The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.
A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.
The first attack occurred on January 8, 2018, and started with two emails being sent to two different email addresses at the same organization within a six minutes time span. Both messages originated from an email address associated with the Lebanese domain of a major global financial institution, but researchers from Palo Alto Networks believe the email address was spoofed.
On January 16, OilRig targeted an organization that it had also hit a year ago. The OopsIE Trojan was downloaded from the command and control (C&C) server directly, suggesting that the server was being used for staging as well. It also suggests that group might have changed tactics after the targeted organization took measures to counter known OilRig TTPs following last year’s incident.
The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image to lower suspicion, although it is a fake error message.
The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.
Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.
“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon,” the researchers explain.
The Trojan extracts and loads an embedded assembly by concatenating the contents of two resources, a technique the OilRig group was already known to employ.
Based on responses received from the server, the Trojan can run a command, upload a file, or download a specified file.
In addition to the use of the ThreeDollars delivery document, the newly observed attacks overlap with previous incidents involving the OilRig group in that they use the C&C domain msoffice365cdn[.]com. The researchers also linked the domain’s registrant to the office365-management[.]com and office365-technical[.]info domains and believe the OilRig group is behind all of them. The IP msoffice365cdn[.]com resolves to was also associated with the group.
“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.
Related: Iranian Hackers Target IIS Web Servers With New Backdoor
Related: Iranian Cyberspies Exploit Recently Patched Office Flaw

More from Ionut Arghire
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
