2020-07-13 by Andrew Thompson from FireEye
2020-01-17 by FireEye from FireEye
2019-11-20 by ClearSky Cyber Security from ClearSky
2019-08-22 by Cyware from Cyware
2019-04-16 by Robert Falcone from
Tool: QUADAGENT
Names: QUADAGENT
Description: (Palo Alto) Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails.
Category: Malware
Type: Backdoor, Tunneling
Information: https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
Mitre-attack: https://attack.mitre.org/software/S0269/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:QUADAGENT
Last-card-change: 2020-04-23
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
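The fallback order in the description (HTTPS, then HTTP, then DNS tunnelling) is itself a detectable sequence: a host that repeatedly fails to reach a domain over HTTPS, then tries the same domain over cleartext HTTP, and then starts sending long, high-entropy subdomain queries under that domain has walked the chain. The hunt below is an example added to this card, not code from Unit 42, MITRE or the tool's authors. It generalises beyond rdppath[.]com by keying on any host/domain pair; the record layout, the field names, the thresholds and every sample record are constructed assumptions for the example, and the domain is written undefanged only because the records are synthetic.

```python
"""Hunt for the QUADAGENT-style C2 fallback chain (HTTPS, then HTTP, then DNS tunnelling)
in combined proxy and DNS logs.

Added example for this card, not code from Unit 42 or MITRE. The record layout, the
field names, the thresholds and every record in SAMPLE_RECORDS are constructed for the
example; only the fallback order and the domain name come from the card."""
import math
from collections import defaultdict

# Constructed records: (timestamp, source host, kind, detail).
#   kind "proxy": detail is "METHOD url status"; status 0 means the connection never completed.
#   kind "dns":   detail is the queried name.
SAMPLE_RECORDS = [
    ("2018-05-04T09:00:01", "ws17", "proxy", "POST https://rdppath.com/ 0"),
    ("2018-05-04T09:00:31", "ws17", "proxy", "POST https://rdppath.com/ 0"),
    ("2018-05-04T09:01:02", "ws17", "proxy", "POST http://rdppath.com/ 0"),
    ("2018-05-04T09:01:33", "ws17", "proxy", "POST http://rdppath.com/ 0"),
    ("2018-05-04T09:02:05", "ws17", "dns", "a1b2c3d4e5f60718293a4b5c6d7e8f90.rdppath.com"),
    ("2018-05-04T09:02:06", "ws17", "dns", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.rdppath.com"),
    ("2018-05-04T09:02:07", "ws17", "dns", "ffeeddccbbaa99887766554433221100.rdppath.com"),
    ("2018-05-04T09:02:08", "ws17", "dns", "123456789abcdef0fedcba9876543210.rdppath.com"),
    ("2018-05-04T09:02:09", "ws17", "dns", "c0ffee1234deadbeef5678baadf00d90.rdppath.com"),
    # A second host doing ordinary things: HTTPS succeeds, DNS names are short.
    ("2018-05-04T09:00:10", "ws22", "proxy", "GET https://cdn.example.com/app.js 200"),
    ("2018-05-04T09:00:11", "ws22", "dns", "www.example.com"),
    ("2018-05-04T09:00:12", "ws22", "dns", "cdn.example.com"),
]


def label_entropy(label):
    """Shannon entropy in bits of one DNS label; encoded payload labels score high."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Last two labels of a name. Simplification for the example: a production hunt
    would consult the public suffix list so that names under e.g. co.uk group correctly."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def looks_like_tunnel(name, min_label_len=20, min_entropy=3.0):
    """A query is tunnel-like when its leftmost label is long and high-entropy,
    because tunnelled data is carried encoded in that label."""
    first = name.split(".")[0]
    return len(first) >= min_label_len and label_entropy(first) >= min_entropy


def hunt_fallback_chain(records, min_tunnel_queries=5, **tunnel_opts):
    """Return {(host, domain): [stages reached]} for each host/domain pair whose traffic
    walked the HTTPS -> HTTP -> DNS chain, stages listed in the order the evidence appeared."""
    stages = defaultdict(list)
    tunnel_hits = defaultdict(int)
    for _, host, kind, detail in sorted(records):
        if kind == "proxy":
            _method, url, status = detail.split()
            scheme, rest = url.split("://", 1)
            key = (host, registrable_domain(rest.split("/", 1)[0]))
            if scheme == "https" and status == "0" and not stages[key]:
                stages[key].append("https_failed")    # first channel failed
            elif scheme == "http" and stages[key] == ["https_failed"]:
                stages[key].append("http_fallback")   # dropped to cleartext HTTP
        elif kind == "dns":
            key = (host, registrable_domain(detail))
            if stages.get(key) == ["https_failed", "http_fallback"] and looks_like_tunnel(detail, **tunnel_opts):
                tunnel_hits[key] += 1
                if tunnel_hits[key] >= min_tunnel_queries:
                    stages[key].append("dns_tunnel")  # third channel: DNS
    return {k: v for k, v in stages.items() if v}


if __name__ == "__main__":
    for (host, domain), reached in hunt_fallback_chain(SAMPLE_RECORDS).items():
        print(f"{host} -> {domain}: {' -> '.join(reached)}")
```

The stage list is the evidence to put in the alert: a pair that reached only `https_failed` is noise, `http_fallback` on its own is a downgrade worth a look, and all three together match the card's T1008 behaviour. In production the DNS count should be a rate over a time window rather than a lifetime counter, and the domain grouping needs the public suffix list rather than the two-label shortcut used here.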
ATT&CK techniques by tactic (tactics with no mapped technique omitted):

Execution (TA0002):
- T1059.001 Command and Scripting Interpreter: PowerShell. QUADAGENT uses PowerShell scripts for execution.
- T1059.003 Command and Scripting Interpreter: Windows Command Shell. QUADAGENT uses cmd.exe to execute scripts and commands on the victim's machine.
- T1053.005 Scheduled Task/Job: Scheduled Task. QUADAGENT creates a scheduled task to maintain persistence on the victim's machine.

Persistence (TA0003):
- T1053.005 Scheduled Task/Job: Scheduled Task (same scheduled task as under Execution).

Privilege Escalation (TA0004):
- T1053.005 Scheduled Task/Job: Scheduled Task (same scheduled task as under Execution).

Defense Evasion (TA0005):
- T1140 Deobfuscate/Decode Files or Information. QUADAGENT uses AES and a pre-shared key to decrypt the custom Base64 routine used to encode strings and scripts.
- T1070.004 Indicator Removal: File Deletion. QUADAGENT has a command to delete its registry key and scheduled task.
- T1036.005 Masquerading: Match Legitimate Name or Location. QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.
- T1112 Modify Registry. QUADAGENT modifies an HKCU registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.
- T1027.010 Obfuscated Files or Information: Command Obfuscation. QUADAGENT was likely obfuscated using Invoke-Obfuscation.
- T1027.011 Obfuscated Files or Information: Fileless Storage. QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a registry key (such as HKCU\Office365DCOMCheck) in the HKCU hive.

Discovery (TA0007):
- T1012 Query Registry. QUADAGENT checks whether a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task it has created.
- T1016 System Network Configuration Discovery. QUADAGENT gathers the current domain the victim system belongs to.

Command and Control (TA0011):
- T1071.001 Application Layer Protocol: Web Protocols. QUADAGENT uses HTTPS and HTTP for C2 communications.
- T1008 Fallback Channels. QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.
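Several of the mappings above chain into a single host-side hunt: the scheduled task (T1053.005) runs a PowerShell script with a plausible-looking name (T1036.005), and the implant keeps its session identifier and pre-shared key in an HKCU key named after that task (T1112, T1027.011), which it reads back later (T1012). Correlating a task name with a key created directly under the HKCU hive root is therefore a tighter signal than either event alone. The hunt over constructed host telemetry below is an example added to this card, not code from Unit 42, MITRE or the tool's authors; the event schema, the registry value names and all sample records are assumptions, and only the two script file names and the HKCU\Office365DCOMCheck key come from the card.

```python
"""Hunt host telemetry for QUADAGENT's persistence and fileless-storage artifacts:
a scheduled task that launches a PowerShell script, the masqueraded script names,
and an HKCU key created directly under the hive root with the same name as the task.

Added example for this card, not code from Unit 42 or MITRE. The event schema, the
registry value names and every record in SAMPLE_EVENTS are constructed; only the two
script file names and the HKCU\\Office365DCOMCheck key come from the card."""
import re

# Script names reported on the card (T1036.005), compared case-insensitively.
KNOWN_SCRIPT_NAMES = {"office365dcomcheck.ps1", "systemdiskclean.ps1"}

# A bare file name ending in .ps1 anywhere in a command line or task action.
PS1_NAME = re.compile(r"([^\s\\/\"']+\.ps1)\b", re.IGNORECASE)

# Constructed events; a real feed would be Security 4698 plus Sysmon 1/13 or similar.
SAMPLE_EVENTS = [
    {"host": "ws17", "event": "task_created", "task": "Office365DCOMCheck",
     "action": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Office365DCOMCheck.ps1"},
    {"host": "ws17", "event": "registry_set", "key": r"HKCU\Office365DCOMCheck", "value": "Session"},
    {"host": "ws17", "event": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -w hidden -File C:\Users\Public\SystemDiskClean.ps1"},
    # Benign activity on another host: a vendor updater task, a normal HKCU setting,
    # and an administrator's own PowerShell script.
    {"host": "ws22", "event": "task_created", "task": "VendorUpdateTask",
     "action": r"C:\Program Files\Vendor\update.exe /silent"},
    {"host": "ws22", "event": "registry_set", "key": r"HKCU\Software\Vendor\Settings", "value": "Theme"},
    {"host": "ws22", "event": "process_created",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def script_names(text):
    """Lower-cased .ps1 file names referenced in a command line or task action."""
    return {m.lower() for m in PS1_NAME.findall(text)}


def hkcu_root_key_name(key):
    """Leaf name of a key that sits directly under the HKCU hive root, e.g.
    HKCU\\Office365DCOMCheck -> 'Office365DCOMCheck'. Returns None for deeper keys
    such as HKCU\\Software\\..., where legitimate software keeps its settings."""
    parts = key.split("\\")
    if len(parts) == 2 and parts[0].upper() in ("HKCU", "HKEY_CURRENT_USER"):
        return parts[1]
    return None


def hunt_host_artifacts(events):
    """Return sorted (host, technique, detail) findings."""
    findings = set()
    ps_tasks = {}      # (host, task name lower) -> task name, for tasks whose action runs a .ps1
    root_keys = set()  # (host, key leaf lower) for value writes directly under HKCU
    for ev in events:
        host = ev["host"]
        if ev["event"] == "task_created":
            names = script_names(ev["action"])
            if names:
                ps_tasks[(host, ev["task"].lower())] = ev["task"]
                findings.add((host, "T1053.005", f"scheduled task {ev['task']} runs {', '.join(sorted(names))}"))
            for name in sorted(names & KNOWN_SCRIPT_NAMES):
                findings.add((host, "T1036.005", f"task action references known name {name}"))
        elif ev["event"] == "registry_set":
            leaf = hkcu_root_key_name(ev["key"])
            if leaf is not None:
                root_keys.add((host, leaf.lower()))
        elif ev["event"] == "process_created":
            for name in sorted(script_names(ev["cmdline"]) & KNOWN_SCRIPT_NAMES):
                findings.add((host, "T1036.005", f"command line references known name {name}"))
    # Correlation: a task that runs PowerShell and an HKCU root key with the same name
    # (T1112 / T1027.011 storage, which the implant later reads back via T1012).
    for (host, task_lc), task in ps_tasks.items():
        if (host, task_lc) in root_keys:
            findings.add((host, "T1112", f"HKCU\\{task} written on a host that also has scheduled task {task}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, technique, detail in hunt_host_artifacts(SAMPLE_EVENTS):
        print(f"{host} {technique}: {detail}")
```

The name-based rules will age as soon as the operator renames the scripts, which is why the task-to-root-key correlation is the part worth keeping: legitimate software writes under HKCU\Software, not directly under the hive root, and a task name that doubles as a root key name is exactly the T1012 check the card describes.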