
Iranian Hackers Improve Recently Used Cyber Weapon

The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.

The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan, which was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allow it to further evade detection.

The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.

As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.

The email was sent to the address of a user group that had published documents on business continuity management on the Internet. The attackers used lures crafted specifically for this attack.

The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.

The time zone check is also of interest: the Trojan only executes if the time zone name contains the strings Iran, Arab, Arabia or Middle East. These point to five time zones that encompass 10 countries, showing that the malware is highly targeted.

The updated Trojan variant retains most of the functionality previously associated with the threat, but adds obfuscation and also requires the user to interact with an error dialog box, which is the last of the checks described above.

Next, the malware sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task that runs a VBScript to ensure persistence. The task attempts to run the Trojan every three minutes.
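The persistence mechanism described above (a scheduled task that launches a VBScript from the App Data folder on a three-minute loop) is something a defender can hunt for in Task Scheduler exports. The following script is an added example written for this article, not code from Palo Alto Networks or from the reported samples. It assumes the standard Task Scheduler XML export format (as produced by `schtasks /query /xml`), and the two task definitions, the task names and the five-minute threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler exports (schtasks /query /xml) use this XML namespace.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

SCRIPT_HOSTS = {"wscript", "cscript"}
# Anything repeating at least this often is treated as a beaconing-style schedule
# (threshold chosen for this example; the reported task fires every three minutes).
MAX_INTERVAL_SECONDS = 5 * 60


def iso_duration_to_seconds(value):
    """Convert a Task Scheduler duration (PT3M, PT1H30M, P1D) to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(xml_text):
    """Return {'name', 'reasons', 'suspicious'} for one exported task definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext(f"{NS}RegistrationInfo/{NS}URI") or "<unnamed>"
    reasons = []

    # Shortest repetition interval across all triggers of the task.
    intervals = [iso_duration_to_seconds(i.text or "") for i in root.iter(f"{NS}Interval")]
    intervals = [s for s in intervals if s is not None]
    short_loop = bool(intervals) and min(intervals) <= MAX_INTERVAL_SECONDS
    if short_loop:
        reasons.append(f"repeats every {min(intervals)}s")

    script_host = appdata = False
    for exec_action in root.iter(f"{NS}Exec"):
        command = (exec_action.findtext(f"{NS}Command") or "").strip().strip('"')
        args = exec_action.findtext(f"{NS}Arguments") or ""
        cmdline = f"{command} {args}".lower()
        exe = command.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if exe.endswith(".exe"):
            exe = exe[:-4]
        if exe in SCRIPT_HOSTS or ".vbs" in cmdline:
            script_host = True
        if "\\appdata\\" in cmdline or "%appdata%" in cmdline:
            appdata = True
    if script_host:
        reasons.append("action runs a VBScript via Windows Script Host")
    if appdata:
        reasons.append("action references the AppData folder")

    # Flag only the full combination: a script in a user-writable folder on a tight loop.
    suspicious = short_loop and script_host and appdata
    return {"name": name, "reasons": reasons, "suspicious": suspicious}


def triage(task_xmls):
    """Names of the tasks in an export that match the persistence pattern."""
    return [r["name"] for r in map(analyze_task, task_xmls) if r["suspicious"]]


# Constructed sample definitions (not taken from the reported samples).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SystemUpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2018-07-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%APPDATA%\\svchost.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleCorp\\InventoryAgent</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2018-07-01T08:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleCorp\\agent.exe</Command>
      <Arguments>--report</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        result = analyze_task(xml_text)
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

Requiring all three indicators together keeps the false-positive rate low; dropping to any single indicator (a short repetition interval alone, say) would sweep in legitimate agents, so tune the combination to the environment rather than relaxing the threshold.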

The malware then starts communicating with its command and control (C&C) server, using the www.windowspatch[.]com domain.

The malware supports several commands received from the server: run a command, write its output to a file and send that file to the server; download a file to the system; read a specified file and upload its contents; and uninstall itself.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

Related: Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks

Related: Iran-linked Hackers Adopt New Data Exfiltration Methods

Written By

Ionut Arghire is an international correspondent for SecurityWeek.