OilRig hacker group targets the Middle East with the QUADAGENT backdoor malware

• The OilRig cyberespionage group was found targeting victims in the Middle East.
• The recent campaign involved three waves of attack between May and June 2018.

The OilRig cyberespionage group has been spotted conducting a new campaign, targeting victims in the Middle East. The campaign consisted of three waves of attack between May and June 2018. The hacker group targeted a technology services provider and a government agency of an unspecified Middle Eastern nation.

According to security researchers at Palo Alto Networks, who uncovered the recent campaign, the OilRig group made use of the powerful backdoor dubbed QUADAGENT in their recent campaign. The researchers believed that the OilRig group likely leveraged compromised accounts and credential harvesting to use the targeted Middle Eastern government agency as launching pad for their true attacks.

“The attacks against these targets were made to appear to have originated from other entities in the same country. However, the actual attackers themselves were outside this country and likely used stolen credentials from the intermediary organization to carry out their attacks,” Palo Alto researchers wrote in a blog.

Modus operandi

The three waves of attack involved in the new campaign appear to begin from a phishing email, which in turn, appears to originate from a Middle Eastern government agency. The phishing email was designed such that once it has been downloaded and executed onto a targeted system, it can run silently without depending on any additional decoy documents.

“In the two waves (May 30 and June 3) against the technology services provider, the victim email addresses were not easily discoverable via common search engines, indicating the targets were likely part of a previously collected target list, or possibly known associates of the compromised account used to send the attack emails,” Palo Alto researchers added.

OilRig uses open-source tools

Researchers discovered that in an attempt to avoid detection, the OilRig group abused open-source tools, such as the Invoke-Obfuscation tool to obfuscate QUADAGENT’s code. The tool is widely available, even via GitHub and allows users to alter how a PowerShell script is visually represented.

Researchers believe that the recent campaign indicates that the OilRig group continues to remain a persistent threat for the Middle East. Despite the hacker group using simple techniques in their campaigns, their adoption of various tools suggests that the group is sophisticated.

“In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” Palo Alto researchers said. “A key component to always remember is that for these type of adversary groups, they will follow the path of least resistance in their attacks, as long as their mission directive is accomplished.”