QUARIAN Attacks Expand Their Targets

During the first half of the year, we have seen targeted attacks leveraging the Syrian conflict and how the backdoor RAT DarkComet was used, which we documented in the following blog posts:

After the report that the Anonymous collective via its OpSyria or Operation Syria (which targeted the Syrian Government) has recently leaked documents from the Syrian Ministry of Foreign Affairs (MoFA), our friends from Kasperksy discovered that the said Syrian government institution has been the subject of a targeted attack via an email with a malicious .PDF file attachment. The said email message was sent to them last December 5, 2011.

We decided to investigate this further and found out that the targeted email attacks continued until March 2012 (or possibly even beyond that), as seen in the snapshots below. One was sent to {BLOCKED}n@mofa.gov.sy and the other was sent to {BLOCKED}k@mofa.gov.sy, which both came from the sender named {BLOCKED}bi@mofa.gov.sy. This is also the sender email address used in the Kaspersky (KAV) report.

The messages translate to the text below:

Colleagues in the office of codes
Please inform us about the receipt of the telegram No. 23<
With thanks
Embassy / Abu Dhabi

Please open or download attachments.
Best wishes!

While the sender IP, {BLOCKED}.{BLOCKED}.57.166 described in KAV’s post stated that it was located in Korea, the sender IPs we saw came from different locations, one of which was {BLOCKED}.{BLOCKED}.151.233 and located in Tokyo, Japan.

Moreover, after querying our database for similar attacks, in this case using the command-and-control (C&C) server domain name as point of reference, we also saw this targeted email sent to a top US Government organization last June 5, 2012 using the subject of ”Defense and security 2012.doc”. We have already alerted the said US Government entity regarding this.

As can be seen in the email header snapshot below, the sender IP of {BLOCKED}.84.148 can also be traced to Japan.

While the fake sender address used here is a poor attempt at imitating the official email address (like using a Yahoo! email for a supposed official email), all of the other email samples we have shown above had the same malware payload regardless of the vector used. In the Syrian campaign, one vector was an exploit-laden .PDF file described in the KAV post. Some emails took advantage of the RTLO or “right-to-left-override” trick to display a file name such as xxx.fdp.scr as xxx.rcs.pdf (where xxx varies). The email sent to the US Government address used an .RTF vulnerability, CVE-2010-3333. All samples seen have the payload we detect as BKDR_QUARIAN.SM and communicates to its C&C at {BLOCKED}reddy1.dns05.com via port 443.

BKDR_QUARIAN.SM executes commands such as downloading files from its C&C server, stealing certain information, and deleting files among others.

Our friends from Sourcefire have also managed to reverse the C&C protocol used by the QUARIAN backdoor and documented them here.

At this point, we are still investigating what other connections exist between the Syrian attacks and the attack on the US Department of State, as well as more on the QUARIAN backdoor payload used. We will be posting updates accordingly so stay tuned.

Trend Micro Smart Protection Network protects users from this threat by detecting and deleting BKDR_QUARIAN.SM if found in users’ systems. It also blocks the related email message and prevents access to the C&C server.

Users are warned to be discerning of the messages they receive. Because email is a popular medium of communication within organizations, employees should also be extra cautious before opening and downloading an attached file. Similar to this incident, attackers can use spoofed email addresses that mimic departments or figures of authority. To know more on about the role of email messages on targeted attacks, you may read Covert Arrivals: Email’s Role in APT Campaigns.

With additional analysis from Harli Aquino

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

QUARIAN Attacks Expand Their Targets