Connect with us

Hi, what are you looking for?


Malware & Threats

Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks

A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

The attacks, observed between May and June 2018, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.

 Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.

Both the backdoor and other attack artifacts have been previously associated with the OilRig group.

The samples were nearly identical to each other, but featured different command and control (C&C) servers and randomized obfuscation (performed with the open-source toolkit called Invoke-Obfuscation).

Between May and June, the actor launched three attacks, each involving a spear phishing email appearing to originate from a government agency based in the Middle East. The account was likely compromised via credential theft.

The first two attack waves (aimed at a technology services provider) targeted email addresses that weren’t easily discoverable via search engines. The emails contained an attached exe file (converted from .bat) that was designed to install the QUADAGENT backdoor and execute it.

Advertisement. Scroll to continue reading.

The dropper would run silently, would download the backdoor, create a scheduled task for persistency, and then execute the payload. The malware used rdppath[.]com as the C&C and would attempt to connect to it via HTTPS, then HTTP, then via DNS tunneling.

The third wave (against the government entity) also used a simple PE file attachment, but compiled using the Microsoft .NET Framework instead of being converted. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion. Once dropped and executed, the backdoor would connect to the C&C at cpuproc[.]com.

A third sample collected by Palo Alto Networks did not use a PE attachment but relied on a Word document containing a malicious macro for delivery. The document displayed a decoy image and asked the user to enable content, but did not use additional decoy content after execution.

The use of Word documents as a delivery mechanism has been associated with the threat actor before, and the delivery of QUADAGENT in this manner was previously documented by ClearSky Cyber Security. The sample ClearSky analyzed appears identical with the one used in the attacks against the technology services provider, Palo Alto Networks says.

“While [OilRig’s] delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” the security firm concludes.

Related: Iranian Cyberspies Exploit Recently Patched Office Flaw

Related: Iranian Hackers Target IIS Web Servers With New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...