopsIE Trojan is packed with SmartAssembly and obfuscated with ConfuserEx v1.0.0 (both .NET protection tools). It creates a VBScript file that it uses to run persistently on the system.
It also creates a scheduled task that runs the Trojan every three minutes. For command and control it communicates over HTTP through the InternetExplorer.Application COM object.
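The delivery chain above (two short-delay scheduled tasks, Certutil used as a base64 decoder, a VBScript launched from a task) and the three-minute persistence task are all visible in process-creation telemetry. The following Python is an added detection example written for this article; it is not Unit 42's or OilRig's code. The event shape (parent image, image, command line), the rule names, the five-minute interval threshold and the sample events are all my own assumptions and constructed data, not indicators from the report.

```python
import re

# Assumption: events arrive as (parent_image, image, command_line), the shape
# you would get from Sysmon event 1 or EDR process-creation telemetry.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_ACTIONS = ("wscript", "cscript", "certutil")
SHORT_INTERVAL_MINUTES = 5  # assumed threshold; the article describes a 3-minute task


def detect(parent_image: str, image: str, command_line: str) -> list:
    """Return the names of the rules this process-creation event trips."""
    hits = []
    parent = parent_image.lower()
    img = image.lower()
    cmd = command_line.lower()

    # certutil used as a decoder instead of for certificate work
    if img == "certutil.exe" and re.search(r"\s-decode(hex)?\b", cmd):
        hits.append("certutil_decode")

    if img == "schtasks.exe" and "/create" in cmd:
        # the task action (/tr) hands control to a script host or LOLBin
        tr = re.search(r'/tr\s+("[^"]*"|\S+)', cmd)
        action = tr.group(1) if tr else ""
        if any(name in action for name in LOLBIN_ACTIONS):
            hits.append("schtasks_lolbin_action")
        # a recurring task on a short minute interval (persistence beacon)
        mo = re.search(r"/sc\s+minute\b.*?/mo\s+(\d+)", cmd)
        if mo and int(mo.group(1)) <= SHORT_INTERVAL_MINUTES:
            hits.append("short_interval_task")
        # an Office process creating scheduled tasks is macro territory
        if parent in OFFICE_PARENTS:
            hits.append("office_spawns_schtasks")
    return hits


def scan(events) -> dict:
    """Run every event through detect(); map event index -> rules fired."""
    return {i: hits for i, (p, img, c) in enumerate(events)
            if (hits := detect(p, img, c))}


# Constructed sample events modelled on the behaviour described in the article.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "schtasks.exe",
     r'schtasks /create /sc once /st 10:01 /tn "Update1" /tr "certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.vbs"'),
    ("WINWORD.EXE", "schtasks.exe",
     r'schtasks /create /sc once /st 10:02 /tn "Update2" /tr "wscript C:\Users\Public\a.vbs"'),
    ("svchost.exe", "certutil.exe",
     r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.vbs"),
    ("svchost.exe", "schtasks.exe",
     r'schtasks /create /sc minute /mo 3 /tn "Sync" /tr "wscript C:\Users\Public\x.vbs"'),
    ("explorer.exe", "certutil.exe", r"certutil -verify -urlfetch cert.cer"),
    ("cmd.exe", "schtasks.exe", r"schtasks /query /fo list"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][1], rules)
```

Each rule on its own is noisy in a large estate (administrators do create tasks, and certutil has legitimate uses); the value is in the combination, so correlate "office_spawns_schtasks" with a following "certutil_decode" or "schtasks_lolbin_action" from the same host within a few minutes before alerting.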
The researchers describe the protocol: “The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon.”
According to the researchers, the Trojan supports three commands: run a command, upload a file, and download a specific file.
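The response handling described above is simple enough to reproduce when building a stand-in C2 for detonating the sample in a sandbox: whatever sits between `<pre>` and `</pre>` is the tasking, and a response without it (or with an empty block) is just a beacon acknowledgement. The following Python is an added illustration of that parsing step, not the Trojan's own code; the sample response bodies, and the plain-text task inside them, are constructed, since the article does not document the tasking format beyond the `<pre>` tags.

```python
import re

# Matches the first <pre>...</pre> block; DOTALL so tasking may span lines.
PRE_BLOCK = re.compile(r"<pre>(.*?)</pre>", re.IGNORECASE | re.DOTALL)


def extract_tasking(body: str):
    """Return the text inside the first <pre>...</pre> block, or None.

    None means "nothing to do": a beacon acknowledgement with an empty block,
    an unrelated or decoy page, or a <pre> that is never closed.
    """
    match = PRE_BLOCK.search(body)
    if not match:
        return None
    payload = match.group(1).strip()
    return payload or None


# Constructed sample responses (assumptions, not captured traffic).
SAMPLE_RESPONSES = {
    "beacon_ack": "<html><body><pre></pre></body></html>",
    "tasked": "<html><body>\n<PRE>\n  whoami\n</PRE>\n</body></html>",
    "decoy": "<html><body><h1>Welcome</h1></body></html>",
    "unterminated": "<html><body><pre>whoami</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name}: {extract_tasking(body)!r}")
```

On the defensive side the same pattern is a useful hunting pivot: a host that fetches small pages every few minutes whose body is essentially an empty `<pre></pre>` block is behaving like a beacon, whatever the URL looks like.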
Unit 42 concludes: “The OilRig group continues to remain a highly active adversary in the Middle East region. This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle.”