OopsIE

Malware Profile Updated 2 months ago
OopsIE is a Trojan that has been used in attack campaigns against a range of organizations, including government agencies. On execution it first runs a series of anti-VM and sandbox checks to evade security tooling; one of these checks issues a system query and treats a result of more than 0 elements as evidence that it is running inside a virtual machine. This variant also uses the output of the 'whoami' command as a parameter in the URL it sends to its command and control (C2) server, whereas previous versions used the hostname and username taken from environment variables. In August 2023, OopsIE was notably implicated in an automated copyright strike incident involving YouTubers and Guinness World Records, as reported by Techdirt. In a later wave of attacks, the OilRig group used compromised email accounts inside a targeted government organization to send spear-phishing emails that delivered the OopsIE Trojan as the payload instead of the QUADAGENT malware. OopsIE's C2 communication resembles that of earlier variants, and it relies heavily on a scheduled task that attempts to run the Trojan every three minutes to keep it executing. Palo Alto Networks states that its customers are protected from the OilRig campaign and the OopsIE malware, though the means are not specified. The command handler is similar to the previous version's and contains the same three commands, one of which lets the actor uninstall the OopsIE Trojan from the system. Customers can track this Trojan with the OopsIE tag in AutoFocus, Palo Alto Networks' threat intelligence service. Despite OopsIE's evasion techniques, work on effective defenses against it continues.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Phishing
Payload
Sandbox
Associated Malware
ID | Type | Votes | Profile Description
QUADAGENT | Unspecified | 1 | In July 2018, a series of cyber-attacks orchestrated by the OilRig group targeted a Middle Eastern government agency, delivering a harmful tool known as QUADAGENT. This malware is a PowerShell backdoor attributed to the OilRig group by both ClearSky Cyber Security and FireEye. The attacks were execu
Associated Threat Actors
ID | Type | Votes | Profile Description
OilRig | Unspecified | 1 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the OopsIE malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Leftover Links 12/08/2023: More Microsoft Security Breaches
MITRE | a year ago | OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE