QUADAGENT
⚠️ Overview
QuadAgent is a modular backdoor trojan first identified in 2020 by Proofpoint researchers, operated by the threat group TA444 (also tracked as SilverTerrier, a Nigerian cybercriminal group), and classified within the category of Remote Access Trojans (RATs) used primarily for credential harvesting, data exfiltration, and initial access broker activities.
🔧 Technical Capabilities
QuadAgent propagates via phishing emails with malicious Microsoft Office attachments (e.g., XLM macros, VBA droppers) that download the payload from attacker-controlled C2 servers; it establishes persistence using scheduled tasks under the current user context and registry Run keys. The malware employs evasion techniques including obfuscated JavaScript loaders, base64-encoded strings, and API hashing to avoid static detection, while communicating with its C2 over HTTPS to blend with legitimate traffic. QuadAgent utilizes process injection, often targeting legitimate processes such as svchost.exe or explorer.exe, and can enumerate network shares, steal browser credentials, and exfiltrate files via FTP or HTTP POST requests. According to MITRE ATT&CK, it employs techniques T1055.001 (Process Injection: DLL Injection), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys), and T1071.001 (Application Layer Protocol: Web Protocols).
📜 History & Notable Incidents
First observed in mid-2020 by Proofpoint in campaigns targeting North American financial services and healthcare organizations, QuadAgent was linked to the TA444 group previously associated with the Guildma and Valak malware families. In April 2021, Proofpoint reported a major QuadAgent campaign that exploited COVID-19 themes to distribute the trojan, with C2 infrastructure hosted on compromised WordPress sites and cloud providers such as AWS. No specific CVEs are directly tied to QuadAgent; however, the droppers often exploit older Microsoft Office vulnerabilities (e.g., CVE-2017-11882) and macro execution settings.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (from Proofpoint IOCs), while behavioral signatures include the creation of scheduled tasks named "Updates" or "OMSI_Sync", and network indicators such as HTTP POST requests to /update.php or /gate.php using a User-Agent string mimicking Chrome ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"). Persistence is marked by registry values such as "WindowsDefender" or "OneDriveUpdater" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
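The following is an added example, not code from the page or from any vendor it names, showing how the indicators above can be turned into a small triage script: it scans proxy log lines for POST requests to /update.php or /gate.php and grades the User-Agent match, and it checks an exported inventory of HKCU Run values and scheduled-task names against the listed persistence names. The log format, the sample lines, the registry value commands and the task list are all constructed for the example. One caveat the page does not spell out: the User-Agent string it quotes is only the prefix of a genuine Chrome User-Agent (a real one continues with "(KHTML, like Gecko) Chrome/... Safari/537.36"), so the script treats an exact match as high confidence and a mere prefix match as low confidence rather than alerting on the prefix alone.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the Detection Indicators section above.
SUSPICIOUS_PATHS = {"/update.php", "/gate.php"}
SPOOFED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_VALUE_NAMES = {"WindowsDefender", "OneDriveUpdater"}
TASK_NAMES = {"Updates", "OMSI_Sync"}

# Constructed proxy-log format (an assumption for this example):
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    source: str      # "proxy", "registry" or "schtasks"
    detail: str      # human-readable description of what matched
    confidence: str  # "high", "medium" or "low"


def scan_proxy_log(lines):
    """Return a Hit for every POST to a listed path; grade by User-Agent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        path = urlsplit(m["url"]).path
        if m["method"] != "POST" or path not in SUSPICIOUS_PATHS:
            continue
        ua = m["ua"]
        if ua == SPOOFED_UA:
            confidence = "high"    # exact, truncated "Chrome" string from the IOC list
        elif ua.startswith(SPOOFED_UA):
            confidence = "low"     # a real Chrome UA continues past AppleWebKit/537.36
        else:
            confidence = "medium"  # suspicious path, but a different client string
        hits.append(Hit("proxy", f"{m['client']} POST {path} ua={ua!r}", confidence))
    return hits


def scan_persistence(run_values, task_names):
    """run_values: {value name: command} exported from HKCU\\...\\Run (constructed)."""
    hits = []
    for name, command in run_values.items():
        if name in RUN_VALUE_NAMES:
            hits.append(Hit("registry", f"Run value {name} -> {command}", "high"))
    for task in task_names:
        if task in TASK_NAMES:
            hits.append(Hit("schtasks", f"scheduled task {task}", "medium"))
    return hits


# Constructed sample data: two true positives, one weak match, two benign lines.
SAMPLE_LOG = [
    '2021-04-12T10:01:02Z 10.0.0.5 POST http://203.0.113.10/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2021-04-12T10:01:09Z 10.0.0.5 GET http://203.0.113.10/update.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2021-04-12T10:02:40Z 10.0.0.9 POST https://203.0.113.10/update.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    '2021-04-12T10:03:11Z 10.0.0.7 POST https://intranet.example/api/login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    "garbage line that does not parse",
]
SAMPLE_RUN_VALUES = {
    "WindowsDefender": r"C:\Users\alice\AppData\Roaming\svc.exe",  # constructed
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_TASKS = ["OMSI_Sync", "GoogleUpdateTaskMachineUA"]


def triage(log_lines, run_values, task_names):
    """Combine both scans and return hits ordered by confidence."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = scan_proxy_log(log_lines) + scan_persistence(run_values, task_names)
    return sorted(hits, key=lambda h: order[h.confidence])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, SAMPLE_RUN_VALUES, SAMPLE_TASKS):
        print(f"[{hit.confidence:6}] {hit.source:8} {hit.detail}")
```

Run against the constructed data this reports one high-confidence proxy hit (exact spoofed User-Agent on /gate.php), one low-confidence hit (a full Chrome User-Agent on /update.php), the "WindowsDefender" Run value and the "OMSI_Sync" task; the GET request and the POST to an unlisted path are ignored. In production the path and value-name sets would be loaded from a maintained IOC feed rather than hard-coded.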
☠️ Risk & Impact
QuadAgent primarily enables credential theft, data exfiltration, and access-as-a-service, often selling compromised network access to ransomware groups (e.g., Conti, Ryuk). Affected sectors include finance, healthcare, manufacturing, and professional services, with financial losses estimated in the millions due to secondary ransomware deployments and intellectual property theft. The malware's modular design allows it to be updated frequently, extending its lifespan and complicating signature-based detection.
🛡️ Mitigation
Defenders should enforce macro-blocking policies via Group Policy, deploy multilayered email filtering (Proofpoint, Mimecast), and implement endpoint detection rules for process injection and suspicious outbound HTTPS traffic (e.g., Sigma rule ID posh_ps_inject_win_api). Regular patching of Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0802) and user awareness training are critical to reduce initial infection vectors.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.