OopsIE

OopsIE is a Trojan used by OilRig to execute commands remotely on a compromised host and to upload files to, and download files from, its command and control (C2) server. [1]

ID: S0264
Type: MALWARE
Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | OopsIE uses the command prompt to execute commands on the victim's machine. [1][2]
Enterprise | T1002 | Data Compressed | OopsIE compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server. [1]
Enterprise | T1132 | Data Encoding | OopsIE encodes data in hexadecimal format over the C2 channel. [1]
Enterprise | T1074 | Data Staged | OopsIE stages the output of command execution and collected files in specific folders before exfiltration. [1]
Enterprise | T1030 | Data Transfer Size Limits | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | OopsIE concatenates and then decompresses multiple resources to load an embedded .NET Framework assembly. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | OopsIE can upload files from the victim's machine to its C2 server. [1]
Enterprise | T1107 | File Deletion | OopsIE has the capability to delete files and scripts from the victim's machine. [2]
Enterprise | T1027 | Obfuscated Files or Information | OopsIE uses the Confuser protector to obfuscate an embedded .NET Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing it to files on disk, and obfuscates its strings. [1][2]
Enterprise | T1105 | Remote File Copy | OopsIE can download files from its C2 server to the victim's machine. [1][2]
Enterprise | T1053 | Scheduled Task | OopsIE creates a scheduled task to run itself every three minutes. [1][2]
Enterprise | T1064 | Scripting | OopsIE creates and uses a VBScript as part of its persistent execution. [1][2]
Enterprise | T1045 | Software Packing | OopsIE uses the SmartAssembly obfuscator to pack an embedded .NET Framework assembly used for C2. [1]
Enterprise | T1071 | Standard Application Layer Protocol | OopsIE uses HTTP for C2 communications. [1][2]
Enterprise | T1082 | System Information Discovery | OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks. [2]
Enterprise | T1124 | System Time Discovery | OopsIE checks whether the system is configured with "Daylight" time and whether the time zone is set to a specific region. [2]
Enterprise | T1497 | Virtualization/Sandbox Evasion | OopsIE performs several anti-VM and sandbox checks on the victim's machine. One check runs the WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature and uses the temperature result to decide whether it is running in a virtual environment. [2]
Enterprise | T1047 | Windows Management Instrumentation | OopsIE uses WMI to perform its discovery techniques. [2]
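
Hunting for the persistence described in the T1053 and T1064 rows above, as an added example that is not code from the ATT&CK page or from the OilRig reports it cites: it enumerates scheduled tasks whose trigger repeats every three minutes (the Task Scheduler stores that interval as the ISO 8601 duration PT3M) and whose action runs wscript.exe or cscript.exe or names a .vbs file. The task name, task path and script name OopsIE uses are not given on this page, so the filter keys only on the interval and the script host; the default thresholds are this example's assumptions. Run it as an administrator so that every task folder is readable.

```powershell
# Added example, not OopsIE code and not taken from the ATT&CK page: flag scheduled
# tasks that repeat every three minutes and launch a script host or a .vbs file.
function Find-SuspiciousRepeatingTasks {
    [CmdletBinding()]
    param(
        # Task Scheduler repetition interval for "every 3 minutes" (assumed threshold)
        [string]$Interval = 'PT3M',
        # Script hosts commonly used to launch VBScript (assumed list)
        [string[]]$ScriptHosts = @('wscript.exe', 'cscript.exe')
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_

        # Keep only tasks with at least one trigger repeating at the given interval
        $repeating = @($task.Triggers | Where-Object {
            $_.Repetition -and $_.Repetition.Interval -eq $Interval
        })
        if ($repeating.Count -eq 0) { return }

        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $leaf      = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()

            $usesScriptHost = $ScriptHosts -contains $leaf
            $namesVbs       = ($exe + ' ' + $arguments) -match '\.vbs\b'

            if ($usesScriptHost -or $namesVbs) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Interval  = $Interval
                    Execute   = $exe
                    Arguments = $arguments
                    Author    = $task.Author
                    State     = $task.State
                }
            }
        }
    }
}

# Usage: list matching tasks; export the XML of any hit with Export-ScheduledTask for triage
Find-SuspiciousRepeatingTasks | Format-Table -AutoSize -Wrap
```

Legitimate software rarely combines a three-minute repetition with a VBScript host, so hits are worth triaging by hand; export the task XML with Export-ScheduledTask and inspect the script it launches before deleting anything, since the sample's own file deletion behaviour (T1107) means the script may be the only artefact left on disk.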

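Reissuing the anti-VM checks from the T1082, T1497 and T1047 rows above, as an added example that is not code from the ATT&CK page or from the OilRig reports it cites: it runs the thermal-zone WMI query quoted on the page verbatim, plus one WMI class for each of the other hardware categories the page lists (fan, mouse, hard disk, motherboard), so an analyst can confirm what a virtualisation-aware sample would see on a sandbox or analysis VM. The page does not say which classes OopsIE queries for the non-temperature checks; Win32_Fan, Win32_PointingDevice, Win32_DiskDrive and Win32_BaseBoard, and the hypervisor vendor strings matched against the base board, are this example's assumptions. On most hypervisors the thermal-zone query returns no instances or the provider answers "Not supported", which is the signal such a check keys on.

```powershell
# Added example, not OopsIE code and not taken from the ATT&CK page: probe the WMI
# classes a VM-aware sample might query and report which answers look virtual.
function Invoke-WmiProbe {
    param([string]$Namespace, [string]$Query)
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Query = $Query; Count = $rows.Count; Error = $null; Rows = $rows }
    } catch {
        # "Not supported" from the provider is the usual hypervisor outcome for thermal zones
        [pscustomobject]@{ Query = $Query; Count = 0; Error = $_.Exception.Message; Rows = @() }
    }
}

function Test-SandboxHardwareFingerprint {
    # Assumed hypervisor vendor strings; only the thermal-zone query is attributed to OopsIE on the page
    $vmVendors = 'VMware|VirtualBox|innotek|Virtual Machine|QEMU|Xen|Parallels'

    $checks = @(
        @{ Namespace = 'root/WMI';   Query = 'SELECT * FROM MSAcpi_ThermalZoneTemperature' }  # verbatim from T1497 row
        @{ Namespace = 'root/CIMV2'; Query = 'SELECT * FROM Win32_Fan' }                      # CPU fan (assumed class)
        @{ Namespace = 'root/CIMV2'; Query = 'SELECT * FROM Win32_PointingDevice' }           # mouse (assumed class)
        @{ Namespace = 'root/CIMV2'; Query = 'SELECT Model, Size FROM Win32_DiskDrive' }      # hard disk (assumed class)
        @{ Namespace = 'root/CIMV2'; Query = 'SELECT Manufacturer, Product FROM Win32_BaseBoard' } # motherboard (assumed class)
    )

    foreach ($c in $checks) {
        $r = Invoke-WmiProbe -Namespace $c.Namespace -Query $c.Query
        $vendorHit = $false

        $detail = switch -Wildcard ($c.Query) {
            '*MSAcpi_ThermalZoneTemperature*' {
                # CurrentTemperature is reported in tenths of a kelvin; show degrees Celsius
                ($r.Rows | ForEach-Object { [math]::Round($_.CurrentTemperature / 10 - 273.15, 1) }) -join ', '
            }
            '*Win32_DiskDrive*' {
                ($r.Rows | ForEach-Object { "$($_.Model) ($([math]::Round($_.Size / 1GB)) GB)" }) -join '; '
            }
            '*Win32_BaseBoard*' {
                $text = ($r.Rows | ForEach-Object { "$($_.Manufacturer) $($_.Product)" }) -join '; '
                $vendorHit = $text -match $vmVendors
                $text
            }
            default { '' }
        }

        [pscustomobject]@{
            Query        = $c.Query
            Instances    = $r.Count
            Detail       = $detail
            Error        = $r.Error
            # No instances (or a provider error) is what the thermal-zone check keys on;
            # a hypervisor vendor string on the base board is an additional, assumed tell
            LooksVirtual = ($r.Count -eq 0) -or $vendorHit
        }
    }
}

# Usage: run on the sandbox image; any row with LooksVirtual = True is a check the sample could use
Test-SandboxHardwareFingerprint | Format-Table -AutoSize -Wrap
```

If the thermal-zone row shows zero instances or a "Not supported" error, a sample performing the check quoted on this page would conclude it is in a VM and could withhold its payload; sandbox operators typically address this by presenting ACPI thermal zones to the guest or by hooking the WMI provider, and the same probe can be rerun to verify the fix.
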
Groups

Groups that use this software:

OilRig

References