Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент OopsIE
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
OopsIE
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)
ID: S0264
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 Oct 2018
Last Modified: 30 Mar 2020

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OopsIE uses HTTP for C2 communications.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

OopsIE compresses collected files with GZipStream before sending them to its C2 server.(Citation: Unit 42 OopsIE! Feb 2018)
.003 Archive Collected Data: Archive via Custom Method

OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.(Citation: Unit 42 OopsIE! Feb 2018)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

OopsIE uses the command prompt to execute commands on the victim's machine.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)
.005 Command and Scripting Interpreter: Visual Basic

OopsIE creates and uses a VBScript as part of its persistent execution.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)

Enterprise T1132 .001 Data Encoding: Standard Encoding

OopsIE encodes data in hexadecimal format over the C2 channel.(Citation: Unit 42 OopsIE! Feb 2018)
Enterprise T1074 .001 Data Staged: Local Data Staging

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.(Citation: Unit 42 OopsIE! Feb 2018)
Enterprise T1070 .004 Indicator Removal: File Deletion

OopsIE has the capability to delete files and scripts from the victim's machine.(Citation: Unit 42 OilRig Sept 2018)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.(Citation: Unit 42 OopsIE! Feb 2018)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

OopsIE creates a scheduled task to run itself every three minutes.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.(Citation: Unit 42 OilRig Sept 2018)

Groups That Use This Software
ID Name References
G0049 OilRig

(Citation: Unit 42 OopsIE! Feb 2018)

References

  1. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  2. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.