Quarian Targeted-Attack Malware Evades Sandbox Detection

Last year, we blogged about the actor known as Quarian, who is involved in targeted attacks. This individual or group has been active since at least 2011 and has targeted government agencies. The attacks use spear phishing campaigns with crafted .pdf and .doc files as bait for unsuspecting users.

Recently, we found a new sample that has been detected by hardly any security vendor. The new sample is a modified version of the common binary with reinforcements to prevent its replication in a sandbox if executed without any parameters.

When the sample is run without command-line parameters, it checks its presence with the following key, and then exits if the key is not present. This AppID check was not present in the version of the malware identified last year.

  • HKCRAppID{A941329B-8B10-4060-BCEE-E323018DFFBB}

If the sample is run with a proper command-line parameter, however, it registers itself as a Type Library and Windows service.

Other enhancements include improved boot survival: Quarian registers itself as a Windows service, instead of as a Run entry in the previous version.

The new binary sample appears to have been compiled on March 20.

Quarian connects to the control server visitlink.dnsrd.com, which resolves to

Its commands remain the same as in the previous variant:

  • 0×1: Get host information–OS version, host name, IP address, username
  • 0×2: Exit control server functions
  • 0×3: Shut down the client
  • 0×4: Run a file, possible backdoor
  • 0×5: Obsolete, no longer used
  • 0X6: Remote shell–used to interactively run commands
  • 0X7: Extended control functions (FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile)
  • 0X10: Write to “cf” file to define sleep time


Most sandboxes will fail to detect this variant of Quarian because it shows no behavior unless a command-line argument is passed to it or the AppID entry is present.

Even though the latest Quarian has many changes (create service, ATL, TypeLib), McAfee Advanced Threat Defense can detect it using our newly enhanced static code-analysis engine, a.k.a. family classification.

The family classification engine provides a unique advantage over sandboxes that rely only on behavior and static file properties to detect malware. The similarity factor in family classification indicates the extent of code changes against the original. With many targeted attacks using new and previously unknown evasion techniques, the family classification engine within Advanced Threat Defense provides a unique differentiator.

The post Quarian Targeted-Attack Malware Evades Sandbox Detection appeared first on McAfee.