Diving Into Quasar RAT: TTPs, IoCs and more
Introduction
Quasar is an open-source Remote Access Trojan (RAT) for Microsoft Windows, written in C# and published by the GitHub user MaxXor as a public repository. It has legitimate uses, such as remote assistance from an organisation's helpdesk technician, but the same code is used by cybercriminals and APT groups for fraud and espionage, and because the source is public any operator can build their own client with their own server address.
Quasar has two components. The server is the operator's side: a graphical console that accepts incoming connections from clients and lets the operator issue commands to each infected machine. The client is the implant that runs on the victim's machine; it is usually delivered by deception, for example as an email attachment, and once running it connects back to the server and executes whatever the operator requests.
Its feature set includes remote file management, editing the registry, monitoring and recording the victim's activity, and a built-in remote desktop session. The client runs silently in the background and can stay resident for long periods, which gives the operator persistent control of the compromised system and time to steal data.
Delivery Methods
Cybercriminals distribute Quasar mainly through spam campaigns and through untrustworthy download channels. The spam emails carry an attachment and rely on the recipient opening it; opening the attachment installs the malware.
Quasar RAT has been used by a wide range of threat actors, from individual cybercriminals to state-sponsored APT groups like APT10 (also known as Stone Panda, Cicada) and the Gaza Cybergang. It has been observed in campaigns targeting various sectors, including governments, defense, energy, finance, healthcare, and manufacturing, across different geographical regions.
Files commonly used as carriers include Microsoft Office documents, PDF files, executables, JavaScript files and archives such as ZIP and RAR, any of which can hide malicious content. Dubious download routes and third-party downloaders are the other main vehicle.
Those sources include unofficial downloaders and installers, unsanctioned websites, free file-hosting services, freeware download pages, and peer-to-peer networks such as torrent clients and eMule. Files obtained from these sources frequently turn out to install malware.
The uploaded files are disguised to look harmless and credible. Common lures are fake update tools, trojanised software and unofficial "activation" (cracking) tools. The fake updaters pose as legitimate software updaters, but what they actually do is download and install further malicious programs.
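The camouflage described above works because mail clients and Explorer show the file name, not the content. A triage check should therefore read the first bytes of an attachment and compare the container it finds against what the name claims, and should flag double extensions such as `Invoice.pdf.exe`. The script below is an added example, not code from the original post; the sample attachments are constructed byte strings, and the signature table covers only the file types listed above. Script files such as `.js` have no magic bytes, so for those the extension is the only signal.

```python
"""Triage mail attachments by content rather than by name.

Added example, not part of the original post. The sample files below are
constructed byte strings; no real malware is involved.
"""
import os

# Magic bytes of the container types the text lists.
SIGNATURES = {
    "pe":  (b"MZ",),                                  # .exe / .dll / .scr
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),            # .zip and OOXML (.docx/.xlsx/.pptx)
    "rar": (b"Rar!\x1a\x07",),                        # RAR4 and RAR5 share this prefix
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),    # legacy Office (.doc/.xls/.ppt)
}
# Which detected container a claimed extension may legitimately have.
# An empty set means "not a container we know": any signature hit is a mismatch.
EXPECTED = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
    ".pdf": {"pdf"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"}, ".ppt": {"ole"},
    ".rar": {"rar"},
    ".jpg": set(), ".png": set(), ".txt": set(),
}
# Extensions that execute directly when double-clicked on Windows.
RISKY_EXT = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd"}


def detect_container(data):
    """Return the container name whose signature the data starts with, or None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def triage(filename, data):
    """Return a list of findings for one attachment; an empty list means no concern."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    container = detect_container(data)

    # 1. Double extension: "Invoice.pdf.exe" is shown as "Invoice.pdf" when
    #    Explorer hides known extensions.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and ext in RISKY_EXT:
        findings.append(f"double extension {inner_ext}{ext}")

    # 2. Claimed type versus actual content.
    if ext in EXPECTED and container is not None and container not in EXPECTED[ext]:
        findings.append(f"content is {container} but name claims {ext}")
    elif ext in EXPECTED and EXPECTED[ext] and container is None:
        findings.append(f"name claims {ext} but content has no matching signature")

    # 3. Anything executable is flagged regardless of how it is named.
    if container == "pe" or ext in RISKY_EXT:
        findings.append("executable or script")
    return findings


# Constructed samples (not real attachments).
SAMPLES = {
    "report.pdf":      b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "scan.docx":       b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
    "Invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg":       b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf":   b"<html><script>/* smuggled payload */</script></html>",
    "update.js":       b"var s = new ActiveXObject('WScript.Shell');",
}


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(f"{name:18} {'OK' if not findings else '; '.join(findings)}")
```

The check is deliberately content-first: a `.jpg` that starts with `MZ` is an executable whatever the icon says, and a `.pdf` with no `%PDF` header deserves a look before it is opened. Archives still need to be unpacked and their members run through the same check, since the carrier ZIP or RAR is usually clean by itself.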
Impact
A Quasar operator can open Task Manager and Registry Editor on the victim's machine, upload, download and execute files, log keystrokes, recover stored passwords, and so take over personal and business accounts. The consequences of an infection therefore range from theft of personal and financial information and loss of data to account compromise, installation of additional malware and damage to the system itself.
A Sample of IoCs
Type | Created at | Updated at | Value |
---|---|---|---|
SHA-256 | 2025-06-17 | 2025-06-17 | cf7a24c9f2f9d85cc1ba4a11890087b82e38f39c8d194e808e9e6d82a188d3f0 |
SHA-256 | 2025-06-17 | 2025-06-17 | 14b573b7e3ff8ad4e1489a5c039532f16f9eff34ead1d299f97fb0badf0affdc |
Domain | 2025-06-17 | 2025-06-17 | big-expressed.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | iliketacos12341-30048.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | if-definition.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | svhost.mine.nu |
Domain | 2025-06-17 | 2025-06-17 | includes-whose.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | imhimlmai-61691.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | rule-covers.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | ckfejrnet.airdns.org |
Domain | 2025-06-17 | 2025-06-17 | associated-bk.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | jamierose-42682.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | ilikefemboys1234-38334.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | dugites-44896.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | enans-33358.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | specter699-31351.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | repair-oscar.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | his-varied.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | accommodation-specialist.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | lines-flags.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | gta5rppppp-61894.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | r.aartzz.pp.ua |
Domain | 2025-06-17 | 2025-06-17 | fully-expensive.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | engineering-ebay.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | githubrdp-22467.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | pulsar-tcp.at.remote.it |
Domain | 2025-06-17 | 2025-06-17 | harunet.airdns.org |
Domain | 2025-06-17 | 2025-06-17 | mexico-shopper.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | b-proper.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | darkarmteam-41484.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | brostoplookingformyc2-21003.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | africa-manufacturing.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | dewaw64518-23532.portmap.io |
Domain | 2025-06-17 | 2025-06-17 | pacific-astronomy.gl.at.ply.gg |
Domain | 2025-06-17 | 2025-06-17 | long-importantly.gl.at.ply.gg |
Domain | 2025-06-16 | 2025-06-16 | sergei123323-34602.portmap.io |
Domain | 2025-06-16 | 2025-06-16 | xikhudog2.duckdns.org |
Domain | 2025-06-16 | 2025-06-16 | anonam39-41248.portmap.io |
Domain | 2025-06-16 | 2025-06-16 | gazaru-21459.portmap.io |
Domain | 2025-06-16 | 2025-06-16 | alexkasa-53195.portmap.io |
Domain | 2025-06-16 | 2025-06-16 | stores-replace.gl.at.ply.gg |
Domain | 2025-06-15 | 2025-06-15 | joshuasmith-59211.portmap.io |
SHA-256 | 2025-06-14 | 2025-06-14 | 3c5058f664ce2c787ec8e8c6236839a66e5fc433679d719c3e609bdd71daa2ab |
SHA-256 | 2025-06-14 | 2025-06-14 | 021da5ec7464baf51058c8821a0d164a43732466fcd4083990caac6fc8859952 |
SHA-256 | 2025-06-14 | 2025-06-14 | ec623337e17c8a9b0cd636c905b9b1e474040516e7bd4cb6fdc45310ecf2181c |
SHA-256 | 2025-06-14 | 2025-06-14 | c2b78e277970e1607c23f03bf7facfb77a1dd50798acc078fd942abe59baca6f |
SHA-256 | 2025-06-13 | 2025-06-13 | e72b5521b5e66dde10a7241109d8a9340b89a3ddad317aabe32cadad09326e50 |
SHA-256 | 2025-06-13 | 2025-06-13 | c4d3e5b4cb795c3db3524a4a91668bb32af8c68bb7bf35715e5538edeffcf2e2 |
SHA-256 | 2025-06-13 | 2025-06-13 | 62e2c7d860a0e3e0975c5b9da5193f9ab3ca6c56ef4eea46d17cc87ac4598b90 |
Domain | 2025-06-13 | 2025-06-13 | request-poems.gl.at.ply.gg |
TTPs
The identifiers below come from three different ATT&CK matrices: T1xxx entries are from the Enterprise matrix, T0xxx entries are from the ICS matrix, and T1474 is the Mobile matrix's Supply Chain Compromise. Quasar itself is Windows malware, so the Enterprise rows are the ones to use when mapping detections; the ICS and Mobile rows are kept as listed.
Tactic | Technique | ATT&CK matrix |
---|---|---|
Reconnaissance | T1590 – Gather Victim Network Information | Enterprise |
Reconnaissance | T1591 – Gather Victim Org Information | Enterprise |
Initial Access | T1566 – Phishing | Enterprise |
Initial Access | T1078 – Valid Accounts | Enterprise |
Persistence | T1078 – Valid Accounts | Enterprise |
Privilege Escalation | T1078 – Valid Accounts | Enterprise |
Defense Evasion | T1078 – Valid Accounts | Enterprise |
Initial Access | T1474 – Supply Chain Compromise | Mobile |
Initial Access | T0817 – Drive-by Compromise | ICS |
Initial Access | T0819 – Exploit Public-Facing Application | ICS |
Initial Access | T0862 – Supply Chain Compromise | ICS |
Lateral Movement | T0859 – Valid Accounts | ICS |