Iranian hacker group OilRig uses new Trojan OopsIE in recent attacks

Researchers at Unit 42, the Palo Alto Networks threat intelligence unit, recently discovered that OilRig, a hacker group associated with Iran, is using a new Trojan called “OopsIE.” An insurance agency in the Middle East and a financial institution became the latest attack targets.

Unit 42 pointed out that OilRig has been attacking targets in Israel, the Middle East, and other countries since at least 2015. It has created a fake VPN portal to distribute malware carrying legitimate digital signatures, targeting government agencies in Saudi Arabia, Israel, the UAE, Lebanon, Kuwait, Qatar, the United States and Turkey, as well as financial institutions, post offices and technology companies.

The attack on the insurer took place on January 8. OilRig sent two different emails to the agency within a six-minute period, both with the subject “Beirut Insurance Seminar Invitation.”

OilRig used different sender addresses to play two different roles and so increase credibility. Judging by the domains, both messages came from e-mail addresses associated with the Lebanese domain names of major global financial institutions.

The email includes an attachment called “Seminar-Invitation.doc”, a malicious Microsoft Word document that was tracked as “ThreeDollars” by Unit 42 in August 2017. After analyzing this document, the researchers found a new payload and named it “OopsIE.”


In a January 16 attack, OilRig did not use the ThreeDollars document again but instead attempted to reach victims directly through links in emails. In this case, the Trojan was downloaded directly from the command and control (C&C) server.

Another interesting aspect of this attack is that the financial institution had already been a victim of an OilRig attack a year earlier, in January 2017. This repeated attack may indicate that OilRig has lost its foothold in the target organization, or that the target organization is of higher value to the attackers.

Unit 42 said OilRig remains a hacking group active in the Middle East that poses a serious threat to national security in the region. Not only that, but the organization continues to grow and develop. In Unit 42’s observation, OilRig has deployed a number of more sophisticated hacking tools. These tools are often variations of ones OilRig has used before, and although the tools have evolved over time, the form of the attacks remains fairly constant across each monitoring cycle.

Source: paloaltonetworks