QUADAGENT is a PowerShell backdoor used by OilRig. [1]

ID: S0269
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | QUADAGENT uses cmd.exe to execute scripts and commands on the victim's machine. [1]
Enterprise | T1001 | Data Obfuscation | QUADAGENT encodes C2 communications with base64. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | QUADAGENT uses AES and a pre-shared key to decrypt the custom Base64 routine used to encode strings and scripts. [1]
Enterprise | T1008 | Fallback Channels | QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful. [1]
Enterprise | T1107 | File Deletion | QUADAGENT has a command to delete its Registry key and scheduled task. [1]
Enterprise | T1036 | Masquerading | QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1. [1]
Enterprise | T1112 | Modify Registry | QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. [1]
Enterprise | T1027 | Obfuscated Files or Information | QUADAGENT was likely obfuscated using Invoke-Obfuscation. [1][2]
Enterprise | T1086 | PowerShell | QUADAGENT uses PowerShell scripts for execution. [1]
Enterprise | T1012 | Query Registry | QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created. [1]
Enterprise | T1053 | Scheduled Task | QUADAGENT creates a scheduled task to maintain persistence on the victim's machine. [1]
Enterprise | T1064 | Scripting | QUADAGENT uses VBScripts and batch scripts. [1]
Enterprise | T1071 | Standard Application Layer Protocol | QUADAGENT uses HTTPS, HTTP, and DNS for C2 communications. [1]
Enterprise | T1016 | System Network Configuration Discovery | QUADAGENT gathers the current domain the victim system belongs to. [1]
Enterprise | T1033 | System Owner/User Discovery | QUADAGENT gathers the victim username. [1]
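Two of the behaviours in the table are unusually specific and therefore huntable together: the scheduled task created for persistence (T1053) and an HKCU Registry value whose name matches that task (T1012/T1112), plus the two masquerading script names (T1036). The script below is an added hunting example, not code from the ATT&CK page or from the reporting it cites. It runs over constructed log records modelled loosely on Windows Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set); the field names, the user, the SID and the Registry key path under HKU\<SID>\Software\Example are all assumptions, because the page does not name the real key. The correlation is generic: any task name that reappears as an HKCU value name for the same user is flagged, so it is not limited to the filenames listed above.

```python
import re

# Script names reported for QUADAGENT (from the Masquerading row above), matched case-insensitively.
KNOWN_SCRIPT_NAMES = {"office365dcomcheck.ps1", "systemdiskclean.ps1"}

# Constructed sample records (assumption: field layout, user, SID and key path are made up).
# Sysmon records HKCU writes under HKU\<SID>\..., so the target path starts with "HKU\".
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4698, "user": "CORP\\jdoe",
     "task_name": "\\Office365DCOMCheck",
     "command": "powershell.exe -NoP -W Hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\Office365DCOMCheck.ps1"},
    {"source": "Sysmon", "id": 13, "user": "CORP\\jdoe",
     "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Example\\Office365DCOMCheck",
     "details": "Binary Data"},
    # Benign noise: a built-in task and an ordinary Explorer setting.
    {"source": "Security", "id": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -o -$"},
    {"source": "Sysmon", "id": 13, "user": "CORP\\jdoe",
     "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "details": "DWORD (0x00000002)"},
    # A process-creation record (Sysmon 1) carrying the second masqueraded filename via cmd.exe.
    {"source": "Sysmon", "id": 1, "user": "CORP\\jdoe",
     "command": "cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\\Temp\\SystemDiskClean.ps1"},
]


def _leaf(path):
    """Last component of a task path or Registry path (e.g. '\\A\\B' -> 'B')."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def masquerading_hits(events):
    """Return (source, id, filename) for every command line that names a known QUADAGENT script."""
    hits = []
    for e in events:
        cmd = e.get("command", "")
        # Pull each bare .ps1 filename out of the command line, ignoring directory prefixes.
        for m in re.finditer(r'[^\s"\\]+\.ps1', cmd, re.IGNORECASE):
            if m.group(0).lower() in KNOWN_SCRIPT_NAMES:
                hits.append((e["source"], e["id"], m.group(0)))
    return hits


def task_registry_correlation(events):
    """Flag scheduled-task names that reappear as HKCU value names for the same user.

    This is the T1053 + T1012/T1112 pattern in the table: the implant keeps a value under
    HKCU whose name equals its own task name. Built-in tasks rarely do this, so the match
    itself is the signal; the command line is returned for triage.
    """
    tasks = {}  # (user, lowercase task leaf) -> task command line
    for e in events:
        if e["source"] == "Security" and e["id"] == 4698:
            tasks[(e["user"], _leaf(e["task_name"]).lower())] = e["command"]

    matches = []
    for e in events:
        if e["source"] == "Sysmon" and e["id"] == 13 and e["target"].upper().startswith("HKU\\"):
            key = (e["user"], _leaf(e["target"]).lower())
            if key in tasks:
                matches.append({"user": e["user"], "task": _leaf(e["target"]),
                                "registry": e["target"], "command": tasks[key]})
    return matches


def hunt(events):
    """Run both checks and return a single report dict."""
    return {"masquerading": masquerading_hits(events),
            "task_registry": task_registry_correlation(events)}


if __name__ == "__main__":
    report = hunt(SAMPLE_EVENTS)
    for src, eid, name in report["masquerading"]:
        print(f"[masquerading] {src} {eid}: {name}")
    for m in report["task_registry"]:
        print(f"[task<->registry] user={m['user']} task={m['task']} value={m['registry']}")
        print(f"                  command={m['command']}")
```

On a real host the same correlation can be done live with Get-ScheduledTask and a recursive walk of HKCU:\Software, but the log-based form above is what belongs in a SIEM rule: the task name and the Registry value name are the join key, and the user field keeps one user's task from matching another user's hive. Because the page gives no key path, do not hard-code one; the implant's choice of path may differ between samples while the name-equals-task behaviour does not.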


Groups that use this software: