QUADAGENT: OilRig Targets Technology Service Provider and Government Agency

Unit 42 researchers published intelligence on an OilRig campaign that used newly developed tools and techniques. Between May and June 2018, Unit 42 observed multiple attacks by the OilRig group (also known as APT34 and Helix Kitten) that appeared to originate from a government agency in the Middle East.
The targets included a technology services provider and another government entity. The attacks used spear phishing from a compromised account; the emails carried Word documents with embedded malicious macros that deliver a multi-stage payload. Once the attachment is opened and its macro runs, the payload runs covertly in the background.
It delivers a PowerShell script, QUADAGENT, a backdoor that communicates with its command and control infrastructure over HTTPS, HTTP or DNS tunneling and carries out the operators' follow-on tasks on the host.
Technical details, including examples of the Word document attached to the malicious emails, can be found on the Unit 42 blog.

Indicators of Compromise

SHA256 Hashes
  • d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520
  • d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
  • 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63
  • 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
  • 119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc
Domains
  • rdppath.com
  • cpuproc.com
  • acrobatverify.com
Filenames
  • Office365DCOMCheck.ps1
  • Office365DCOMCheck.vbs
  • SystemDiskClean.ps1
  • SystemDiskClean.vbs
  • AdobeAcrobatLicenseVerify.ps1
  • c:\Users\<username>\AppData\Roaming\Out.jpg
Recommendations
  • Block the listed domains at the firewall, IDS, web gateways, DNS resolvers and other perimeter devices. Because QUADAGENT can use DNS tunneling for command and control, blocking only HTTP and HTTPS does not cut off the backdoor; alert on DNS queries for the listed domains and any of their subdomains as well.
  • Use updated anti-virus and confirm with your vendor that it has coverage for this campaign.
  • Search for existing signs of the listed IOCs in your environment and email systems: the filenames and hashes on endpoints, and the domains in DNS, proxy and mail logs.
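The third recommendation is the one that needs tooling. The following PowerShell hunt script is added here as an example; it is not Unit 42 or IBM X-Force code. It checks a single Windows host for the filename and SHA256 IOCs above, for the three C2 domains in the local resolver cache, and for scheduled tasks whose actions reference the IOC filenames. The search roots (all user profiles plus ProgramData), the scheduled-task sweep (a generic persistence check, not a behaviour the report describes), and the requirement for Windows 8 / Server 2012 or later with an elevated session are assumptions, not details from the report.

```powershell
# Added QUADAGENT hunting example (not Unit 42 or X-Force code).
# Assumptions: Windows 8 / Server 2012 or later (DnsClient and ScheduledTasks
# modules present), run from an elevated PowerShell session. The search roots
# are an assumption; the report only names AppData\Roaming for Out.jpg.

$HashIocs = @(
    'd948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520',
    'd7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de',
    '5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63',
    '1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c',
    '119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc'
)
$FileIocs   = @('Office365DCOMCheck.ps1', 'Office365DCOMCheck.vbs',
                'SystemDiskClean.ps1', 'SystemDiskClean.vbs',
                'AdobeAcrobatLicenseVerify.ps1')
$DomainIocs = @('rdppath.com', 'cpuproc.com', 'acrobatverify.com')

# Assumed search roots: every user profile plus ProgramData.
$SearchRoots = @("$env:SystemDrive\Users", $env:ProgramData)

function Find-QuadagentFiles {
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Exact filename IOCs anywhere; Out.jpg only in the AppData\Roaming
                # location the report gives; every other .ps1/.vbs is hashed so a
                # renamed copy still matches on SHA256.
                ($FileIocs -contains $_.Name) -or
                ($_.Name -eq 'Out.jpg' -and $_.DirectoryName -like '*\AppData\Roaming') -or
                ($_.Extension -in '.ps1', '.vbs')
            } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                             -ErrorAction SilentlyContinue).Hash
                $nameHit = ($FileIocs -contains $_.Name) -or ($_.Name -eq 'Out.jpg')
                $hashHit = $hash -and ($HashIocs -contains $hash.ToLower())
                if ($nameHit -or $hashHit) {
                    $kind = if ($hashHit) { 'SHA256' } else { 'Filename' }
                    [pscustomobject]@{
                        Indicator = $kind
                        Path      = $_.FullName
                        SHA256    = $hash
                        LastWrite = $_.LastWriteTime
                    }
                }
            }
    }
}

function Find-QuadagentDns {
    # The resolver cache only covers recent lookups on this host. For history,
    # and to spot DNS tunnelling (bursts of unique subdomains under a C2 domain),
    # run the same suffix match over DNS server logs or Sysmon Event ID 22.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object {
            $entry = $_.Entry
            $DomainIocs | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }
        } |
        Select-Object Entry, RecordType, Data, TimeToLive
}

function Find-QuadagentTasks {
    # Generic persistence sweep (an assumption, not a behaviour the report
    # describes): any scheduled task whose action references an IOC filename.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($FileIocs | Where-Object { $cmd -like "*$_*" }) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                }
            }
        }
    }
}

$results = @(Find-QuadagentFiles) + @(Find-QuadagentDns) + @(Find-QuadagentTasks)
if ($results.Count -eq 0) {
    "No QUADAGENT indicators found on $env:COMPUTERNAME"
} else {
    $results | Format-List
}
```

Run it per host through your remote-management tooling and collect the objects rather than the formatted text. A filename match with a non-matching hash is still worth triage: the report's hashes cover the samples Unit 42 saw, and an operator who changes one byte of the script defeats the hash list but not the filename or domain indicators.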

More information:

  • exchange.xforce.ibmcloud.com/collection/OilRig-Targets-Technology-Service-Provider-and-Government-Agency-with-QUADAGENT-6554e3055dd5031a45fe62e33fa0b262
  • researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/