Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks

silversurfer
A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

The attacks, observed between May and June 2018, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.

Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.
 
You have to disable PowerShell. It's just a plain menace.

The amount of damage caused by maliciously abused PowerShell totals well into the millions of dollars per year.

Ok I am now wondering why I was advised to untick it in guarded apps and add it to user space? Now I am confused again.
Ok so I should be good to go then?

The thing is like this: the "guarded" apps list is stronger than the "user space:yes" list. So if you have a process on both lists, the guarded list wins. The process will run, but guarded. If you untick it on the guarded list, then the user space list will make sure it doesn't run at all. This applies not just to PowerShell but to anything else you might want to disable, such as cmd.exe, for instance. If you want to block it altogether, you must untick it in the guarded list, or else the guarded list will win.