OopsIE is a Trojan used by [OilRig] to remotely execute commands as well as upload/download files to/from victims. It uses WMI to perform discovery techniques, can upload files from the victim's machine to its C2 server, uses HTTP for C2 communications, has the capability to delete files and scripts from the victim's machine, and uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2. It exfiltrates command output and collected files to its C2 server in 1500-byte blocks.
OopsIE can also download files from its C2 server to the victim's machine. It creates a scheduled task to run itself every three minutes. It creates and uses a VBScript as part of its persistent execution. It performs several anti-VM and sandbox checks on the victim's machine.
OopsIE Malware Capabilities:
OopsIE may use Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. OopsIE may communicate using application layer protocols associated with web traffic to avoid detection and network filtering by blending in with existing traffic. OopsIE may delete files left behind by its intrusion activity.
OopsIE may perform software packing or virtual machine software protection to conceal its code. OopsIE may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. OopsIE may stage collected data in a central location or directory on the local system prior to Exfiltration. It may exfiltrate data in fixed-size chunks instead of whole files, or limit packet sizes below certain thresholds. OopsIE may use various techniques to evade detection, such as the anti-VM and sandbox checks noted above.
- OopsIE is malware that may abuse Windows Management Instrumentation to execute malicious commands and payloads. It may also steal data by exfiltrating it over an existing command and control channel.
- OopsIE may delete files, or perform software packing or virtual machine software protection to conceal its code, in order to avoid detection. It may also gather system time and/or time zone information from a local or remote system.
- OopsIE may encode data using a standard data encoding system to make the content of command and control traffic more difficult to detect. Data may be staged in a central location or directory on the local system prior to Exfiltration. Data may be exfiltrated in fixed-size chunks instead of whole files, or packet sizes may be limited below certain thresholds.
- OopsIE may use the Windows command prompt to control various aspects of a system, and may use obfuscated files or information to hide its tracks. It may also attempt to gather system information to help shape follow-on behaviors.
- OopsIE may transfer tools or other files from an external system into a compromised environment. This may be done through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within a compromised environment. OopsIE may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. OopsIE may abuse Visual Basic for execution.
Ways to Mitigate OopsIE Malware Attack Capabilities
- OopsIE malware attacks can be mitigated in several ways, including monitoring network traffic for WMI connections, process monitoring to capture command-line arguments of "wmic", and analyzing network data for uncommon data flows. By doing these things, it is possible to detect suspicious activity that may be indicative of an OopsIE malware attack.
- The OopsIE malware attack can be mitigated by monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Another good practice is to use file scanning to look for known software packers or artifacts of packing techniques.
- OopsIE malware attacks can also be mitigated by analyzing network data for uncommon data flows, and by monitoring publicly writeable directories, central locations, and commonly used staging directories for compressed or encrypted data that may be indicative of staging.
- The OopsIE malware attack can be mitigated by restricting the usage of the Windows command shell, detecting the action of deobfuscating or decoding files or information, and monitoring system and network discovery activity.
- The OopsIE malware attack can be mitigated by monitoring for suspicious processes, detecting the use of common utilities such as the Task Scheduler and script hosts, and monitoring for custom archival methods.
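A defender-side illustration of the monitoring items above, added here as an example rather than code from the original page or from any OilRig tooling: it runs three of the listed checks (wmic command lines, a scheduled task that fires every few minutes and launches a VBScript, and repeated outbound POSTs of exactly 1500 bytes) over constructed process and HTTP records. The field names, thresholds and sample events are assumptions about how a SIEM might normalise such telemetry.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real OopsIE logs): process-creation
# events and outbound HTTP request records, as a SIEM might normalise them.
PROCESS_EVENTS = [
    {"host": "ws01", "cmdline": "wmic computersystem get manufacturer,model"},
    {"host": "ws01", "cmdline": 'schtasks /create /sc minute /mo 3 /tn Upd '
                                '/tr "wscript.exe C:\\Users\\u\\AppData\\Roaming\\a.vbs"'},
    {"host": "ws02", "cmdline": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
    {"host": "ws02", "cmdline": "notepad.exe report.txt"},
]
HTTP_EVENTS = (
    [{"host": "ws01", "dst": "203.0.113.5", "method": "POST", "bytes_out": 1500}] * 6
    + [{"host": "ws01", "dst": "203.0.113.5", "method": "POST", "bytes_out": 412}]
    + [{"host": "ws02", "dst": "203.0.113.9", "method": "POST", "bytes_out": 1500}]
)

# wmic invoked by name or by full path (the "wmic" command-line check).
WMIC_RE = re.compile(r"(^|[\\\s\"])wmic(\.exe)?\b", re.IGNORECASE)
# schtasks run with a minute-based schedule; group 1 is the interval in minutes.
MINUTE_TASK_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.IGNORECASE)
# A script host launching a .vbs file (the VBScript persistence step).
VBS_RE = re.compile(r"[wc]script(\.exe)?\s+\"?[^\"]*\.vbs", re.IGNORECASE)


def wmi_discovery(events):
    """Process events whose command line invokes wmic (WMI-based discovery)."""
    return [e for e in events if WMIC_RE.search(e["cmdline"])]


def short_interval_vbs_tasks(events, max_minutes=5):
    """schtasks registrations that fire every few minutes and launch a .vbs file."""
    hits = []
    for e in events:
        cl = e["cmdline"]
        m = MINUTE_TASK_RE.search(cl)
        if "schtasks" in cl.lower() and m and int(m.group(1)) <= max_minutes \
                and VBS_RE.search(cl):
            hits.append(e)
    return hits


def fixed_size_exfil(events, chunk=1500, min_chunks=5):
    """(host, dst) pairs that sent at least min_chunks POST bodies of exactly chunk bytes."""
    counts = Counter((e["host"], e["dst"]) for e in events
                     if e["method"] == "POST" and e["bytes_out"] == chunk)
    return sorted(pair for pair, n in counts.items() if n >= min_chunks)
```

The chunk-size check is deliberately strict (exact 1500-byte bodies); in practice the same grouping can be applied to any uniform body size to catch fixed-size exfiltration more generally.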