Quickheal
Type of Malware | Backdoor
Country of Origin | China
Targeted Countries | Vietnam
Date of initial activity | 2023
Associated Groups | RedFoxtrot
Motivation | Espionage
Attack Vectors | Phishing
Targeted Systems | Windows
Overview
Quickheal is a backdoor that has drawn attention in the security community because of its association with advanced persistent threat (APT) activity (the group listed above is RedFoxtrot) and its use in espionage campaigns. It takes its name from the legitimate Quick Heal security software it disguises itself as, and has been used in a series of attacks aimed primarily at telecommunications operators and other critical sectors. Its ability to evade detection and carry out a full post-compromise workflow makes it a significant concern for defenders.
Quickheal relies on obfuscation and low-profile communications. It typically reaches a target through exploitation of software vulnerabilities or through social engineering (phishing, per the metadata above) that persuades a user to run a malicious payload. Once installed, it establishes a foothold through backdoor functionality that maintains persistence and seeks elevated privileges within the compromised environment.
Its primary functions are credential theft, data exfiltration and system reconnaissance. Quickheal captures login credentials and authentication tokens, which the operators use to broaden their access or pivot to other systems on the network. Stolen data leaves over encrypted channels, which reduces the chance that conventional network security tools flag the transfer.
Targets
Telecommunications operators and other critical-sector organisations, primarily in Vietnam (see the profile table above).
How they operate
Initial Access and Exploitation
The operational lifecycle of Quickheal often begins with exploitation of a public-facing application. By targeting weaknesses in internet-accessible systems, usually known vulnerabilities and in some cases previously unknown (zero-day) flaws, the operators gain initial access without needing a user to act. The phishing vector listed in the profile table is the alternative entry point. Once a host is compromised, Quickheal is deployed and the intrusion proceeds from there.
Persistence and Privilege Escalation
To survive reboots, Quickheal uses commodity persistence techniques: adding a value under a registry Run or RunOnce key, or placing a shortcut or executable in a Startup folder, so that the implant is launched at each logon. In parallel it may attempt to escalate privileges using known local exploits. With elevated permissions the malware can reach protected resources such as credential stores and can disable or evade endpoint controls more effectively.
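Both persistence mechanisms described above leave a consistent trace in endpoint telemetry: a registry value written under an autostart key, or a file created in a Startup folder. The following detection logic is an added example, not code from the page or from any Quickheal sample. It runs over constructed JSON lines that mimic Sysmon Event ID 13 (RegistryEvent, value set) and Event ID 11 (FileCreate); the field names follow Sysmon's schema, while the host names, paths, image names and the allow-list of trusted writers are invented for the demonstration.

```python
"""Flag Run-key and Startup-folder persistence in Sysmon-style events.

Added example (not code from the page or from any Quickheal sample). Input is
constructed JSON lines that mimic Sysmon Event ID 13 (RegistryEvent, value set)
and Event ID 11 (FileCreate); field names follow Sysmon's schema, while the host
names, paths, image names and the allow-list are invented for the demonstration.
"""
import json
import re
from typing import Dict, List, Optional

# Autostart keys under HKLM or a user hive (T1547.001), matched case-insensitively
# against the TargetObject of an Event ID 13 record.
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|Policies\\Explorer\\Run)\\",
    re.IGNORECASE,
)
# Per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders share this tail.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Writers that legitimately create autostart entries in this (constructed) estate.
TRUSTED_WRITERS = {r"c:\windows\system32\msiexec.exe"}


def classify(event: Dict) -> Optional[str]:
    """Return 'run_key', 'startup_folder' or None for one Sysmon event."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None if image in TRUSTED_WRITERS else "run_key"
    if eid == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        return "startup_folder"
    return None


def find_persistence(lines: List[str]) -> List[Dict]:
    """Parse JSON lines and return one finding per autostart write."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = classify(ev)
        if kind:
            hits.append({
                "kind": kind,
                "host": ev.get("Computer"),
                "image": ev.get("Image"),
                "target": ev.get("TargetObject") or ev.get("TargetFilename"),
                "details": ev.get("Details"),
            })
    return hits


# Constructed sample: a dropper in %TEMP% registering itself twice, a trusted
# installer writing a Run value, and an unrelated Explorer setting.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\qhupd.exe", '
    r'"TargetObject": "HKU\\S-1-5-21-1004\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QuickHealUpdate", '
    r'"Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\qhupd.exe"}',
    r'{"EventID": 11, "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\qhupd.exe", '
    r'"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\qh.lnk"}',
    r'{"EventID": 13, "Computer": "WS02", "Image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", '
    r'"Details": "C:\\Program Files\\Vendor\\tray.exe"}',
    r'{"EventID": 13, "Computer": "WS02", "Image": "C:\\Windows\\explorer.exe", '
    r'"TargetObject": "HKU\\S-1-5-21-1004\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", '
    r'"Details": "DWORD (0x00000001)"}',
]

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EVENTS):
        print(hit)
```

The allow-list is deliberately keyed on the writing process rather than on the value name, because a dropper can pick any name it likes (here it borrows the vendor's) but rarely bothers to write from a trusted installer process. In production, feed the same functions your Sysmon or EDR export one event per line and review the `image` and `details` fields of each hit together.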
Defense Evasion and Obfuscation
Quickheal employs several defense evasion techniques to avoid detection by security products. Its files are obfuscated through encryption and packing, which hides the code from static scanners and slows analysis. It may also use binary padding, appending filler bytes to inflate the executable, which changes the file hash and can push the sample past the size limits of sandboxes and scanners. Together these measures reduce the likelihood that traditional signature-based controls recognise the implant.
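Binary padding is easy to spot once you know where to look: the PE section table states where the file should end, and anything after that point (the overlay) can be measured. The triage routine below is an added example, not code from the page or from any Quickheal sample. `build_fake_pe()` constructs a minimal PE32 layout (headers plus one section, not a loadable executable) so the check runs offline; the one-megabyte and one-bit-per-byte thresholds are assumptions to tune per environment.

```python
"""Triage a Windows PE for binary padding (T1027.001): locate where the section
table says the file should end, and test whether the bytes past that point (the
overlay) are low-entropy filler.

Added example, not code from the page or from any Quickheal sample. build_fake_pe()
constructs a minimal PE32 layout (headers plus one section, not a loadable
executable) so the check runs offline; the size and entropy thresholds are
assumptions to tune per environment.
"""
import math
import struct
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_end_of_sections(data: bytes) -> int:
    """File offset at which the last raw section ends, from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    end = struct.unpack_from("<I", data, opt + 60)[0]     # SizeOfHeaders
    sect_table = opt + size_opt
    for i in range(num_sections):
        hdr = sect_table + 40 * i                         # 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def triage_padding(data: bytes, min_overlay: int = 1_000_000,
                   max_entropy: float = 1.0) -> Dict:
    """Report overlay size and entropy; flag a large, near-constant overlay.

    Legitimate overlays (installer payloads, Authenticode signatures) are small
    or high-entropy; a multi-megabyte run of one or two byte values is padding
    appended to change the hash and push the file past scanner size limits.
    """
    end = pe_end_of_sections(data)
    overlay = data[end:]
    ent = shannon_entropy(overlay)
    return {
        "file_size": len(data),
        "sections_end": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        "padded": len(overlay) >= min_overlay and ent <= max_entropy,
    }


def build_fake_pe(overlay: bytes) -> bytes:
    """Constructed PE32 shell: 0x200 bytes of headers, one 0x200-byte section, then overlay."""
    e_lfanew, size_opt, size_headers = 0x40, 224, 0x200
    raw_ptr = raw_size = 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 60, size_headers)         # SizeOfHeaders
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_headers, b"\0")
    section = bytes(range(256)) * (raw_size // 256)       # high-entropy "code"
    return headers + section + overlay


if __name__ == "__main__":
    print(triage_padding(build_fake_pe(b"\x00" * 2_000_000)))
```

To use this on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage_padding`. A high-entropy overlay is reported but not flagged as padding, since that usually indicates an appended payload or signature rather than filler, and deserves a different follow-up (carving the overlay and inspecting it).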
Credential Access and Discovery
A core component of Quickheal's operations is credential access. The malware performs credential dumping to extract secrets from the compromised host, including user credentials and authentication tokens, which the operators reuse for further infiltration and lateral movement. Quickheal also conducts network service discovery and system information discovery to map the target environment. By enumerating reachable services and host configurations, the operators identify additional systems worth compromising.
Lateral Movement and Exfiltration
Quickheal's operators move laterally across the network, most often over the Remote Desktop Protocol (RDP). RDP is not exploited here; it is used as intended, with credentials harvested in the previous phase, to open interactive sessions on other machines. This lateral movement expands the intrusion's reach and gives access to valuable data on multiple systems. Data collection and staging follow: files are gathered and prepared for extraction, which limits the number of observable transfers and ensures that what is exfiltrated is valuable and actionable.
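Because the lateral movement above uses valid credentials over RDP, the individual logons look legitimate; what stands out is the pattern of one source and one account reaching several hosts in quick succession. The fan-out check below is an added example, not code from the page or from any Quickheal sample. The records are constructed JSON lines using Windows Security Event ID 4624's field names (LogonType 10 is RemoteInteractive, i.e. RDP); the hosts, users, addresses and thresholds are invented for the demonstration.

```python
"""Spot RDP fan-out (T1021.001) in Windows Security 4624 events: one source
address and account opening RemoteInteractive (Logon Type 10) sessions to
several hosts in a short window.

Added example, not code from the page or from any Quickheal sample. The records
are constructed JSON lines using Event ID 4624's field names (LogonType,
IpAddress, TargetUserName, Computer, TimeCreated); hosts, users, addresses and
thresholds are invented for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def rdp_fanout(lines: List[str], window: timedelta = timedelta(hours=1),
               min_hosts: int = 3) -> List[Dict]:
    """Return one finding per (source IP, account) reaching >= min_hosts distinct
    targets over RDP within `window`. Interactive admins usually touch one or two
    hosts in an hour; a harvested credential replayed across the estate does not."""
    by_source = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or int(ev.get("LogonType", 0)) != 10:
            continue                                     # successes over RDP only
        ts = datetime.fromisoformat(ev["TimeCreated"])
        key = (ev["IpAddress"], ev["TargetUserName"].lower())
        by_source[key].append((ts, ev["Computer"]))

    findings = []
    for (src, user), logons in by_source.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):             # slide a window from each logon
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"source": src, "user": user, "hosts": sorted(hosts),
                                 "first_seen": t0.isoformat()})
                break
    return findings


# Constructed sample: a service account hopping across three servers in 20 minutes,
# an admin's two normal sessions, a network (type 3) logon and a failed logon.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetUserName": "svc_backup", "Computer": "SRV-DB01", "TimeCreated": "2024-03-04T02:11:09"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetUserName": "svc_backup", "Computer": "SRV-FS02", "TimeCreated": "2024-03-04T02:19:41"}',
    '{"EventID": 4624, "LogonType": 3, "IpAddress": "10.10.5.23", "TargetUserName": "svc_backup", "Computer": "SRV-WEB03", "TimeCreated": "2024-03-04T02:22:00"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetUserName": "SVC_BACKUP", "Computer": "SRV-AD01", "TimeCreated": "2024-03-04T02:30:57"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.1.5", "TargetUserName": "jsmith", "Computer": "SRV-FS02", "TimeCreated": "2024-03-04T09:02:13"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.1.5", "TargetUserName": "jsmith", "Computer": "SRV-DB01", "TimeCreated": "2024-03-04T09:40:31"}',
    '{"EventID": 4625, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetUserName": "svc_backup", "Computer": "SRV-AD02", "TimeCreated": "2024-03-04T02:33:10"}',
]

if __name__ == "__main__":
    for finding in rdp_fanout(SAMPLE_EVENTS):
        print(finding)
```

Account names are lower-cased before grouping because Windows logs them as typed, so `SVC_BACKUP` and `svc_backup` are the same principal. Failed logons (4625) are skipped here on purpose; a separate rule for a burst of 4625s from one source is the usual companion to this one, since credential reuse tends to fail on a few hosts before it succeeds.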
Command and Control Communication
Finally, Quickheal communicates with its command and control (C2) servers to receive tasking and to exfiltrate staged data. The channel is encrypted, typically HTTPS, so that the traffic blends with ordinary web browsing and its content cannot be inspected by network monitoring. Encryption hides the payload but not the metadata: the destination, the volume and, above all, the timing of the connections remain visible to defenders.
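The timing observation above is the basis of beacon detection: an implant that checks in on a schedule produces connection gaps that are far more regular than a person's browsing. The routine below is an added example, not code from the page or from any Quickheal sample. Its input is constructed Zeek-style `conn` tuples (timestamp, source, destination, destination port) with invented addresses; the 300-second interval, the jitter pattern and the thresholds are assumptions chosen for the demonstration.

```python
"""Find periodic HTTPS check-ins (T1071.001 / T1041) in connection logs.

Added example, not code from the page or from any Quickheal sample. Records are
constructed Zeek-style conn tuples (ts, id.orig_h, id.resp_h, id.resp_p) with
invented addresses; the 300-second interval, the jitter pattern and the
thresholds are assumptions for the demonstration.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Conn = Tuple[float, str, str, int]   # (unix ts, source IP, destination IP, dest port)


def beacon_candidates(conns: List[Conn], min_conns: int = 8,
                      max_cv: float = 0.25) -> List[Dict]:
    """Group TLS connections by (source, destination), compute the gaps between
    successive connections, and flag pairs whose gaps are nearly constant.

    TLS hides the payload, not the timing: an implant that sleeps a fixed
    interval (plus small jitter) yields a low coefficient of variation
    (stdev / mean) in its inter-arrival gaps, while human browsing does not.
    """
    pairs = defaultdict(list)
    for ts, src, dst, port in conns:
        if port == 443:
            pairs[(src, dst)].append(ts)
    out = []
    for (src, dst), times in pairs.items():
        if len(times) < min_conns:                       # too few points to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "count": len(times),
                        "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return out


def _sample_conns() -> List[Conn]:
    """Constructed traffic: a 300 s beacon with +/-15 s jitter, a human browsing
    session to another host, and a plain-HTTP (port 80) pair that is out of scope."""
    t0 = 1_700_000_000.0
    jitter = [0, 12, -8, 5, -15, 9, 3, -4, 11, -7, 6, 0]
    beacon = [(t0 + 300 * i + j, "10.10.5.23", "203.0.113.45", 443)
              for i, j in enumerate(jitter)]
    human, t = [(t0, "10.10.5.23", "198.51.100.7", 443)], t0
    for gap in [2, 45, 1, 300, 7, 1200, 3, 60, 900]:
        t += gap
        human.append((t, "10.10.5.23", "198.51.100.7", 443))
    plain = [(t0 + 300 * i, "10.10.5.23", "198.51.100.9", 80) for i in range(12)]
    return beacon + human + plain


SAMPLE_CONNS = _sample_conns()

if __name__ == "__main__":
    for candidate in beacon_candidates(SAMPLE_CONNS):
        print(candidate)
```

The coefficient of variation is used rather than the raw standard deviation so that a 5-minute beacon and a 4-hour beacon are judged on the same scale. Expect false positives from software updaters, telemetry agents and mail clients, which also poll on timers; the usual next step is to join the flagged destination against a domain-age or reputation feed and against the process that opened the socket.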
MITRE Tactics and Techniques
Initial Access (TA0001)
Exploitation of Public-Facing Applications (T1190): Quickheal malware often exploits vulnerabilities in publicly accessible applications to gain initial access.
Persistence (TA0003)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001; formerly T1060): The malware may add registry Run values or Startup folder entries to ensure it runs after each reboot or logon.
Privilege Escalation (TA0004)
Exploitation for Privilege Escalation (T1068): Quickheal can exploit vulnerabilities to gain elevated privileges on the target system.
Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): The malware uses various obfuscation techniques to hide its presence from security tools.
Obfuscated Files or Information: Binary Padding (T1027.001; formerly T1009): It may append filler bytes to its executables to alter hashes and complicate detection and analysis.
Credential Access (TA0006)
OS Credential Dumping (T1003): Quickheal is capable of dumping credentials from process memory or on-disk credential stores to gain further access.
Discovery (TA0007)
Network Service Discovery (T1046; previously named Network Service Scanning): The malware scans the network to discover additional systems and services within the target environment.
System Information Discovery (T1082): It gathers information about the system to identify valuable data or weak points.
Lateral Movement (TA0008)
Remote Services: Remote Desktop Protocol (T1021.001; formerly T1076): Quickheal uses RDP, typically with stolen credentials, to move laterally across the network.
Collection (TA0009)
Data Staged (T1074): It stages collected data before exfiltration to minimize detection and prepare for extraction.
Exfiltration (TA0010)
Exfiltration Over C2 Channel (T1041): Quickheal exfiltrates data using encrypted channels to communicate with its command and control servers.
Command and Control (TA0011)
Application Layer Protocol: Web Protocols (T1071.001): The malware carries its command and control traffic over HTTPS, blending with legitimate web traffic.