ODAgent

ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022, including against target organizations in Israel, to download and execute payloads and to exfiltrate staged files.[1]

ID: S1170
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 26 November 2024
Last Modified: 27 November 2024

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

ODAgent can execute a specified command line passed via API.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ODAgent can Base64-decode and XOR-decrypt received C2 commands.[1]

Enterprise T1041 Exfiltration Over C2 Channel

ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ODAgent can use an attacker-controlled OneDrive account for exfiltration.[1]

Enterprise T1083 File and Directory Discovery

ODAgent can identify the current working directory.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

ODAgent can delete payloads and files used to pass C2 commands from remotely hosted cloud accounts.[1]

Enterprise T1105 Ingress Tool Transfer

ODAgent has the ability to download and execute files on compromised systems.[1]

Enterprise T1106 Native API

ODAgent can pass commands using native APIs.[1]

Enterprise T1102.002 Web Service: Bidirectional Communication

ODAgent can use the Microsoft Graph API to access an attacker-controlled OneDrive account and retrieve payloads and backdoor commands.[1]

Groups That Use This Software

ID Name References
G0049 OilRig [1]

References