OopsIE - The Three Dollar Computer Infection

Best Virus Cleaner Online
3 min read · May 24, 2018


OopsIE is a malicious program that seeks a backdoor entry into the targeted system or network. Trojans of this kind rely on unsuspected attachments or programs and are mainly sent via email. Downloading or opening these attachments executes the hidden Trojan program.

OopsIE, a vicious Trojan, was deployed by the Iran-linked cyber-espionage group ‘OilRig’. The malware was designed to target Middle Eastern government organizations and financial and educational institutions in particular.

Its sole purpose was to infiltrate the systems of the targeted organizations to gain remote access and transfer or modify sensitive information. However, in each of these attacks the Trojan was delivered to the victim in a different way. Let us look at the attacks in detail.

How is the Trojan injected into the system?

Trojans mainly target information stored on the hard drive, whether the OS loader or user-specific files; once a Trojan is designed against such a target, the outcome can go badly awry. Cybercriminals use them deliberately to destroy OS loaders and to remotely access and steal sensitive user information.

The Trojan was used in two attacks: the first, on an insurance company in the Middle East, was executed on January 8, 2018. The second was observed a week later, on January 16, 2018, targeting Middle East financial institutions.

Three Dollar Delivery Document: The ThreeDollar document is a malicious email attachment that tricks the user into enabling a malicious macro, which installs and executes the payload, named OopsIE, on the system. The malicious activity runs behind a decoy image that is displayed to keep the victim from suspecting anything.

This was the first variant of the OopsIE Trojan, used in the first attack against the insurance company in the Middle East. The Trojan was disguised as a Word document attached to a spam email. Two emails were delivered within a span of 6 minutes to two different addresses with the subject ‘Beirut Insurance Seminar Invitation’. Downloading this malicious attachment paved the way for the Trojan's infiltration and its theft of user information.

Link in the phishing email: The second attack, against Middle East financial institutions, used a link in the phishing email which, when clicked, delivered the Trojan onto the system to carry out malicious activities.

The Malware proliferation mechanism

To run on a system, the Trojan first creates a VBScript file and a scheduled task that runs it every three minutes. OopsIE communicates with its C&C server over HTTP using the Internet Explorer application object, so that the requests look as if they came from a legitimate browser.
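The persistence pattern described above (a VBScript launched by a scheduled task every three minutes) is something a defender can hunt for in exported Task Scheduler XML, such as the output of `schtasks /query /xml` or the TaskContent of Event ID 4698. The following Python is an added example, not part of the original post and not an OopsIE artifact; the two task XML samples and their paths are constructed, and the five-minute threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /xml output, Event ID 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def duration_minutes(value):
    """ISO 8601 duration (PT3M, P1DT2H) to minutes; None if it does not parse."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def task_indicators(task_xml, max_minutes=5):
    """Collect the two traits described above: a script-host action and a short repeat interval."""
    # Exported task files are UTF-16; if the caller already decoded them, drop the declaration.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml) if isinstance(task_xml, str) else task_xml
    root = ET.fromstring(task_xml)
    script_actions, short_intervals = [], []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().strip('"').lower()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip().lower()
        if cmd.rsplit("\\", 1)[-1] in SCRIPT_HOSTS or ".vbs" in args:
            script_actions.append(f"{cmd} {args}".strip())
    for node in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = duration_minutes(node.text)
        if mins is not None and mins <= max_minutes:  # threshold is an assumption
            short_intervals.append(node.text.strip())
    return {"script_actions": script_actions, "short_intervals": short_intervals}

def is_oopsie_like(task_xml, max_minutes=5):
    """Alert only when both traits coincide; either one alone is common in legitimate tasks."""
    ind = task_indicators(task_xml, max_minutes)
    return bool(ind["script_actions"] and ind["short_intervals"])

# Constructed sample (not a real OopsIE artifact): wscript runs a .vbs every three minutes.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2018-01-08T09:00:00</StartBoundary>
    <Repetition><Interval>PT3M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>"C:\\Users\\Public\\constructed-sample.vbs"</Arguments></Exec></Actions></Task>"""
# Constructed benign task: a daily PowerShell backup with no repetition interval.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2018-01-08T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-File C:\\Scripts\\backup.ps1</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    print({n: is_oopsie_like(x) for n, x in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK))})
```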

Once installed, the Trojan supports three commands on the infected system: run a command, upload a file, or download a specified file.

Users are therefore advised to be cautious and, if possible, install a trusted anti-malware tool to raise the level of system security.

Threat Summary

  1. Name: OopsIE
  2. Browsers Affected: Google Chrome, Internet Explorer, Mozilla Firefox
  3. Targeted Operating System: Windows
  4. Category: Trojan
  5. Symptoms: OopsIE operates silently in the background to steal sensitive user information from the system. The virus impacts system performance and renders it slow.
