
Divide and Conquer: Unmasking China's 'Quarian' Campaigns Through Community

Summary:

In August and September, the ThreatConnect Research Team observed an increase in targeted attacks with a custom implant known as “Quarian.”  Based on links between current and historic activity, we are confident that it is a subset of a single Chinese Advanced Persistent Threat (APT) group using the implant and other previously observed tactics.  The focus of the attacks appears to be aimed at those involved with Syrian, broader Middle Eastern, and Islamic issues as previously observed from industry reporting.  This increase was also noted by McAfee-Labs in a blog from early October 2013. ThreatConnect Research took a focused look at the historic and recent Quarian activity to come to a few conclusions about the Quarian threat itself.

ThreatConnect Research assesses that the increase in activity that lasted into September was due to the increased tensions over rumors of a US intervention against the Assad regime and the eventual agreement by Syria to put its chemical weapons under international control.  China has an ideological interest in maintaining its policy of non-interference in sovereign nations' affairs, a stance it often cites when accused of its own human rights violations, but remains highly interested in the evolving situation in Syria.  While the international attention on Syria has again taken a lull in recent weeks, the situation there has by no means been fully resolved, and neither has China’s interest in it.  If international tensions rise to the point of potential military intervention again, there will likely be increased Quarian activity in support of China’s intelligence requirements around the issue.

The Quarian operators have not varied their malware, infrastructure, or overall capabilities much since last year, which allows members of the ThreatConnect Communities to follow and collaborate together in an effort to better defend their respective enterprises from Quarian activity.  Despite the lull in Quarian reporting prior to last month, the group using the implant has quietly continued their operations, regardless of moderate to high antivirus (AV) detection and industry reporting.

Quarian activity was first publicly highlighted in late November 2012 by the Kaspersky Global Research & Analysis Team (GReAT), which issued a blog on Securelist that analyzed the attachment of a spearphishing email that had been pulled from a dump of Syrian Ministry of Foreign Affairs (MoFA) documents publicly released by the Anonymous collective.  The implant, dubbed Quarian (or “Dougat”) by the AV community, was also reported by TrendMicro in a follow-up blog as additional spearphishing emails and trojanized documents were discovered.  In a noteworthy example, one of these attempts targeted the US State Department.  The SourceFire Vulnerability Research Team (VRT) also followed up by publishing an analysis of Quarian’s custom command and control (C2) protocol.  Interest from the community eventually waned and published research on the Quarian threat slowed by 2013.

Quarian Targeting:

Although not exclusively the case, the theme of the trojanized documents focused mainly on Middle Eastern or Islamic diplomatic issues.  In the case of “Beware_of_the_shadows_behind_the_Syrian_issue_.doc” (MD5: 4B39C6A453440D88B8397540EF54344C) the Quarian actors revisit the Syrian conflict theme.  The malicious document drops the implant "iexplorer.exe" (MD5: 458C1D3D3FFCFF137009404E235DF57C).  The content of the infected document is taken directly from an English version of the Chinese state-run People’s Daily editorial located here.  Secondly, another exploit document, “Sajjad Karim's statement on HR situation.doc” (MD5: C8E85628B0B656A467D2E6BD19AB2DE7), drops the implant "update.exe" (MD5: E1F509EC36E38ECAF0A9A064FE0D58CC).  Sajjad Karim is a member of the European Parliament, elected in 2004 as its first British Muslim.  As noted, this European Union themed document indicates that the Quarian targeting activity is likely not directed only against individuals and organizations with Syrian or Middle Eastern interests, but against broader regional security interests as well.  Another exploit document, “Top_10_striking_women_in_Asia.doc”, used the common lure of beautiful women to entice the would-be victim to open the document.  The following table shows all filenames from a few recent Quarian targeting campaigns.

Table 1. Quarian Document Exploits and Implants

Common Quarian Infrastructure:

Although multiple threat groups often have access to and use the same backdoors (because they are available publicly, commercially, or shared amongst threat groups) it is typically not sound analytic practice to link disparate activity together by looking at the malware alone.  One of the most practical applications of “The Diamond Model” - used as a guidepost within ThreatConnect intelligence research and analysis - is linking activity by more than one diamond vertex (e.g. malware to infrastructure, actor to malware, etc.).  In the case of recent Quarian activity, we can see clear linkages in both the current malware and the infrastructure to earlier identified campaigns.  This underscores the importance of tracking details and tactical indicators, identified in past events, to enable a proactive and preventative stance in the face of future targeted attacks.

Prior to the October McAfee Quarian blog, the ThreatConnect Community had seen fifteen unique samples, eleven since last August, all of which used the C2 infrastructure outlined in Table 2.  The compile times suggest five to six distinct targeting waves, with the earliest wave fitting the time frame of the original Kaspersky blog and the latest occurring in early September of this year.

Note that MD5: 3C7AD543E77E54DB95DB6D26B21159D8 is listed twice because it was dropped from two separate implanted documents, “Building_a_Relationship_with_Your_Children.doc” and “Top_10_striking_women_in_Asia_.doc”.

Table 2. Compile times, Quarian Implants and associated C2 domains

The malware analysis data in Table 2 was compiled from analysis results obtained with Joe Sandbox.  For more information about Joe Sandbox please visit Joe Security.

Since early August, the domains referenced in Table 2 have resolved to the same handful of IP addresses as seen in Table 3 thus far:

Table 3. Quarian C2 IP Address Infrastructure and resolutions

In addition to the domains in Table 2, sureshreddy1.dns05[.]com, which was reported in last year’s Kaspersky blog, had previously resolved concurrently to several of these IP addresses.  The domain fouiskrish.ns01[.]info has previously resolved to some of these IP addresses at the same time as those in Table 2.  The example of “DNS tracks” seen in Figure 1, compiled within ThreatConnect, also demonstrates how the C2 infrastructure from the Quarian samples consistently resolves to the same IP addresses.  This firmly establishes a common infrastructure usage connection across known samples of the Quarian backdoor.


Figure 1. 216.244.81.141 IP resolutions.
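The “DNS tracks” pivot described above, linking domains that resolved to the same address during overlapping windows and then grouping the linked domains, can be reproduced over passive-DNS records. The script below is an added example and not ThreatConnect's own tooling; the domain names, addresses (RFC 5737 ranges) and dates in SAMPLE are constructed placeholders, not the real Quarian indicators from the tables.

```python
"""Passive-DNS pivot: link domains by shared, time-overlapping IP resolutions.

Added example, not ThreatConnect code. All records below are constructed.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class Resolution(NamedTuple):
    """One passive-DNS observation: domain -> ip over [first_seen, last_seen]."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records (placeholder names, RFC 5737 addresses): c2-a and
# c2-b share one address at the same time, c2-b and c2-c share another,
# old.example used the first address a year earlier (no overlap), and
# unrelated.example never co-resolves with anything.
SAMPLE = [
    Resolution("c2-a.example", "203.0.113.141", date(2013, 8, 15), date(2013, 10, 20)),
    Resolution("c2-b.example", "203.0.113.141", date(2013, 8, 20), date(2013, 9, 30)),
    Resolution("old.example", "203.0.113.141", date(2012, 11, 1), date(2013, 1, 10)),
    Resolution("c2-b.example", "198.51.100.197", date(2013, 9, 1), date(2013, 10, 1)),
    Resolution("c2-c.example", "198.51.100.197", date(2013, 9, 10), date(2013, 10, 15)),
    Resolution("unrelated.example", "192.0.2.7", date(2013, 9, 1), date(2013, 9, 5)),
]


def overlaps(a: Resolution, b: Resolution) -> bool:
    """True when the two observation windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def shared_ip_links(records):
    """Map each pair of domains that resolved to the same IP during overlapping
    windows to the set of IPs they shared. Reuse of an address a long time
    apart (shared hosting churn) is deliberately not counted as a link."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    links = defaultdict(set)
    for ip, rs in by_ip.items():
        for i in range(len(rs)):
            for j in range(i + 1, len(rs)):
                a, b = rs[i], rs[j]
                if a.domain != b.domain and overlaps(a, b):
                    links[tuple(sorted((a.domain, b.domain)))].add(ip)
    return dict(links)


def clusters(records):
    """Union-find over the linked pairs; returns domain sets, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for d1, d2 in shared_ip_links(records):
        parent[find(d1)] = find(d2)
    groups = defaultdict(set)
    for r in records:
        groups[find(r.domain)].add(r.domain)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


if __name__ == "__main__":
    for pair, ips in sorted(shared_ip_links(SAMPLE).items()):
        print(f"{pair[0]} <-> {pair[1]} via {sorted(ips)}")
    for group in clusters(SAMPLE):
        print("cluster:", sorted(group))
```

Requiring the windows to overlap is what keeps the pivot honest: a domain that merely sat on the same hosting-provider address a year earlier (old.example here) is not pulled into the cluster, which mirrors the caveat in the post that netblock owners and hosting providers are not themselves implicated.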

According to IP Whois data, three of these IP addresses, 216.244.81[.]141, 216.176.190[.]197, and 216.176.190[.]205, are registered to a private customer through wowrack[.]com, a managed hosting provider (see Figures 3 and 4 below).  The private customer appears to be located in Dalian, China. The name ZHAOWEIWANG is associated with the network IP allocations. The resolutions to these networks began in mid-August, persisted through October and continued as of publication.  The IP address 216.244.81[.]41 is associated with another apparent China-located private wowrack[.]com customer, with the name ZHOUJUN associated with the IP address range.

Figures 3 and 4. IP Whois data for the wowrack[.]com allocations.

A similar pattern is seen with two more of the IP addresses, 50.117.123[.]108 and 50.117.120[.]112. These addresses were active some time prior to the resolutions to the Wowrack IP addresses, from May to early September.  As seen in Figures 5 and 6 below, these IPs are leased to a LiaoZhiBin, based in Shanghai, China, through EGI Hosting.

Figures 5 and 6. IP Whois data for the EGI Hosting allocations.

Note: This does not imply that any of the entities leasing these netblocks, or their hosting providers, are responsible or even aware of the malicious infrastructure resolving to their networks.

Another interesting piece of historic data concerns the resolutions of the sureshreddy1.dns05[.]com domain.  As evidenced in the Securelist blog post, this domain was resolving to IP addresses in the Beijing 123.120.0.0/16 netblock (ASN 4808).  More recently, on September 23rd, the Quarian C2 domain everyday.xxuz[.]com also resolved to an IP in this netblock. This ASN / netblock is quite notorious for its association with suspected Chinese APT activity and has been previously related to the Mirage Campaign as well as domains found in our own Khaan Quest blog and another blog post from earlier this year.  It seems in this campaign that the actors have largely moved away from using the Beijing-based IP ranges in favor of rotating through hosting providers for their “victim facing” C2 nodes.  Still, the historic use of these netblocks suggests the Quarian campaigns may be linked to a much broader set of related APT activity.

Exploits Leveraged:

The document used to target the Syrian MoFA leveraged an exploit for CVE-2010-0188 and was delivered on December 5th, 2011, nearly a year and a half after a fix was available.  The document that purportedly targeted the State Department was sent June 5th, 2012 and leveraged CVE-2010-3333.  This time the Quarian actors were only about seven months behind the patch, which may be considered a slight improvement in their initial targeting window.  ThreatConnect Research observed another CVE-2010-3333 attempt with MD5: 60fd5f5140ccfa4d838948c7ab0f4201 in April 2013.  However, in the most recent Quarian targeting, all documents leveraged CVE-2012-0158.  Considering the patch for CVE-2012-0158 was released in April 2012 with MS12-027, the Quarian actors are comfortable leveraging an exploit that was patched over a year ago.  As a disclaimer, we constantly observe multiple threat groups using CVE-2012-0158 exploits, as it is currently a favored and reliable publicly known Office exploit.  What we can infer is that this APT group has the basic ability to leverage or acquire exploits for well-known and patched vulnerabilities, and that they will continue targeting users with the minimal amount of effort that results in successful exploitation.  If the Quarian actors possess more agile timelines for leveraging newer or unknown (zero-day) exploits, they have not demonstrated it in the observed campaigns. ThreatConnect Research assesses the Quarian group’s demonstrated sophistication in leveraging new exploits as low, based on their observed patterns of activity.

Quarian Network Protocol Analysis:

The SourceFire VRT blog detailed an in-depth analysis of Quarian’s C2 protocol.  In the samples we analyzed, we noticed similar but slightly different behavior. As is detailed in both Securelist’s and VRT’s blogs, the malware checks for proxy settings and, if present, sends a misspelled HTTP CONNECT request to the local proxy.  If there is no proxy configured, the implant connects directly to the C2 server over TCP 443.  One difference noted was how the session XOR encryption key was established. In the VRT samples, each side used its own 8-byte XOR key to obfuscate the commands and responses passed between them. In the samples obtained by ThreatConnect Research, the implant sent an 8-byte nonce, the C2 responded with a different 8-byte nonce, and the implant XOR’ed the C2 nonce with its own nonce to establish a session key.  Both sides then used the new session key to XOR the commands and responses passed between them.

The algorithm that the implant used to compute the session key is below:

    /* Derive the 8-byte session key from the two handshake nonces. */
    for (i = 0; i < 8; i++) {
        c = C2_nonce[i] ^ implant_nonce[i];   /* combine the C2 and implant nonces */
        if (c == 0) c = ~i;                   /* never allow a zero key byte */
        session_key[i] = c;
    }

The implant_nonce is the initial 8 bytes sent by the implant and C2_nonce is the 8 bytes received from the C2. The algorithm prevents any 0 bytes from appearing in the session key, which would otherwise have allowed some cleartext data to pass unencoded over the network.  Data was encoded/decoded by XOR’ing each byte against the session key on a rotating basis, as expected.  However, it did not restart at the first byte of the key with every encoding.  The indexes of the last key byte used for encoding and for decoding were stored separately and then retrieved when it was time to encode/decode another packet.  The indexes were initialized to 0 and then never zeroed again during the life of the session, i.e. until a new session handshake was performed.

Figure 7. PCAP of Quarian communication with controller
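The session-key derivation and the rotating, stateful XOR codec described above are small enough to model end to end, which is what an analyst needs in order to decode a captured session once both handshake nonces have been pulled from the PCAP. The code below is an added example written from the description in this post; it is not the implant's code and not the SourceFire or ThreatConnect analysis tooling, and the nonces and messages in it are constructed.

```python
"""Model of the Quarian session handshake and stateful XOR codec.

Added example based on the protocol description above; not implant code.
Nonces and messages below are constructed test values.
"""


def derive_session_key(implant_nonce: bytes, c2_nonce: bytes) -> bytes:
    """XOR the two 8-byte nonces; any zero byte is replaced by ~i (truncated
    to a byte) so the key never contains 0x00, which would leave the
    corresponding plaintext bytes exposed on the wire."""
    if len(implant_nonce) != 8 or len(c2_nonce) != 8:
        raise ValueError("handshake nonces must be exactly 8 bytes")
    key = bytearray(8)
    for i in range(8):
        c = c2_nonce[i] ^ implant_nonce[i]
        if c == 0:
            c = (~i) & 0xFF
        key[i] = c
    return bytes(key)


class QuarianSession:
    """One endpoint of a session. Encoding and decoding each keep their own
    key index; both start at 0 and persist across packets until a new
    handshake creates a new session object."""

    def __init__(self, implant_nonce: bytes, c2_nonce: bytes):
        self.key = derive_session_key(implant_nonce, c2_nonce)
        self.enc_idx = 0  # next key byte to use when encoding
        self.dec_idx = 0  # next key byte to use when decoding

    def _xor(self, data: bytes, idx: int):
        out = bytearray(len(data))
        for n, b in enumerate(data):
            out[n] = b ^ self.key[idx]
            idx = (idx + 1) % len(self.key)
        return bytes(out), idx

    def encode(self, data: bytes) -> bytes:
        out, self.enc_idx = self._xor(data, self.enc_idx)
        return out

    def decode(self, data: bytes) -> bytes:
        out, self.dec_idx = self._xor(data, self.dec_idx)
        return out


# Constructed nonces: the first four bytes are identical on both sides, so
# the raw XOR would produce four zero key bytes and the ~i rule must kick in.
IMPLANT_NONCE = bytes.fromhex("0102030405060708")
C2_NONCE = bytes.fromhex("01020304aabbccdd")


def roundtrip_demo():
    """Encode two packets on the implant side and decode them on the C2 side.
    Returns (both_packets_decoded, second_packet_via_fresh_session)."""
    implant = QuarianSession(IMPLANT_NONCE, C2_NONCE)
    controller = QuarianSession(IMPLANT_NONCE, C2_NONCE)
    p1 = implant.encode(b"hello")
    p2 = implant.encode(b"world")
    ok = controller.decode(p1) == b"hello" and controller.decode(p2) == b"world"
    # An analyst who restarts the key index at 0 for every packet (as a
    # plain rotating XOR would) decodes everything after the first packet wrong.
    fresh = QuarianSession(IMPLANT_NONCE, C2_NONCE)
    return ok, fresh.decode(p2)


if __name__ == "__main__":
    print("session key:", derive_session_key(IMPLANT_NONCE, C2_NONCE).hex())
    ok, wrong = roundtrip_demo()
    print("stateful round trip ok:", ok)
    print("second packet decoded with a reset index:", wrong)
```

The practical consequence for anyone decoding a capture is that the two key indexes must be carried across every packet of a session in each direction, so a decoder has to see the whole session from the handshake onward; a packet taken in isolation will not decode correctly even with the right key.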

The variety of slightly different C2 protocols in the wild could show that the Quarian APT group was attempting to diversify its capabilities to help avoid detection.  However, the same easy to find proxy and mutex strings were still present in the newer malware, which would again suggest little concern was placed on public awareness of their malware and its network characteristics.

Conclusion:

China, along with Russia, has actively blocked U.N. Resolutions against Syria throughout the crisis from its seat on the U.N. Security Council.  While China’s interests in Syria are not as obvious as Russia’s, China and Syria maintain strong economic and military ties that existed prior to the crisis.  In terms of the Quarian actors' operational security, either their threshold for public attention is high or their ability to quickly adapt is low, as demonstrated by their resistance to significant changes despite multiple public reports detailing their malware and infrastructure.  Many of the characteristics of Quarian align with the textbook standard for other “China-nexus” APT groups (e.g. spearphishing emails for targeted exploit delivery, use of dynamic DNS services for C2 infrastructure, use of “good-enough” exploits to gain system and network access).  Keeping track of persistent network threats as they evolve, as we have done with the Quarian campaigns, is a repeatable process within ThreatConnect.

The following graphic (Figure 8) highlights the value of collaboration, threat intelligence sharing and fused perspective obtained from community reporting over time.  This extended visibility into a persistent threat group gives a shared awareness to network defense and enterprise security teams that need to protect themselves from this or any other persistent threat.


Figure 8. Graphic representation of Quarian activity overlaid with ThreatConnect Research and AV industry reporting.

Our ongoing and dynamic analyses of the various Quarian implants have all been shared within the exclusive ThreatConnect Subscriber Community as they were discovered, packaged nicely with exportable indicators and signatures. For more information about moderated subscriber communities please click here or contact us with any questions.

With the publication of this blog, the Threat "QUARIAN APT" and the following ThreatConnect Incidents have now been shared system wide to all public and private ThreatConnect Communities, along with Snort and Yara signatures that detect the observed version of the Quarian implant.

If your organization is interested in obtaining regular crowd-sourced threat intelligence that increases your awareness of existing or emerging threats like Quarian, please register at ThreatConnect, join our communities or create your own, connect and collaborate together.

ABOUT THE AUTHOR

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.