S1170 ODAgent
ODAgent is a C#/.NET downloader that OilRig has used since at least 2022, including against target organizations in Israel, to download and execute payloads and to exfiltrate staged files. [1]
| Item | Value |
|---|---|
| ID | S1170 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 November 2024 |
| Last Modified | 27 November 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ODAgent can execute a specified command line passed via API. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ODAgent can Base64-decode and XOR-decrypt received C2 commands. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files. [1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | ODAgent can use an attacker-controlled OneDrive account for exfiltration. [1] |
| enterprise | T1083 | File and Directory Discovery | ODAgent can identify the current working directory. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ODAgent can delete payloads and the files used to pass C2 commands from remotely hosted cloud accounts. [1] |
| enterprise | T1105 | Ingress Tool Transfer | ODAgent has the ability to download and execute files on compromised systems. [1] |
| enterprise | T1106 | Native API | ODAgent can pass commands using native APIs. [1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | ODAgent can use the Microsoft Graph API to access an attacker-controlled OneDrive account and retrieve payloads and backdoor commands. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |