Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks
28.7.18 securityweek CyberSpy
A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.
The attacks, observed between May and June 18, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.
Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.
Both the backdoor and other attack artifacts have been previously associated with the OilRig group.
The samples were nearly identical to each other, but featured different command and control (C&C) servers and randomized obfuscation (performed with the open-source toolkit called Invoke-Obfuscation).
Between May and June, the actor launched three attacks, each involving a spear phishing email appearing to originate from a government agency based in the Middle East. The account was likely compromised via credential theft.
The first two attack waves (aimed at a technology services provider) targeted email addresses that weren’t easily discoverable via search engines. The emails contained an attached exe file (converted from .bat) that was designed to install the QUADAGENT backdoor and execute it.
The dropper would run silently, would download the backdoor, create a scheduled task for persistency, and then execute the payload. The malware used rdppath[.]com as the C&C and would attempt to connect to it via HTTPS, then HTTP, then via DNS tunneling.
The third wave (against the government entity) also used a simple PE file attachment, but compiled using the Microsoft .NET Framework instead of being converted. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion. Once dropped and executed, the backdoor would connect to the C&C at cpuproc[.]com.
A third sample collected by Palo Alto Networks did not use a PE attachment but relied on a Word document containing a malicious macro for delivery. The document displayed a decoy image and asked the user to enable content, but did not use additional decoy content after execution.
The use of Word documents as a delivery mechanism has been associated with the threat actor before, and the delivery of QUADAGENT in this manner was previously documented by ClearSky Cyber Security. The sample ClearSky analyzed appears identical with the one used in the attacks against the technology services provider, Palo Alto Networks says.
“While [OilRig’s] delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” the security firm concludes.