OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [1]

ID: S0264
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

OopsIE uses the command prompt to execute commands on the victim's machine.[1][2]

Enterprise T1002 Data Compressed

OopsIE compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server.[1]

Enterprise T1132 Data Encoding

OopsIE encodes data in hexadecimal format over the C2 channel.[1]

Enterprise T1074 Data Staged

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1]

Enterprise T1030 Data Transfer Size Limits

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[1]

Enterprise T1041 Exfiltration Over Command and Control Channel

OopsIE can upload files from the victim's machine to its C2 server.[1]

Enterprise T1107 File Deletion

OopsIE has the capability to delete files and scripts from the victim's machine.[2]

Enterprise T1027 Obfuscated Files or Information

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[1][2]

Enterprise T1105 Remote File Copy

OopsIE can download files from its C2 server to the victim's machine.[1][2]

Enterprise T1053 Scheduled Task

OopsIE creates a scheduled task to run itself every three minutes.[1][2]

Enterprise T1064 Scripting

OopsIE creates and uses a VBScript as part of its persistent execution.[1][2]

Enterprise T1045 Software Packing

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1]

Enterprise T1071 Standard Application Layer Protocol

OopsIE uses HTTP for C2 communications.[1][2]

Enterprise T1082 System Information Discovery

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2]

Enterprise T1124 System Time Discovery

OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.[2]

Enterprise T1047 Windows Management Instrumentation

OopsIE uses WMI to perform discovery techniques.[2]

Groups That Use This Software

ID Name References
G0049 OilRig [1]

References