QUADAGENT

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
In July 2018, a series of cyber-attacks orchestrated by the OilRig group targeted a Middle Eastern government agency, delivering a harmful tool known as QUADAGENT. This malware is a PowerShell backdoor attributed to the OilRig group by both ClearSky Cyber Security and FireEye. The attacks were executed using spear phishing emails that contained a delivery document with an unknown payload, which was later identified as QUADAGENT. Once executed, the QUADAGENT payload would use rdppath[.]com as the C2, first via HTTPS, then HTTP, then DNS tunneling, each being used as a fallback channel if the former failed. During the same period, OilRig also exploited additional compromised email accounts within the same government organization to launch spear-phishing attacks, this time delivering the OopsIE trojan instead of QUADAGENT. The OopsIE attack targeted a different organization within the same nation-state. The final payload delivered in all three attack waves was a PowerShell downloader referred to by other research organizations as QUADAGENT. To obfuscate their activities and evade detection, the OilRig group employed an open-source tool named Invoke-Obfuscation to conceal the code used for QUADAGENT. The actual QUADAGENT script payload used in the ClearSky sample was identical to the one found in the bat2exe version used against a technical services provider. QUADAGENT's relationship to other OilRig tools and its detailed analysis is provided in the appendix at the end of the blog from PaloAlto Networks. The QUADAGENT C2 Domains have been classified as malicious, indicating the severity of the threat posed by this malware.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Backdoor
Payload
Downloader
Phishing
PowerShell
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
OopsIEUnspecified
1
OopsIE is a sophisticated malware variant that has been utilized in cyber-attack campaigns against various organizations, including government agencies. The Trojan initiates its execution by conducting a series of anti-VM and sandbox checks, aiming to evade detection by security systems. It further
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
OilRigUnspecified
1
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the QUADAGENT Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
MITRE
a year ago
OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE