OopsIE

The OopsIE trojan was first discovered in January 2018 by Palo Alto Networks after the threat group “OilRig” deployed it in two attacks: one against an insurance agency based in the Middle East and, a week later, another against a Middle Eastern financial institution. The trojan was delivered to victims differently in each case. To run on the system, the trojan first creates a VBScript file that contains a path to an executable. A scheduled task runs the executable every 3 minutes. The trojan communicates with its C2 server over HTTP, using Internet Explorer so that the requests look as if they came from a legitimate browser. Once this connection is made, the trojan can run three commands on the infected system: Run Command, Upload a file, and Download a specified file.

January 8, 2018: This operation targeted a Middle East-based insurance company, delivering the OopsIE trojan via a variant of the ThreeDollars delivery document. The ThreeDollars document is a malicious file sent in an email that tricks the receiver into clicking the “Enable Content” button, thereby executing a malicious macro that silently installs and executes the payload on the system. To avoid arousing the victim's suspicion, a decoy image is displayed on the screen while the malicious activity runs in the background. In the case of the insurance company, the OilRig threat group sent two emails to two different addresses within six minutes of each other with the subject Beirut Insurance Seminar Invitation. The ThreeDollars malicious Word document was attached to these emails with the name Seminar-Inivitation.doc. Within seconds after the document is opened and enabled by the receivers, and seconds after the decoy image is displayed, a fake error message saying “NullRefrenceException! Error has occurred in the user32.dll by 0x32ef212” is shown on the screen. The message hides a macro running in the background that searches the malicious document for the delimiter ###$$$ and writes the text that follows it to the file %APPDATA%\Base.txt. After about one minute, the macro runs a scheduled task it created called SecurityAssist, which is responsible for running a command that decodes the Base.txt file and saves it to %PROGRAMDATA%\IntelSecurityAssistManager.exe, which contains the OopsIE trojan.

January 16, 2018: This operation, which targeted a Middle Eastern financial institution, differed from the threat group's previous attack attempts in that it did not use the ThreeDollars delivery document. Instead, the attack attempted to deliver the OopsIE trojan via a malicious link provided in a phishing email. When the link is clicked, the trojan is downloaded from its C2 server to the system.
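
The host artifacts named in the January 8 chain (Base.txt, the SecurityAssist task, IntelSecurityAssistManager.exe) and the three-minute execution cadence can be correlated per host in endpoint telemetry. The following is an added example, not part of the original profile or of Palo Alto Networks' analysis; the event tuple layout, the 30-second tolerance and the sample hosts are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Indicators from the profile above, lower-cased for case-insensitive matching.
BASE_TXT = r"\appdata\roaming\base.txt"                   # %APPDATA%\Base.txt
PAYLOAD = r"\programdata\intelsecurityassistmanager.exe"  # %PROGRAMDATA% drop
TASK_NAME = "securityassist"
BEACON_SECONDS, TOLERANCE = 180, 30  # 3-minute task; tolerance is assumed

def stage_of(kind, value):
    """Map one normalized event (hypothetical schema) to an infection stage."""
    value = value.lower()
    if kind == "task_create":
        return "task" if value.lstrip("\\") == TASK_NAME else None
    if kind == "file_create" and value.endswith(BASE_TXT):
        return "drop"
    if value.endswith(PAYLOAD):
        return {"file_create": "payload", "process_create": "exec"}.get(kind)
    return None

def triage(events):
    """Return {host: {"stages": [...], "periodic": bool}} for hosts with hits."""
    hits = defaultdict(list)
    for host, ts, kind, value in events:
        stage = stage_of(kind, value)
        if stage:
            hits[host].append((stage, datetime.fromisoformat(ts)))
    report = {}
    for host, found in hits.items():
        times = sorted(t for s, t in found if s == "exec")
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and all(abs(g - BEACON_SECONDS) <= TOLERANCE for g in gaps)
        report[host] = {"stages": sorted({s for s, _ in found}), "periodic": periodic}
    return report

# Constructed sample events (host, timestamp, kind, value); not real telemetry.
EXE = r"C:\ProgramData\IntelSecurityAssistManager.exe"
SAMPLE = [
    ("WS-01", "2018-01-08T09:00:05", "file_create", r"C:\Users\a\AppData\Roaming\Base.txt"),
    ("WS-01", "2018-01-08T09:00:09", "task_create", r"\SecurityAssist"),
    ("WS-01", "2018-01-08T09:01:10", "file_create", EXE),
    ("WS-01", "2018-01-08T09:01:12", "process_create", EXE),
    ("WS-01", "2018-01-08T09:04:12", "process_create", EXE),
    ("WS-01", "2018-01-08T09:07:15", "process_create", EXE),
    ("WS-02", "2018-01-08T10:00:00", "file_create", r"C:\Temp\Base.txt"),
    ("WS-03", "2018-01-08T11:00:00", "task_create", r"\SecurityAssist"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host showing all four stages with periodic execution matches the full chain described above; a single stage on its own, such as the task name on WS-03, is a lead to investigate and not a confirmation.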

Technical Details

  • Palo Alto Networks provides a detailed analysis of the OopsIE Trojan here.