#1228099: OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE - Additional IOCs

Description: The OilRig group continues its persistent attacks against government entities in the Middle East using previously identified tools and tactics. As in earlier campaigns, the tooling is not an exact copy of what was used before but an iterative variant. In this instance a spear-phishing email carried a lure designed to socially engineer the victim into executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan first documented in February 2018. In this iteration the general functionality of OopsIE is largely unchanged, but anti-analysis and anti-virtual-machine checks have been added so that the sample can evade automated defensive systems such as sandboxes.
Reference:
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
First Aid: IOCs:

FileHash-SHA256  055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9
FileHash-SHA256  36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23
FileHash-SHA256  6b240178eedba4ebc9f1c8b56bac02676ce896e609577f4fb64fa977d67c0761
FileHash-SHA256  9e8ec04e534db1e714159cc68891be454c2459f179ab1df27d7f89d2b6793b17
domain           defender-update.com
domain           windowspatch.com
More info: https://otx.alienvault.com/pulse/5b8fd9e9f401566ede5fa26d?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed
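A practical way to act on the indicators above is to sweep existing DNS and endpoint logs for them. The script below is an added example written for this alert; it is not code from AlienVault, Unit 42 or the OilRig report. It embeds the four SHA-256 hashes and two domains listed above, matches hashes case-insensitively, and treats any subdomain of a listed domain as a hit (but not a domain that merely ends in the same characters, such as notwindowspatch.com). The log lines, hostnames and file path are constructed for the demonstration and are not from the report.

```python
import re

# Indicators copied from the IOC list in this alert.
OILRIG_SHA256 = {
    "055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9",
    "36e66597a3ff808acf9b3ed9bc93a33a027678b1e262707682a2fd1de7731e23",
    "6b240178eedba4ebc9f1c8b56bac02676ce896e609577f4fb64fa977d67c0761",
    "9e8ec04e534db1e714159cc68891be454c2459f179ab1df27d7f89d2b6793b17",
}
OILRIG_DOMAINS = {"defender-update.com", "windowspatch.com"}

# A SHA-256 digest is exactly 64 hex characters; logs may print it in upper case.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostname-like tokens: dot-separated labels ending in an alphabetic TLD.
# This deliberately does not match IPv4 addresses or bare words.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I
)


def domain_matches(host, iocs):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    A suffix match is only accepted across a label boundary, so
    'notwindowspatch.com' does not match 'windowspatch.com'.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return a list of (indicator_type, indicator) hits found in one log line."""
    hits = []
    for digest in SHA256_RE.findall(line):
        if digest.lower() in OILRIG_SHA256:
            hits.append(("sha256", digest.lower()))
    for host in HOST_RE.findall(line):
        ioc = domain_matches(host, OILRIG_DOMAINS)
        if ioc is not None:
            hits.append(("domain", ioc))
    return hits


def scan_log(lines):
    """Return (line_number, hit) pairs for every IOC hit in the given lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample log lines (not real telemetry from the report).
SAMPLE_LOG = [
    r"2018-09-05T08:55:00Z dns query client=10.0.0.5 qname=update.defender-update.com rtype=A",
    r"2018-09-05T08:57:12Z edr file-create host=WS01 path=C:\Users\user\Downloads\attachment.doc "
    r"sha256=9E8EC04E534DB1E714159CC68891BE454C2459F179AB1DF27D7F89D2B6793B17",
    r"2018-09-05T08:58:40Z dns query client=10.0.0.7 qname=windowsupdate.microsoft.com rtype=A",
    r"2018-09-05T08:59:01Z dns query client=10.0.0.9 qname=notwindowspatch.com rtype=A",
    r"2018-09-05T09:01:33Z edr file-create host=WS02 path=C:\Users\user\report.pdf "
    r"sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    for line_no, (kind, value) in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} match on {value}")
```

Running the block against the constructed sample flags line 1 (a subdomain of defender-update.com) and line 2 (the upper-cased hash of one listed sample); the benign Microsoft domain, the look-alike notwindowspatch.com and the unrelated hash on line 5 are not reported.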

Date added Sept. 5, 2018, 8:55 p.m.
Source AlienVault
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs
  • APTs - Advanced Persistent Threats - New Reports
  • APTs - Iran - New Reports
  • Iran - APT34 / Helix Kitten / OilRig / Jason / IRN2 / QUADAGENT / TwoFace / Greenbug / CHRYSENE / PIPEFISH
  • Iran - OopsIE Trojan - Linked to Oilrig