OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [1]

ID: S0264
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface OopsIE uses the command prompt to execute commands on the victim's machine.[1][2]
Enterprise T1002 Data Compressed OopsIE compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server.[1]
Enterprise T1132 Data Encoding OopsIE encodes data in hexadecimal format over the C2 channel.[1]
Enterprise T1074 Data Staged OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1]
Enterprise T1030 Data Transfer Size Limits OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[1]
Enterprise T1041 Exfiltration Over Command and Control Channel OopsIE can upload files from the victim's machine to its C2 server.[1]
Enterprise T1107 File Deletion OopsIE has the capability to delete files and scripts from the victim's machine.[2]
Enterprise T1027 Obfuscated Files or Information OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[1][2]
Enterprise T1105 Remote File Copy OopsIE can download files from its C2 server to the victim's machine.[1][2]
Enterprise T1053 Scheduled Task OopsIE creates a scheduled task to run itself every three minutes.[1][2]
Enterprise T1064 Scripting OopsIE creates and uses a VBScript as part of its persistent execution.[1][2]
Enterprise T1045 Software Packing OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1]
Enterprise T1071 Standard Application Layer Protocol OopsIE uses HTTP for C2 communications.[1][2]
Enterprise T1082 System Information Discovery OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2]
Enterprise T1124 System Time Discovery OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[2]
Enterprise T1497 Virtualization/Sandbox Evasion OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.[2]
Enterprise T1047 Windows Management Instrumentation OopsIE uses WMI to perform discovery techniques.[2]

Groups

Groups that use this software:

OilRig

References