Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | 
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | OopsIE compresses collected files with GZipStream before sending them to its C2 server.[1]
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OopsIE uses the command prompt to execute commands on the victim's machine.[1][2]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | OopsIE creates and uses a VBScript as part of its persistent execution.[1][2]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | OopsIE encodes data in hexadecimal format over the C2 channel.[1]
Enterprise | T1074.001 | Data Staged: Local Data Staging | OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[1]
Enterprise | T1030 | Data Transfer Size Limits | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | OopsIE concatenates, then decompresses, multiple resources to load an embedded .Net Framework assembly.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | OopsIE can upload files from the victim's machine to its C2 server.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | OopsIE has the capability to delete files and scripts from the victim's machine.[2]
Enterprise | T1105 | Ingress Tool Transfer | OopsIE can download files from its C2 server to the victim's machine.[1][2]
Enterprise | T1027 | Obfuscated Files or Information | OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing it to files on disk, and obfuscates strings.[1][2]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[1]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | OopsIE creates a scheduled task to run itself every three minutes.[1][2]
Enterprise | T1082 | System Information Discovery | OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[2]
Enterprise | T1124 | System Time Discovery | OopsIE checks whether the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[2]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query
Enterprise | T1047 | Windows Management Instrumentation | 
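
The rows for T1560.001 (GZipStream compression), T1132.001 (hexadecimal encoding) and T1030 (1500-byte blocks) describe a data-handling chain that an analyst has to reverse when working with captured C2 bodies. The following is an added example, not OopsIE's code and not code from the cited reports: it assumes the order compress, then hex-encode, then split into blocks (the page names the three steps but not their order), uses constructed sample data, and shows the sender-side chain beside the analyst-side reassembly plus two triage heuristics for recognising such blocks in traffic.

```python
import binascii
import gzip
import hashlib

BLOCK_SIZE = 1500  # block size named in the T1030 row above


def stage_for_exfil(data):
    """Compress with gzip, hex-encode, split into BLOCK_SIZE-byte blocks.

    The compress -> hex -> chunk ordering is an assumption made for this
    example; the page names the three steps but not their order.
    """
    compressed = gzip.compress(data, mtime=0)   # GZipStream-style output
    encoded = binascii.hexlify(compressed)      # lowercase ASCII hex
    return [encoded[i:i + BLOCK_SIZE] for i in range(0, len(encoded), BLOCK_SIZE)]


def reassemble_from_blocks(blocks):
    """Analyst-side inverse: join the blocks in order, hex-decode, gunzip."""
    return gzip.decompress(binascii.unhexlify(b"".join(blocks)))


def is_hex_block(block):
    """True if a captured body is pure ASCII hex of even length, as this chain produces."""
    return (len(block) > 0 and len(block) % 2 == 0
            and all(c in b"0123456789abcdefABCDEF" for c in block))


def starts_gzip_stream(block):
    """True if the block begins with the gzip magic (1f 8b) in hex, i.e. it is the
    first block of a message rather than a continuation block."""
    return is_hex_block(block) and block[:4].lower() == b"1f8b"


# Constructed sample input: 2048 bytes of deterministic pseudo-random data, so
# gzip cannot shrink it and the hex output spans several blocks.
SAMPLE_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    blocks = stage_for_exfil(SAMPLE_DATA)
    print(f"{len(blocks)} blocks; first block starts a gzip stream: {starts_gzip_stream(blocks[0])}")
    assert reassemble_from_blocks(blocks) == SAMPLE_DATA
```

Blocks after the first carry no gzip header, so a capture that only contains continuation blocks will not decode; `starts_gzip_stream` is the check that tells you whether you have the start of the message or need to look for an earlier request.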
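
The T1053.005 and T1059.005 rows together describe a persistence pattern (a scheduled task firing every three minutes that runs a VBScript) that is straightforward to hunt in Windows Security event 4698, whose TaskContent field carries the task definition XML. The following is an added detection example, not code from the cited reports: the sample events, task names and paths are constructed for this illustration, and the five-minute threshold and the script-host list are choices made here, not indicators taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Thresholds and indicators are choices made for this example, not from the cited reports.
MAX_INTERVAL_SECONDS = 300             # flag repetition at five minutes or faster
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# ISO-8601 duration as written in task-scheduler XML, e.g. PT3M, P1D, PT1H30M
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def interval_seconds(duration):
    """Convert a task-scheduler ISO-8601 duration to seconds; None if unparsable."""
    m = _DURATION.match(duration.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _local(tag):
    # strip the task-scheduler XML namespace so lookups do not depend on it
    return tag.rsplit("}", 1)[-1]


def _texts(root, name):
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]


def assess_task(task_name, task_xml):
    """Assess one task definition (the TaskContent of event 4698)."""
    root = ET.fromstring(task_xml)
    intervals = [s for s in (interval_seconds(t) for t in _texts(root, "Interval")) if s is not None]
    commands = [c.lower() for c in _texts(root, "Command")]
    arguments = [a.lower() for a in _texts(root, "Arguments")]

    short = bool(intervals) and min(intervals) <= MAX_INTERVAL_SECONDS
    script_host = any(c.replace("/", "\\").rsplit("\\", 1)[-1] in SCRIPT_HOSTS for c in commands)
    vbs = any(".vbs" in v for v in commands + arguments)

    reasons = []
    if short:
        reasons.append(f"repeats every {min(intervals)}s")
    if script_host:
        reasons.append("action runs a Windows script host")
    if vbs:
        reasons.append("action references a .vbs file")
    # Short repetition alone is common (monitoring agents); require it together with a script indicator.
    return {"task": task_name, "suspicious": short and (script_host or vbs), "reasons": reasons}


def flagged_tasks(events):
    """Return the names of tasks judged suspicious from (task_name, task_xml) pairs."""
    return [f["task"] for f in (assess_task(n, x) for n, x in events) if f["suspicious"]]


# Constructed sample events (hypothetical names and paths): one OopsIE-like task,
# one nightly backup, and one benign agent that also repeats every five minutes.
_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_EVENTS = [
    ("\\ExampleUpdater", r"""<Task %s>
  <Triggers><TimeTrigger>
    <StartBoundary>2018-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT3M</Interval></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>wscript.exe</Command>
    <Arguments>C:\Users\Public\update.vbs</Arguments>
  </Exec></Actions>
</Task>""" % _NS),
    ("\\Backup\\Nightly", r"""<Task %s>
  <Triggers><CalendarTrigger>
    <StartBoundary>2018-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec></Actions>
</Task>""" % _NS),
    ("\\Agent\\Heartbeat", r"""<Task %s>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Agent\agent.exe</Command><Arguments>--ping</Arguments></Exec></Actions>
</Task>""" % _NS),
]

if __name__ == "__main__":
    for name, xml in SAMPLE_EVENTS:
        print(assess_task(name, xml))
```

Requiring the short interval together with a script indicator keeps the rule quiet on the heartbeat-style tasks that legitimate agents create; to widen it, add other LOLBin hosts (mshta.exe, powershell.exe) to SCRIPT_HOSTS and review the resulting volume before deploying it.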
ID | Name | References
---|---|---
G0049 | OilRig | 