McAfee Labs

Quarian Group Targets Victims With Spearphishing Attacks

0
By on Oct 07, 2013

The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users.

We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world including the United States. Quarian is known to employ spearphishing attacks that use PDF and doc files as bait.

There are at least three exploit-laden doc files in the most recent wave:

The doc files exploit a previously known and patched vulnerability (CVE-2012-0158) in Microsoft Office. Upon opening the malicious doc file in a vulnerable environment, it drops a backdoor component along with a bait file that hides the malicious intention of the attacker.

01102013-attacktheme3

Once inside the network, attackers are able to interact with an infected machine through a remote shell and execute commands. The malware also supports the download of additional tools that can elevate privileges or perform internal network reconnaissance. It also implements “sleep” functionality, which defines the wait time before making a connection to the control server, a mechanism to avoid suspicion.

The backdoor accepts multiple commands from the attacker.

 

 01102013-CC_Flowchart

  • 0X1: Get host information–OS version, host name, IP address, username
  • 0X2: Exit control server functions
  • 0X3: Shut down the client
  • 0X4: Run updater.exe to update the backdoor
  • 0X5: Create registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • 0X6: Remote Shell–Used to interactively run commands.
  • 0X7: Extended Functions–FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile
  • 0X10: Write to “cf” file to define sleep time

If we are to believe the compilation timestamp of the executable’s header, the binary was generated on August 25.

01102013-timestamp

The malware implements an XOR loop that after decryption exposes the control server and its domains:

  • www.keep.ns3.name
  • andyothers.acmetoy.com

01102013- olly

Keep.ns3.name resolved to 216.244.81.141 (IP info) at the time of investigation but has since been taken down.

At our recent FOCUS 2013 conference, we announced the McAfee Advanced Threat Defense (MATD) product line. (MATD integrates the antimalware engine, Global Threat Intelligence, and the Gateway antimalware engine to minimize the impact of threats entering a network. MATD features two detection approaches–based on behavior (dynamic sandboxing) and static code analysis–to detect previously unknown and well-disguised threats.) The following image shows the MATD administrator view of the behavior traces and the ASM code.

01102013-static_dynamic

Here is a preview of the MATD analysis report for this threat family. The backdoor component is classified as malicious after matching the static code against known malware family. The sandbox also reported suspicious behavior after dynamic execution.

01102013-matdreport

McAfee will continue to monitor new and similar threats. We advise users against opening any suspicious emails or links and to always adopt a layered defense for comprehensive protection.

I thank my colleague Saravanan Mohankumar of the Advanced Threat Defense Group for his assistance.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>