The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.
The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allows it to further evade detection.
The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.
As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.
The email was sent to the email address of a user group that had published documents regarding business continuity management on the Internet. The attackers used lures specifically crafted for this assault.
The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.
While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.
The time zone check is also of interest, as the Trojan would only execute if it finds strings for Iran, Arab, Arabia and Middle East. These point to five time zones that encompass 10 countries, showing that the malware is highly targeted.
The updated Trojan variant packs most of the functionality previously associated with the threat, but also includes obfuscation, in addition to requiring the user to interact with an error dialog box (the last in the previously mentioned series of checks).
Next, the malware sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript that ensures persistence. The process attempts to run the Trojan every three minutes.
The malware then starts communication with the command and control (C&C) server (it uses the www.windowspatch[.]com domain as C&C).
The malware includes support for various commands that it receives from the server. It can run the command, write the output to a file and send it to the server; download a file to the system; read a specified file and upload its contents, and uninstall itself.
“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.