The OilRig group is back, using a reboot of the OopsIE trojan to pump information from its favorite resource: entities in the Middle East region.
OilRig, which is also called Cobalt Gypsy, Crambus, Helix Kitten or PT34, is suspected of having ties to Iran. The group was identified in 2015 and is believed to be linked to the Iranian Intelligence agency and the Islamic Revolutionary Guard Corps (IRGC). They’re known for attacking energy, financial, aviation, infrastructure, government and university organizations, primarily in the Middle East.
The group has a history of not reinventing the wheel. It tends to use new iterations of previously identified tools and tactics to carry out its activities, according to Palo Alto’s Unit 42. That’s the case in the latest effort, which Unit 42 uncovered while investigating a separate spear phishing campaign.
While looking at the first effort, the firm discovered a second campaign going after a different governmental entity in the same country — mounted from the same infrastructure. This secondary email, written in Arabic, uses a “business continuity management training” lure in the subject line, which looked to be the result of reconnaissance work. The targeted organization had publicly published several documents regarding that exact subject on the web.
The email contained a malicious attachment that Palo Alto identified as a variant of the data-exfiltration OopsIE trojan, first identified in February 2018. However, the new version has been significantly enhanced with better stealth measures.
“In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems,” the researchers explained in an analysis posted Tuesday. They added that after going through a series of anti-VM and sandbox checks, if any are successful, the trojan will exit without running any of its functional code.
Further interesting enhancements include a CPU temperature check used by GravityRAT to enhance stealth, and a time-zone check; in the latter, the trojan aborts its mission if the system does not have a specific time zone set that corresponds to Iran, Israel, Saudi Arabia or a handful of other locations in the Middle East, indicating a high degree of targeting.
The move marks an advancement in sophistication for OilRig, which started off as a fairly unsophisticated player before going on to become a top APT active in the Mideast, according to researchers. It’s carried out some very interesting attacks, such as the one using a persona named Mia Ash, who was used to catfish men working in desirable positions at energy-sector firms with the goal of dropping the PupyRAT remote access tool onto their unsuspecting desktops.
“The OilRig group remains a persistent adversary in the Middle East region,” Unit 42 researchers said. “They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again. Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time.”