QUADAGENT

Malware updated 6 months ago (2024-05-05T05:18:05.126Z)
QUADAGENT is a PowerShell backdoor used by the OilRig group. It has been attributed to OilRig by both ClearSky Cyber Security and FireEye.

In July 2018, a series of attacks by OilRig targeted a Middle Eastern government agency. The attacks were delivered through spear-phishing emails carrying a delivery document with an initially unknown payload, which was later identified as QUADAGENT. The same QUADAGENT script payload seen in the ClearSky sample was identical to the one found in a bat2exe-wrapped version used against a technical services provider, and the final payload in all three attack waves was the PowerShell backdoor that other research organizations refer to as QUADAGENT.

Once executed, QUADAGENT used rdppath[.]com as its C2 domain, communicating first over HTTPS, then HTTP, then DNS tunneling, with each channel serving as a fallback if the previous one failed. To hinder analysis and evade detection, OilRig obfuscated the QUADAGENT code with the open-source tool Invoke-Obfuscation.

During the same period, OilRig also used additional compromised email accounts within the same government organization to send spear-phishing emails, this time delivering the OopsIE trojan instead of QUADAGENT. That OopsIE attack targeted a different organization within the same nation-state.

QUADAGENT's relationship to other OilRig tools and a detailed analysis are provided in the appendix at the end of the Palo Alto Networks blog. The QUADAGENT C2 domains are classified as malicious.
Description last updated: 2024-05-05T05:07:07.210Z
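The C2 fallback chain described above (HTTPS, then HTTP, then DNS tunneling to one domain) is the behaviour a defender can hunt for in proxy and DNS telemetry. The script below is an added example, not code from this page or from any of the cited reports: it runs over a handful of constructed log records (the host names, timestamps and record layout are made up for the example; only the rdppath[.]com domain comes from the description), flags contact with the known C2 domain, flags DNS queries whose leftmost label looks like encoded data, and flags any host whose contact order to a single domain matches the fallback chain. The entropy and length thresholds are assumptions, not values taken from the QUADAGENT analysis.

```python
"""Added example: hunt for a QUADAGENT-style C2 fallback chain
(HTTPS -> HTTP -> DNS tunneling) in constructed connection/DNS logs."""
import math
from collections import defaultdict

# Known C2 domain from the description (defanged rdppath[.]com expanded).
KNOWN_C2 = {"rdppath.com"}

# Constructed records: (timestamp, source host, channel, destination name).
# channel is one of "https", "http", "dns". This is not real telemetry.
SAMPLE_LOGS = [
    ("10:00:01", "ws-17", "https", "rdppath.com"),
    ("10:00:05", "ws-17", "http",  "rdppath.com"),
    ("10:00:09", "ws-17", "dns",   "4a6f6e2f7a3b9c1d5e6f.rdppath.com"),
    ("10:00:12", "ws-17", "dns",   "8e1f2a3b4c5d6e7f8091.rdppath.com"),
    ("10:01:00", "ws-03", "https", "update.example.com"),
    ("10:01:03", "ws-03", "dns",   "www.example.com"),
    ("10:02:00", "ws-22", "dns",   "mail.example.org"),
]


def registered_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the constructed data;
    a production pipeline should use a public-suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel_label(name: str, min_len: int = 16,
                            min_entropy: float = 3.0) -> bool:
    """Heuristic for data smuggled in the leftmost DNS label: long and
    high-entropy. Thresholds are assumed values, not from the report."""
    first = name.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def find_c2_fallback(logs):
    """Return a list of findings as tuples (kind, host, name_or_domain, detail).

    kinds: "known_c2"        contact with a listed C2 domain
           "dns_tunnel_like" DNS query with an encoded-looking first label
           "fallback_chain"  host contacted one domain over https, then
                             http, then dns, in that order
    """
    findings = []
    # (host, registered domain) -> channels in time order, repeats collapsed
    order = defaultdict(list)
    for ts, host, channel, name in sorted(logs):
        dom = registered_domain(name)
        if dom in KNOWN_C2:
            findings.append(("known_c2", host, name, ts))
        if channel == "dns" and looks_like_tunnel_label(name):
            findings.append(("dns_tunnel_like", host, name, ts))
        chain = order[(host, dom)]
        if not chain or chain[-1] != channel:
            chain.append(channel)
    for (host, dom), chain in order.items():
        if chain[:3] == ["https", "http", "dns"]:
            findings.append(("fallback_chain", host, dom, "->".join(chain)))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {"known_c2": 4, ...}."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_c2_fallback(SAMPLE_LOGS):
        print(f)
    print(summarize(find_c2_fallback(SAMPLE_LOGS)))
```

The "fallback_chain" finding is the most useful of the three in practice: the known-domain match only works until the infrastructure changes, and the entropy heuristic alone will fire on legitimate CDN and anti-spam lookups, but a single workstation that walks down from HTTPS to HTTP to DNS against the same registered domain within minutes is rarely benign.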
Aliases: none currently tracked.