This blog post was written by Rahul Mohandas.
The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users.
We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world including the United States. Quarian is known to employ spearphishing attacks that use PDF and doc files as bait.
There are at least three exploit-laden doc files in the most recent wave:
- Embassy of India in Kabul, telephone directory
- Going to bed late is making you fat
- Shadows behind Syrian issue
The doc files exploit a previously known and patched vulnerability (CVE-2012-0158) in Microsoft Office. Upon opening the malicious doc file in a vulnerable environment, it drops a backdoor component along with a bait file that hides the malicious intention of the attacker.
Once inside the network, attackers are able to interact with an infected machine through a remote shell and execute commands. The malware also supports the download of additional tools that can elevate privileges or perform internal network reconnaissance. It also implements “sleep” functionality, which defines the wait time before making a connection to the control server, a mechanism to avoid suspicion.
The backdoor accepts multiple commands from the attacker.
- 0X1: Get host information–OS version, host name, IP address, username
- 0X2: Exit control server functions
- 0X3: Shut down the client
- 0X4: Run updater.exe to update the backdoor
- 0X5: Create registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0X6: Remote Shell–Used to interactively run commands.
- 0X7: Extended Functions–FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile
- 0X10: Write to “cf” file to define sleep time
If we are to believe the compilation timestamp of the executable’s header, the binary was generated on August 25.
The malware implements an XOR loop that after decryption exposes the control server and its domains:
Keep.ns3.name resolved to 126.96.36.199 (IP info) at the time of investigation but has since been taken down.
At our recent FOCUS 2013 conference, we announced the McAfee Advanced Threat Defense (MATD) product line. (MATD integrates the antimalware engine, Global Threat Intelligence, and the Gateway antimalware engine to minimize the impact of threats entering a network. MATD features two detection approaches–based on behavior (dynamic sandboxing) and static code analysis–to detect previously unknown and well-disguised threats.) The following image shows the MATD administrator view of the behavior traces and the ASM code.
Here is a preview of the MATD analysis report for this threat family. The backdoor component is classified as malicious after matching the static code against known malware family. The sandbox also reported suspicious behavior after dynamic execution.
McAfee will continue to monitor new and similar threats. We advise users against opening any suspicious emails or links and to always adopt a layered defense for comprehensive protection.
I thank my colleague Saravanan Mohankumar of the Advanced Threat Defense Group for his assistance.