Iran-linked 'OilRig' targeting Middle Eastern government, improves Oopsie Trojan's evasion techniques

• Palo Alto Network's Unit 42 observed the group deploying a new variant of their OopsIE Trojan that comes with new anti-analysis and anti-virtual machine capabilities.
• The OilRig has remained a persistent threat group in the region that leverages the same tactics to target victims, but constantly updates their tools in new campaigns.

The Iran-linked OilRig group is continuously evolving and updating their tools and tactics in attacks targeting government agencies in the Middle East. Palo Alto Network's Unit 42 has observed the group deploying a new variant of their OopsIE Trojan that comes with new evasion techniques including anti-analysis and anti-virtual machine capabilities.

The new OopsIE variant is deployed via a spear phishing email that includes a social engineering lure designed to trick the victim into executing a malicious attachment.

Unit 42 observed a string of OilRig attacks in July targeting an unidentified Middle Easten government agency to deliver a tool called Quadagent. Researchers noted the group was also using additional compromised email accounts belonging to the government organization to distribute spear phishing emails that deployed the OopsIE Trojan as well.

"The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering Quadagent," Unit 42 wrote in a technical breakdown of the new OilRig campaign. "The email subject was in Arabic, which translated to 'Business continuity management training'.

"Based on open source data collection, it appears the targeted group had publicly published several documents regarding business continuity management on the Internet, indicating the lures were purposefully crafted for this specific attack."

New evasion techniques and checks

Once successfully executed on a targeted system, the new OopsIE variant first performs multiple anti-VM and sandbox checks including a fan, temperature, hard disk, mother board and human interaction check. If it happens to detect any relevant software or behavior, the Trojan exits without running any code.

Although most of these evasion techniques and checks have been observed in other malware families, this was the first time researchers noticed a CPU fan check. Meanwhile, the CPU temperature check has been previously observed in GravityRAT, a malware that checks the temperature of a system to detect the presence of a virtual machine and sidestep further analysis by researchers.

The OopsIE Trojan also performs a time zone check and will not execute its functional code if the system does not have a specific time zone set. The Trojan checks if the TimeZone.CurrentTimeZone.DaylightName property matches one of five time zones that encompass 10 countries in the Middle East region.

"The fact that the Trojan will not operate on systems that are not configured with these time zones suggests that this is a highly targeted attack focused on a specific subset of target nations," researchers said.

Constant and persistent threat in the region

Unit 42 believes the OilRig will continue to be a persistent threat group in the Middle East region, continuously expanding and upgrading their cyber arsenal whilst still using the same techniques to target victims.

"Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells," researchers said. "This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time. However, the tactics they continue to deploy are generally unsophisticated, and simple security hygiene would help organizations protect themselves against this threat."