The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.
A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.
The first attack occurred on January 8, 2018, and started with two emails being sent to two different email addresses at the same organization within a six minutes time span. Both messages originated from an email address associated with the Lebanese domain of a major global financial institution, but researchers from Palo Alto Networks believe the email address was spoofed.
On January 16, OilRig targeted an organization that it had also hit a year ago. The OopsIE Trojan was downloaded from the command and control (C&C) server directly, suggesting that the server was being used for staging as well. It also suggests that group might have changed tactics after the targeted organization took measures to counter known OilRig TTPs following last year’s incident.
The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image to lower suspicion, although it is a fake error message.
The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.
Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.
“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon,” the researchers explain.
The Trojan extracts and loads an embedded assembly by concatenating the contents of two resources, a technique the OilRig group was already known to employ.
Based on responses received from the server, the Trojan can run a command, upload a file, or download a specified file.
In addition to the use of the ThreeDollars delivery document, the newly observed attacks overlap with previous incidents involving the OilRig group in that they use the C&C domain msoffice365cdn[.]com. The researchers also linked the domain’s registrant to the office365-management[.]com and office365-technical[.]info domains and believe the OilRig group is behind all of them. The IP msoffice365cdn[.]com resolves to was also associated with the group.
“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.