S0264 OopsIE
OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims.[1]
| Item | Value |
|---|---|
| ID | S0264 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OopsIE uses HTTP for C2 communications.[1][2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | OopsIE compresses collected files with GZipStream before sending them to its C2 server.[1] |
| enterprise | T1560.003 | Archive via Custom Method | OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | OopsIE uses the command prompt to execute commands on the victim’s machine.[1][2] |
| enterprise | T1059.005 | Visual Basic | OopsIE creates and uses a VBScript as part of its persistent execution.[1][2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | OopsIE encodes data in hexadecimal format over the C2 channel.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1] |
| enterprise | T1030 | Data Transfer Size Limits | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | OopsIE concatenates and then decompresses multiple resources to load an embedded .Net Framework assembly.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | OopsIE can upload files from the victim’s machine to its C2 server.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | OopsIE has the capability to delete files and scripts from the victim’s machine.[2] |
| enterprise | T1105 | Ingress Tool Transfer | OopsIE can download files from its C2 server to the victim’s machine.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing it to files on disk, and obfuscates strings.[1][2] |
| enterprise | T1027.002 | Software Packing | OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | OopsIE creates a scheduled task to run itself every three minutes.[1][2] |
| enterprise | T1082 | System Information Discovery | OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2] |
| enterprise | T1124 | System Time Discovery | OopsIE checks whether the system is configured with “Daylight” time and checks for a specific region to be set for the timezone.[2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | OopsIE performs several anti-VM and sandbox checks on the victim’s machine. One technique the group has used is the WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature, which reads the temperature to determine whether the sample is running in a virtual environment.[2] |
| enterprise | T1047 | Windows Management Instrumentation | OopsIE uses WMI to perform discovery techniques.[2] |
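As an added defender-side example (not code from this page or from the cited reports), the following Python triage script turns three of the behaviours in the table above into detection rules and runs them over sample host and network events: the anti-VM WMI query against MSAcpi_ThermalZoneTemperature (T1497.001), a scheduled task that repeats every three minutes (T1053.005), and hex-only HTTP POST bodies of at most 1500 bytes (T1132.001 and T1030). The key=value log format, the field names and every event in `SAMPLE_EVENTS` are constructed for this example and do not correspond to any real product's schema or real telemetry.

```python
"""Triage of constructed event lines for the OopsIE behaviours described on
this page: the anti-VM WMI thermal-zone query (T1497.001), the scheduled task
that repeats every three minutes (T1053.005), and hex-encoded C2 bodies sent
in blocks of at most 1500 bytes (T1132.001 / T1030).

The key=value log format, the field names and every event below are
constructed for this example; they are not a real product's schema or real
telemetry."""
import re
from dataclasses import dataclass

# Constructed sample events. Values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    r'ts=2024-01-01T10:00:01Z type=wmi_query image=C:\Users\u\AppData\Roaming\svc.exe query="SELECT * FROM MSAcpi_ThermalZoneTemperature"',
    r'ts=2024-01-01T10:00:02Z type=wmi_query image=C:\Windows\System32\wbem\WmiPrvSE.exe query="SELECT * FROM Win32_OperatingSystem"',
    r'ts=2024-01-01T10:00:05Z type=task_created image=C:\Users\u\AppData\Roaming\svc.exe task=\Updater interval_minutes=3',
    r'ts=2024-01-01T10:00:06Z type=task_created image=C:\Windows\System32\svchost.exe task=\Microsoft\Windows\Defrag\ScheduledDefrag interval_minutes=10080',
    'ts=2024-01-01T10:03:10Z type=http_post dest=198.51.100.7 body=' + 'a1' * 750,
    'ts=2024-01-01T10:03:11Z type=http_post dest=203.0.113.9 body=user=alice&action=login',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_BODY_RE = re.compile(r'^(?:[0-9a-fA-F]{2})+$')  # whole bytes in hex, nothing else
MAX_BLOCK_BYTES = 1500   # exfiltration block size reported for OopsIE
TASK_INTERVAL_MIN = 3    # scheduled-task repetition interval reported for OopsIE


@dataclass
class Finding:
    technique: str
    reason: str
    event: str


def parse_event(line: str) -> dict:
    """Parse one constructed key=value line into a dict of strings."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def check_event(ev: dict, raw: str) -> list:
    """Apply the three OopsIE-derived rules to one parsed event."""
    hits = []
    kind = ev.get("type")
    if kind == "wmi_query" and "msacpi_thermalzonetemperature" in ev.get("query", "").lower():
        hits.append(Finding("T1497.001", "WMI thermal-zone query used as an anti-VM check", raw))
    if kind == "task_created" and ev.get("interval_minutes") == str(TASK_INTERVAL_MIN):
        hits.append(Finding("T1053.005", "scheduled task repeating every three minutes", raw))
    if kind == "http_post":
        body = ev.get("body", "")
        if HEX_BODY_RE.match(body) and len(body) <= MAX_BLOCK_BYTES:
            hits.append(Finding("T1132.001", f"hex-only POST body of {len(body)} bytes", raw))
    return hits


def scan(lines) -> list:
    """Run every rule over every line; findings come back in input order."""
    findings = []
    for raw in lines:
        findings.extend(check_event(parse_event(raw), raw))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.technique, "-", f.reason)
```

On the sample input the script flags exactly the three malicious events and leaves the benign WMI query, the weekly defrag task and the form-encoded POST alone. In production none of these rules is a verdict on its own: hardware-monitoring tools also read MSAcpi_ThermalZoneTemperature, so the WMI rule should be scored together with the issuing process path and parent, and the hex-body rule is a triage heuristic that pairs naturally with the 1500-byte block size and the beacon cadence rather than standing alone.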
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |
References
1. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
2. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.