{"id":30043,"date":"2013-10-07T10:29:18","date_gmt":"2013-10-07T17:29:18","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=30043"},"modified":"2025-06-04T02:07:47","modified_gmt":"2025-06-04T09:07:47","slug":"quarian-group-targets-victims-with-spearphishing-attacks","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/","title":{"rendered":"Quarian Group Targets Victims With Spearphishing Attacks"},"content":{"rendered":"<p><em><span style=\"font-size: 14px; line-height: 1.5em;\">This blog post was written by Rahul Mohandas.<\/span><\/em><\/p>\n<p>The current generation of targeted attacks is getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users.<\/p>\n<p>We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world, including the United States. Quarian is known to employ spearphishing attacks that use PDF and doc files as bait.<\/p>\n<h2>There are at least three exploit-laden doc files in the most recent wave:<\/h2>\n<ul>\n<li>Embassy of India in Kabul, telephone directory<\/li>\n<li><a href=\"https:\/\/www.blisstree.com\/2013\/07\/01\/food\/nutrition\/going-to-bed-late-is-making-you-fat\/\">Going to bed late is making you fat<\/a><\/li>\n<li><a href=\"https:\/\/www.philstar.com\/world\/2013\/09\/01\/1159781\/obama-seeks-congressional-blessing-attacking-syria\">Shadows behind Syrian issue<\/a><\/li>\n<\/ul>\n<p>The doc files exploit a previously known and patched vulnerability (CVE-2012-0158) in Microsoft Office. 
Upon opening the malicious doc file in a vulnerable environment, it drops a backdoor component along with a bait file that hides the malicious intention of the attacker.<\/p>\n<p>Once inside the network, attackers are able to interact with an infected machine through a remote shell and execute commands. The malware also supports the download of additional tools that can elevate privileges or perform internal network reconnaissance. It also implements &#8220;sleep&#8221; functionality, which defines the wait time before making a connection to the control server, a mechanism to avoid suspicion.<\/p>\n<h2>The backdoor accepts multiple commands from the attacker.<\/h2>\n<ul>\n<li>0X1: Get host information&#8211;OS version, host name, IP address, username<\/li>\n<li>0X2: Exit control server functions<\/li>\n<li>0X3: Shut down the client<\/li>\n<li>0X4:\u00a0Run updater.exe to update the backdoor<\/li>\n<li>0X5: Create registry entry HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n<li>0X6: Remote Shell&#8211;Used to interactively run commands.<\/li>\n<li>0X7: Extended Functions&#8211;FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile<\/li>\n<li>0X10: Write to \u201ccf\u201d file to define sleep time<\/li>\n<\/ul>\n<p>If we are to believe the compilation timestamp of the executable&#8217;s header, the binary was generated on August 25.<\/p>\n<p>The malware implements an XOR loop that after decryption exposes the control server and its domains:<\/p>\n<ul>\n<li>www.keep.ns3.name<\/li>\n<li>andyothers.acmetoy.com<\/li>\n<\/ul>\n<p>Keep.ns3.name resolved to 216.244.81.141 (<a href=\"https:\/\/whois.arin.net\/rest\/nets;q=216.244.81.141?showDetails=true&amp;showARIN=false&amp;ext=netref2\">IP info<\/a>) at the time of investigation but has since been taken down.<\/p>\n<p>At our recent FOCUS 2013 conference, we announced the <a 
href=\"https:\/\/securingtomorrow.mcafee.com\/business\/security-connected\/thinking-outside-of-the-sandbox-mcafee-advanced-threat-defense-unveiled\">McAfee Advanced Threat Defense (MATD)<\/a> product line. (MATD integrates the antimalware engine, Global Threat Intelligence, and the Gateway antimalware engine to minimize the impact of threats entering a network. MATD features two detection approaches&#8211;based on behavior (dynamic sandboxing) and static code analysis&#8211;to detect previously unknown and well-disguised threats.) The following image shows the MATD administrator view of the behavior traces and the ASM code.<\/p>\n<p>Here is a preview of the MATD analysis report for this threat family. The backdoor component is classified as malicious after matching the static code against a known malware family. The sandbox also reported suspicious behavior after dynamic execution.<\/p>\n<p>McAfee will continue to monitor new and similar threats. We advise users not to open suspicious emails or links and to always adopt a layered defense for comprehensive protection.<\/p>\n<p>I thank my colleague Saravanan Mohankumar of the Advanced Threat Defense Group for his assistance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post was written by Rahul Mohandas. 
The current generation of targeted attacks are getting more sophisticated and evasive&#8230;.<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,3923,4804,124,180,18],"coauthors":[3973],"class_list":["post-30043","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-email-and-web-security","tag-focus","tag-global-threat-intelligence","tag-malware","tag-network-security"],"acf":[],
"yoast_head_json":{"title":"Quarian Group Targets Victims With Spearphishing Attacks | McAfee Blog","description":"This blog post was written by Rahul Mohandas. The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Quarian Group Targets Victims With Spearphishing Attacks | McAfee Blog","og_description":"This blog post was written by Rahul Mohandas. The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2013-10-07T17:29:18+00:00","article_modified_time":"2025-06-04T09:07:47+00:00","og_image":[{"url":"https:\/\/www.mcafee.com\/wp-content\/uploads\/01102013-attacktheme3.jpg","type":"","width":"","height":""}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Quarian Group Targets Victims With Spearphishing Attacks","datePublished":"2013-10-07T17:29:18+00:00","dateModified":"2025-06-04T09:07:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/"},"wordCount":507,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["computer security","cybercrime","email and web security","FOCUS","global threat intelligence","malware","network security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/","name":"Quarian Group Targets Victims With Spearphishing Attacks | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2013-10-07T17:29:18+00:00","dateModified":"2025-06-04T09:07:47+00:00","description":"This blog post was written by Rahul Mohandas. The current generation of targeted attacks are getting more sophisticated and evasive. 
These attacks employ","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/quarian-group-targets-victims-with-spearphishing-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Quarian Group Targets Victims With Spearphishing Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for 
everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=30043"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30043\/revisions"}],"predecessor-version":[{"id":215074,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/30043\/revisions\/215074"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=30043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=30043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=30043"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=30043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}