New OilRig APT campaign leverages a new variant of the OopsIE Trojan

Haythem Elmir

The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements news evasion capabilities.

Experts at Palo Alto observed a new campaign carried out by the Iran-linked APT group OilRig that was leveraging on a new variant of the OopsIE Trojan.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, since then it targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The OopsIE Trojan is one of the malware in the APT’s arsenal that was detected for the first time in February 2018.

In July the hackers leveraged a new variant of the Trojan that implements new anti-analysis and evasion detection capabilities.

The OopsIE variant used in the last campaign begins its execution by performing a series of anti-analysis checks.

It would check CPU fan information (it is the first time a malware checks CPU fan info), temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

The campaign was also delivering the QUADAGENT backdoor, anyway, experts noticed the group using a different malware for each targeted organization.

“In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT.” reads the analysis published by Paolo Alto Network

“The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT.”

The hackers launched spear phishing attacks against a government agency using compromised email accounts at a government organization in the same country in the Middle East.

The OilRig hackers sent the phishing messages to the email address of a user group that had published documents regarding business continuity management,  the subject of the messages was in Arabic, which translated to “Business continuity management training”.

The new OopsIE variant would check the TimeZone.CurrentTimeZone.DaylightName property, it runs only in presence of strings for Iran, Arab, Arabia, and Middle East.

The attack is highly targeted because the previous check allows hitting only five time zones that encompass 10 countries.

Oilrig OopsIE

The new variant connects the www.windowspatch[.]com domain as domain and also sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript to gain persistence every three minutes.

The malware supports various commands, it can write the output to a file and send it to the server, download a file to the system, read a specified file and upload its contents, and uninstall itself.

“The OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again.” concludes the report.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

To read the original article:

Laisser un commentaire

Next Post

FIN6 returns to attack retailer point of sale systems in US, Europe

A new malware campaign has been detected which is targeting point-of-sale (PoS) systems across the United States and Europe. On Wednesday, researchers from IBM X-Force IRIS said the attacks have been attributed to the FIN6 cybercriminal group. This is only the second time that a campaign has been documented which appears to […]