SCF Advanced Search

  • Total Posts: 40151
  • Total Topics: 14260
  • Online Today: 759
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Quarian Group Targets Victims With Spearphishing Attacks  (Read 2073 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Quarian Group Targets Victims With Spearphishing Attacks
« on: 08. October 2013., 12:37:58 »
Quarian Group Targets Victims With Spearphishing Attacks

The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users.

We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world including the United States. Quarian is known to employ spearphishing attacks that use PDF and doc files as bait.

There are at least three exploit-laden doc files in the most recent wave:

• Embassy of India in Kabul, telephone directory

Going to bed late is making you fat

Shadows behind Syrian issue

The doc files exploit a previously known and patched vulnerability (CVE-2012-0158) in Microsoft Office. Upon opening the malicious doc file in a vulnerable environment, it drops a backdoor component along with a bait file that hides the malicious intention of the attacker.

("click the images to make them larger")

Once inside the network, attackers are able to interact with an infected machine through a remote shell and execute commands. The malware also supports the download of additional tools that can elevate privileges or perform internal network reconnaissance. It also implements “sleep” functionality, which defines the wait time before making a connection to the control server, a mechanism to avoid suspicion.

The backdoor accepts multiple commands from the attacker.

• 0X1: Get host information–OS version, host name, IP address, username
• 0X2: Exit control server functions
• 0X3: Shut down the client
• 0X4: Run updater.exe to update the backdoor
• 0X5: Create registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• 0X6: Remote Shell–Used to interactively run commands.
• 0X7: Extended Functions–FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile
• 0X10: Write to “cf” file to define sleep time

If we are to believe the compilation timestamp of the executable’s header, the binary was generated on August 25.

The malware implements an XOR loop that after decryption exposes the control server and its domains:
• resolved to (IP info) at the time of investigation but has since been taken down.

At our recent FOCUS 2013 conference, we announced the McAfee Advanced Threat Defense (MATD) product line. (MATD integrates the antimalware engine, Global Threat Intelligence, and the Gateway antimalware engine to minimize the impact of threats entering a network. MATD features two detection approaches–based on behavior (dynamic sandboxing) and static code analysis–to detect previously unknown and well-disguised threats.) The following image shows the MATD administrator view of the behavior traces and the ASM code.

Here is a preview of the MATD analysis report for this threat family. The backdoor component is classified as malicious after matching the static code against known malware family. The sandbox also reported suspicious behavior after dynamic execution.

McAfee will continue to monitor new and similar threats. We advise users against opening any suspicious emails or links and to always adopt a layered defense for comprehensive protection.

I thank my colleague Saravanan Mohankumar of the Advanced Threat Defense Group for his assistance.

Original article: By Rahul Mohandas on Oct 07, 2013
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

Quarian Group Targets Victims With Spearphishing Attacks
« on: 08. October 2013., 12:37:58 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising