Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 23/02/2018

Decoding OilRig's New Cyberthreat: How OopsIE Trojan Targeted Middle East Organizations

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malicious Macro, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

The OilRig threat group targeted organizations in the Middle East with spear-phishing emails carrying a malicious Microsoft Word document called ThreeDollars. The document delivered a new payload, the OopsIE Trojan, which in other cases was delivered directly rather than through the document. OilRig varied its delivery tactics because it had previously attacked one of the targeted organizations. The group also used password-protected documents as an evasion tactic. The OopsIE Trojan communicated with a C2 server and executed the commands it received.

Detected Targets

Type   | Description            | Confidence
Sector | Financial              | Verified
Sector | Insurance              | Verified
Region | Middle East Countries  | Verified

Extracted IOCs


Tip: 13 IOCs related to this threat have been found (3 IP, 4 domain, 0 URL, 2 email, 4 file hash).

Overlaps

OilRig | OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (three cases): 185[.]162.235.29, msoffice-cdn[.]com, office365-management[.]com

OilRig | Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

Source: Palo Alto Networks - October 2017

Detection (two cases): msoffice-cdn[.]com, office365-management[.]com

Greenbug | The Base64 Disguise: How GreenBug's Trojan ISMAgent Evades Detection

Source: ClearSky - August 2017

Detection (one case): msoffice-cdn[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the OopsIE Trojan Attack by OilRig

A threat group known as OilRig conducted targeted phishing attacks against Middle Eastern organizations, using a malicious Word document (ThreeDollars) and a newly identified Trojan called OopsIE.

The attack is attributed to OilRig, an Iranian state-linked APT group active since at least 2016 and known for targeting organizations in the Middle East.

The attackers aimed to gain long-term access to internal systems through backdoor trojans, allowing them to exfiltrate sensitive data and execute remote commands.

An insurance agency and a financial institution in the Middle East were specifically targeted. One of them had previously been attacked by the same group a year earlier.

The group sent phishing emails containing either a malicious document or a direct link to the Trojan. Once opened, the document tricked the user into enabling macros, which silently installed and executed the OopsIE Trojan.

The OopsIE Trojan connects to a remote command-and-control server, receives instructions, and can upload, download, or execute files. It maintains persistence on the host and disguises its communication by mimicking normal browser traffic.

Financial institutions and insurance companies often hold sensitive personal and economic data, making them attractive targets for espionage and strategic intelligence gathering.

This was a targeted attack, focusing on specific Middle Eastern entities, though the reuse of infrastructure suggests broader campaigns may be ongoing.

Use behavioral threat-detection tools, disable macros in Office documents by default, monitor outbound HTTP traffic for anomalies (including connections to the indicators listed above), and educate employees about phishing.