{
	"id": "4db5b086-f9cb-4803-8753-cb2724a19d8c",
	"created_at": "2026-04-06T00:11:42.210502Z",
	"updated_at": "2026-04-10T03:37:54.362882Z",
	"deleted_at": null,
	"sha1_hash": "37975b58c77948d4226623e075b56a5417d8019d",
	"title": "Quarians, Turians and…QuickHeal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7157365,
	"plain_text": "Quarians, Turians and…QuickHeal\r\nBy asuna amawaka\r\nPublished: 2021-08-29 · Archived: 2026-04-05 21:35:26 UTC\r\nAug 29, 2021\r\nI know, that third name in the title didn’t quite fit into the “Mass Effect” bucket. But hey, I was not the one who named this malware family ;)\r\nA month or so ago, I took notice of a set of malware identified as “QuickHeal”, and I thought of looking into researching it. It turned out to be a pretty interesting piece of work. I found resemblances between QuickHeal and a malware detailed by ESET (1) dubbed Turian. And this malware seemed to have been associated with many threat actors, e.g. Nomad Panda, APT15, RedFoxTrot — all of which have somewhat similar victimology. Does that mean these groups are related somehow? Or perhaps they are in fact the same group that went by a different name at various security companies?\r\nI’m going to share my findings on QuickHeal and its variants; hopefully someone out there finds it useful. And of course, I’ll be happy to chat on Twitter :)\r\nThe samples analyzed:\r\nMy starting point was the sample with hash\r\nC6B84755AF54768C0B8676CB6551DF1A29B4DFDDB04FAF4BBF7AE3E6DC3636E2.\r\nThis sample was identified as “QuickHeal” by FireEye researcher Ashley Shen in her “Return of IceFog APT” presentation in 2019. I analyzed this file in 2019, along with another sample I took notice of from the presentation (FunRun, analysis of it here: https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6)\r\nhttps://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42\r\nPage 1 of 42\r\nThen recently, I found other samples that resembled QuickHeal, which led to digging up many more files. Coincidentally, I managed to get at least 1 sample with a compilation year from each year 2012–2021. This allowed some comparison of the features’ development across the years.\r\nA common feature: Faking SSL traffic\r\nThis family of malware is sneaky! Its communications are made up of XOR-encrypted data that comes prepended with a TLS/SSL header (I’m just going to refer to the protocol generally as SSL; the intricate differences don’t really matter since the malware just fakes it). Network defenses would not suspect anything and allow this data to strut through port 443. Even if content inspection is done by perimeter appliances, this traffic will not decrypt properly the way standard SSL would. To make things even more believable, QuickHeal’s communications protocol even involves an SSL-like handshake procedure to exchange the XOR key with the C2. Let’s take a deep look at the protocol:\r\n1 — Prepare and send “Client Hello”\r\nFigure 1 Hardcoded SSL header seen within\r\nc6b84755af54768c0b8676cb6551df1a29b4dfddb04faf4bbf7ae3e6dc3636e2\r\nThe malware hardcodes an SSL header within itself, and generates random values at runtime that overwrite part of this header to give the impression of a real SSL handshake.\r\nIn the example shown in the screenshot above, 0x34 bytes of “Client Hello” header are loaded, and 0x1C bytes starting from offset 0xF of this header are replaced with random values (strictly speaking, the original values are XORed with random values). This header is then sent to the C2.\r\nA breakdown of the hardcoded header shows that it follows the definition of the SSL Client Hello structure:\r\nFigure 2 breakdown of header structure using hardcoded value from\r\nc6b84755af54768c0b8676cb6551df1a29b4dfddb04faf4bbf7ae3e6dc3636e2\r\nHere is another example of a hardcoded header in a different sample:\r\nFigure 3 Hardcoded SSL header seen within\r\n727093e220e39f73b341acf9cc5bff2c4fa727013173bdf4afac3e81399139e0\r\nFigure 4 breakdown of header structure using hardcoded value from\r\n727093e220e39f73b341acf9cc5bff2c4fa727013173bdf4afac3e81399139e0\r\n2 — Receive response from Server\r\nFigure 5 disassembly snippet on first 5 bytes of data expected to be received in response to “Client Hello”, from 271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nThe malware then expects to receive a response from the C2 server that starts with the byte 0x16 (the SSL record type for handshake messages), followed by 2 bytes of length information in the 4th and 5th positions, exactly like a standard SSL server response. The length is read (converted from network byte order) and checked to be smaller than or equal to 0x3FF9. The malware then proceeds to receive that number of bytes from the server, 1 byte at a time. The content received is not checked by the malware.\r\nFigure 6 disassembly snippet on rest of data expected to be received in response to “Client Hello”, from 271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\n3 — Prepare and send “Client Key Exchange”\r\nFigure 7 disassembly snippet on next part of handshake sent to C2, from\r\n271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nAfter all expected bytes have been received from the server, the malware replaces bytes at 3 locations within another hardcoded block of SSL-like data with random values. One of these random values is used to derive the XOR key after an exchange with the C2 server. The structure breakdown is as follows:\r\nFigure 8 breakdown of next header structure using hardcoded value from\r\n271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nHere is an example from another sample:\r\nFigure 9 breakdown of next header structure using hardcoded value from\r\nd014bf062872eb8ba138bf3a70f96cdcf90f6bae7369e62971821e0ddbd2cc5f\r\nFigure 10 disassembly snippet on generating malware-side random value to form final XOR key for communications, from\r\n271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nThe 28 bytes of malware-side value (client key) are generated within a function during the malware initialization stage. This client key is used with the 28 bytes (server key) received from the C2 server to derive the final XOR key used to XOR-encrypt subsequent communications between the malware and the C2, where the encrypted data is appended to an SSL Application Data header to pass off as standard SSL communications.\r\n4 — Receive response from Server\r\nThe expected response from the server comes in 2 parts:\r\nFirst the malware receives 5 bytes, checks that it begins with 0x14 (the SSL record type for ChangeCipherSpec), checks the length (just like before), and continues to receive the remaining bytes (the contents are not checked);\r\nThe second part expected contains the important content. The malware again starts by receiving 5 bytes, checks that it begins with 0x16, and then checks the length of data to receive, followed by receiving the rest of the data. This data contains the server key, and along with the earlier generated client key, the final communications XOR key is derived by an algorithm as such:\r\nFigure 11 decompiled function from\r\n271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nThe above 4 steps that I’ve described correspond (sort of, with some length differences) with a diagram from ESET, which was how I was able to correlate the QuickHeal sample that I had started with to the Turian malware.\r\nCredits: ESET\r\nAliens, aliens everywhere: Comparison analysis\r\nI’ve checked across all the samples and found a similar fake SSL handshake exchange in each. There are some changes in the samples as the years go by. For example…\r\nThe final XOR key\r\nThe algorithm to derive the final XOR key differs slightly between the oldest sample (compiled 2012) and the newer ones. The key length is also different: it used to be 8 bytes, and in the latest samples we are seeing 28-byte keys.\r\nHere’s how the function that derives the final XOR key differs:\r\nFigure 12 comparing 0ae045cad78021e0772ee49c1c135091bc64a91c8e940e3746785603178a10f6 and 271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nThe 8-byte XOR key derivation within the 2012 sample has been documented by Cisco Talos (2).\r\nI tried to compare across all the samples and found one interesting observation. The 8-byte key was replaced with 28 bytes from 2013 onwards. But one particular sample compiled in 2020 also used an 8-byte key. And I found that the 2012 sample and the 2020 sample are of the same variant (with similar command IDs supported). More on this later. Based on VirusTotal’s submission information, this sample was uploaded by a user in China on 15 Jul 2021. Is this a test sample uploaded by the malware author or operator?\r\nFigure 13 compare get_final_xorkey from samples across the years\r\nA more believable handshake\r\nThe “SSL” handshake observed within the 2012 sample is much shorter (only 1 send and 1 receive involved) than in the later samples.\r\nFigure 14 disassembly snippet on simple handshake, from\r\n0ae045cad78021e0772ee49c1c135091bc64a91c8e940e3746785603178a10f6\r\nAnother interesting observation when comparing the 2012 sample and the 2020 sample: the “SSL” handshake process in the 2020 sample is the “better” one (or at least, bears closer resemblance to the real SSL handshake). However, when examining the shape of the graph, it still looks different from the other samples. So it is not a case of simply recompiling old code. From Figure 15, notice how the 2021 sample’s graph for the same function also changed from earlier samples. This suggests that this malware family is still under active development.\r\nFigure 15 compare graphs of “SSL” handshake process across all samples\r\nC2 configuration\r\nI will go through each sample by year, to see how the “evolution” happened in how the malware handles its C2 configuration.\r\nIn the 2012 sample, the C2 configuration is embedded within the code in the form of a single-byte XOR-encoded string:\r\nFigure 16 disassembly snippet on reading C2 data, from\r\n0ae045cad78021e0772ee49c1c135091bc64a91c8e940e3746785603178a10f6\r\nThe decryption algorithm is as follows, where the XOR key value is incremented starting with 0x38.\r\nFigure 17 disassembly snippet on decrypting C2 string, from\r\n0ae045cad78021e0772ee49c1c135091bc64a91c8e940e3746785603178a10f6\r\nHere’s a quick python snippet to decrypt the C2 address:\r\nThe algorithm found in the 2013 and 2015 samples is slightly different from the above.\r\nFigure 18 disassembly snippet on reading C2 data, from\r\n836f7cf5190efd313cad36acd794c19b199d6d1807675d453eedf270116a12ee\r\nFigure 19 disassembly snippet on reading C2 data, from\r\na3a7faa58dac9b5d3e4640df62cce2d41605d5d43153630b796cb53fcd19a6ff\r\nFigure 20 disassembly snippet on decrypting C2 string, from\r\n836f7cf5190efd313cad36acd794c19b199d6d1807675d453eedf270116a12ee\r\nIn the 2014 sample, there are no encrypted C2 addresses; we are able to see the configuration in plain. The malware writes a secondary set of configuration information into an .ini file (the ini filename follows the malware’s filename). The configuration information written includes: the secondary C2 IP address, port number, username and password.\r\nThe malware will first try to establish a connection with the primary C2 address; if that fails, it will read proxy settings from the victim machine and try again. If that still fails, it proceeds to read the ini file for the secondary C2 configuration and tries to connect to that second address.\r\nFigure 21 disassembly snippet on reading C2 data, from\r\n3af4f3a9a0210a1021d01b18b623367699bab6273fb42d2f028c1600ecda3ddb\r\nC2 configuration in the 2016 sample is also not encrypted.\r\nFigure 22 disassembly snippet on reading C2 data, from\r\n727093e220e39f73b341acf9cc5bff2c4fa727013173bdf4afac3e81399139e0\r\nThe 2016 sample is a nice sample to reverse engineer, because it comes with many debugging comments :D I’ll show some of these in the next section, when I talk about the RAT features.\r\nThe 2017 sample’s C2 configuration is also in plain, and looks similar to what was found in the 2015 sample. However, there is no “.ini” file being used here.\r\nFigure 23 disassembly snippet on reading C2 data, from\r\nc6b84755af54768c0b8676cb6551df1a29b4dfddb04faf4bbf7ae3e6dc3636e2\r\nThe 2018 sample is worth taking a good look at: it comes with RTTI, so we can see helpful names which help us to understand the other samples as well :D Let’s see how it stores its C2 configuration: no encryption, and it looks similar to the earlier samples.\r\nFigure 24 disassembly snippet on reading C2 data, from\r\naa5a313d1f0cbbf6900e55a16a6737068d9d8831a7ad49b285d5796aa589036a\r\nI have 2 samples which were compiled in 2019. Previously, we noticed that the function graphs of the “SSL” handshake as well as the derivation of the final XOR key differ in these two samples. Here, we see that the C2 configuration function in both samples is identical. This seems to suggest that there is one source code shared between the two binaries, yet each has its own changes.\r\nFigure 25 disassembly snippet on reading C2 data, from\r\n7bb281fb5bce830c60610c4b75bd024ccb9b18f8e38f7ad9991259071eeb0350\r\nFigure 26 disassembly snippet on reading C2 data, from\r\n271d4b9ee4d563953f41193c98a6687418166b96185e8b87052863f0ae705048\r\nNotice how the functions in these samples so far sort of resemble one another, despite the differences in how the C2 strings are being read. This changed in the sample compiled in 2020.\r\nIn the 2020 sample, the C2 configuration and the function that handles the startup of the malware are vastly different from the earlier samples. There was also an attempt to look for a running process named “cvnjmpcp.exe”, which I would think is the name of the malware process (so this is to ensure there is only 1 instance of the malware executing on the victim).\r\nThere is a loopback address found in plain. There is also a “fallback” encrypted C2 address, but this secondary C2 address is not found alongside the loopback address within the function, unlike in earlier samples.\r\nFigure 27 disassembly snippet on decrypting secondary C2 address, from\r\nd014bf062872eb8ba138bf3a70f96cdcf90f6bae7369e62971821e0ddbd2cc5f\r\nThe secondary C2 address is found when following the malware’s attempts to connect to the C2.\r\nThe decryption algorithm is also different from the earlier samples (2012, 2013 and 2015). Although it is also XOR decryption, the XOR key used is not a simple incremented counter.\r\nFigure 28 disassembly snippet on C2 string’s decryption function, from\r\nd014bf062872eb8ba138bf3a70f96cdcf90f6bae7369e62971821e0ddbd2cc5f\r\nHere’s a python snippet to decrypt the C2 string for this sample:\r\nThere are also additional configuration and log files being used by the malware, named “cf” and “the.db” respectively.\r\nFigure 29 disassembly snippet on writing error message into “the.db” file, from\r\nd014bf062872eb8ba138bf3a70f96cdcf90f6bae7369e62971821e0ddbd2cc5f\r\nThe configuration file only seems to contain a 4-byte value that is used as the sleep interval. In earlier samples, this configuration file would be named “.ini” and contain C2 information as well. This is yet another change found within this sample.\r\nFigure 30 disassembly snippet on reading sleep interval from “cf” file, from\r\nd014bf062872eb8ba138bf3a70f96cdcf90f6bae7369e62971821e0ddbd2cc5f\r\nThe latest sample, compiled in 2021, contains C2 configuration decrypted in a different manner from the previous samples. The XOR key used is an incremented counter XORed with the value 0x7E (previously the key used was an incremented counter added to a fixed value). The way that the encrypted string is stored and used within the code is a little different from the other samples. These changes suggest that there is an effort from the adversary to keep changing the binary (especially in recent years) in an attempt to make reverse engineering less convenient. It may also not be a deliberate effort, but an unintended side effect of different teams editing and recompiling the malware (stemming from the same source code).\r\nFigure 31 disassembly snippet on decrypting C2 string, from\r\ne4fdb279a4792ad516592076ce9a6a40c803af84bcc2e2e4f9ee48df6af9e88b\r\nPersistence Mechanism\r\nThe code for setting persistence also changed across the years:\r\nIn the earliest sample, the approach is to directly set the Run regkey:\r\nFigure 32 decompiled snippet on modifications to registry values, from\r\n836f7cf5190efd313cad36acd794c19b199d6d1807675d453eedf270116a12ee\r\nLater on, the malware does the Run regkey insertion and removal through the use of a .bat file:\r\nFigure 33 decompiled snippet on writing commands to modify registry values to bat file, from\r\n3af4f3a9a0210a1021d01b18b623367699bab6273fb42d2f028c1600ecda3ddb\r\nThe malware also seems to like using a mix of upper and lowercase letters in what it writes into the bat file, possibly to avoid string-matching detections (but ironically this made it possible for us to write YARA rules for them).\r\nFigure 34 disassembly snippet on hardcoded commands used to modify registry key, from\r\na3a7faa58dac9b5d3e4640df62cce2d41605d5d43153630b796cb53fcd19a6ff\r\nHere’s where the roads diverge: The commands / RAT features\r\nWhile the network-related functions are almost the same, and the other features that I compared suggested minor changes to the code, the command IDs accepted by the RAT can be used to clearly classify the samples into 2 variants (though the actual features are more or less the same). I’m not exactly sure how the community now differentiates “Quarian” and “Turian”, and I’m not going to contribute more confusing names to this set of malware. They shall just be QuickHeal variants to me. I’m more than happy to chat about this, drop me a DM on Twitter :)\r\nI was able to figure out the command IDs accepted by the malware, based on the big switch table that handles data received from the C2 server. Here’s the breakdown of command IDs:\r\nTwo of the samples (compiled in 2016 and 2018) made understanding the other samples much easier, with RTTI and debugging strings compiled into the binaries :)\r\nSome of the debugging strings (printed via OutputDebugString) within the 2016 sample are:\r\n· [%08X]: CClient::Connect(%S:%d)…\r\n· [%08X]: CProtocolClient::ShakeHands() OK\r\n· [%08X]: CProtocolClient::Connect() OK\r\nThe malware refers to the function that performs the fake SSL handshake as “ShakeHands”. Cute.\r\nFigure 35 disassembly snippet showing debugging strings to denote status of connection to C2 and fake SSL handshake, from\r\n727093e220e39f73b341acf9cc5bff2c4fa727013173bdf4afac3e81399139e0\r\nThe 2018 sample comes compiled with RTTI. The classes in the malware are:\r\n· CClient\r\n· CProtocolClient\r\n· CNetwork\r\n· CCrypt\r\n· ProxyOperation\r\n· TransferParam\r\nNotice how some of these class names were also in the 2016 sample (within the debugging strings).\r\nIf you’re interested, here are details of how the set of Command IDs in each sample differs from the others.\r\n2012 Sample\r\nVictim information collected includes:\r\nOS Version\r\nMemory\r\nHostname\r\nIP address\r\nUsername\r\n2013/2014 Samples\r\nThe overlapping commands, e.g. file-related commands, look very much like those in the 2012 sample, though the command IDs changed.\r\nVictim information collected includes:\r\nOS Version\r\nMemory\r\nHostname\r\nIP address\r\nUsername\r\nMalware configuration (C2 addresses, ports, username, password)\r\n2015 Sample\r\nThe command IDs look similar to the 2013/2014 samples. The differences/improvements are:\r\n1 new command ID supported, 0x100, that serves as a server heartbeat\r\n1 new command ID supported, 0x800, that gives the ability to update the C2 address\r\na change in 0x600 that turned it into a dedicated malware removal command\r\n2016 Sample\r\nVictim information collected includes:\r\nOS Version\r\nMemory\r\nHostname\r\nIP address\r\nUsername\r\nComputer role (acronyms used within data sent to C2)\r\no Standalone Workstation — [WW]\r\no Domain Workstation — [DW]\r\no Standalone Server — [WS]\r\no Domain Server — [DS]\r\no Domain Backup Controller — [DC]\r\no Domain Primary Controller — [DP]\r\no Unknown — [UK]\r\nMalware configuration (C2 addresses, ports, username, password)\r\n2017 Sample\r\nThis sample’s command IDs look very much like the ones found in the 2015 sample. It comes with the set/unset Run regkey in command 0x600 and the close connection command in 0x400 (I’m not sure why there are 2 command IDs that do connection closure). The ability to update the C2 address with command ID 0x800 is gone in this variant.\r\n2018 Sample\r\nThis sample introduced 2 major features as an improvement over earlier samples of the same variant:\r\nCommand ID 0x5, which starts an interactive shell\r\nCommand ID 0x6, which starts a relay between newly defined sockets and the C2\r\n2019 Sample\r\nThe samples compiled in 2019 are different from the others: the command IDs/RAT features seem to be minimal. Nevertheless, the code overlaps within the implementation of these features can still be seen, so I’m still certain these are QuickHeal variants.\r\n2020 Sample\r\nThe sample that was compiled in 2020 bears a strong resemblance to the sample compiled in 2012. The only difference in the command IDs supported is that 0x4 will now terminate the malware instead of doing nothing.\r\n2021 Sample\r\nThis latest sample has command ID 0x600 “removed”; otherwise all the other command IDs and implementations are identical to the 2018 sample.\r\nLast Words\r\nAs I lack telemetry on the victims receiving this malware, I’m not able to provide further insights on whether these samples are different because they are used in different geographical campaigns (and thus edited by different operators), or because there are many versions of a QuickHeal builder (which was improved over the years). I can almost guess that there is some sort of a “checkbox” that the user can click on to select Command IDs (features) to be compiled into the binary. It would really be interesting if more information were available :)\r\n===\r\nHashes analyzed in this post:\r\n===\r\n[1] BackdoorDiplomacy: Upgrading from Quarian to Turian\r\n[2] Quarian: Reversing the C\u0026C Protocol\r\n~~\r\nAsuna | https://twitter.com/AsunaAmawaka\r\nSource: https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42"
	],
	"report_names": [
		"quarians-turians-and-quickheal-670b24523b42"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37975b58c77948d4226623e075b56a5417d8019d.pdf",
		"text": "https://archive.orkl.eu/37975b58c77948d4226623e075b56a5417d8019d.txt",
		"img": "https://archive.orkl.eu/37975b58c77948d4226623e075b56a5417d8019d.jpg"
	}
}