OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [1]

ID: S0264
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OopsIE uses HTTP for C2 communications.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

OopsIE compresses collected files with GZipStream before sending them to its C2 server.[1]

.003 Archive Collected Data: Archive via Custom Method

OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

OopsIE uses the command prompt to execute commands on the victim's machine.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

OopsIE creates and uses a VBScript as part of its persistent execution.[1][2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

OopsIE encodes data in hexadecimal format over the C2 channel.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1]

Enterprise T1030 Data Transfer Size Limits

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[1]

Enterprise T1041 Exfiltration Over C2 Channel

OopsIE can upload files from the victim's machine to its C2 server.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

OopsIE has the capability to delete files and scripts from the victim's machine.[2]

Enterprise T1105 Ingress Tool Transfer

OopsIE can download files from its C2 server to the victim's machine.[1][2]

Enterprise T1027 Obfuscated Files or Information

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[1][2]

.002 Software Packing

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OopsIE creates a scheduled task to run itself every three minutes.[1][2]

Enterprise T1082 System Information Discovery

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2]

Enterprise T1124 System Time Discovery

OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.[2]

Enterprise T1047 Windows Management Instrumentation

OopsIE uses WMI to perform discovery techniques.[2]

Groups That Use This Software

ID Name References
G0049 OilRig

[1]

References