NetWitness Community

DarrenMccutchen · ‎2022-08-17

Authors: Darren McCutchen, Jeeth Mathai, Manoj Pilli

Background:

QuasarRAT is an open-source .NET remote administration tool. Although originally created for legitimate functions (ex: remotely troubleshooting a corporate laptop), it has been adopted by several APT actors for malicious purposes. Currently on stable release version 1.4.0 (released June 2020), Quasar was initially released as xRAT in 2014. Since then, malicious actors have leveraged both the official versions and slightly modified versions of the tool in campaigns targeting government and industry. There are several distribution methods for QuasarRAT—it is most commonly spread via malspam, and there are additional examples of threat actors dropping Quasar by exploiting publicly disclosed vulnerabilities and packing the malware as a secondary payload post-initial compromise.

QuasarRAT operates in a client-server model(i). Once a host becomes infected, the "attacker" controls all its connected clients from Quasar's GUI. The malware is relatively small and lightweight, but does pack quite a punch and comes equipped with a number of features(ii) , including but not limited to:

Encrypted C2 communication
Ability to capture passwords from most web browsers and Windows password stores
Keylogger
Ability to query system information
File and task management (file read/write/delete | task creation/kill)
Screen capture (Screenshots and Video Record)
Remote Desktop connectivity
Remote shell and remote command execution
Registry and Startup folder Editing

There are several remote access trojans that are either direct copies or slightly modified versions of Quasar (many of these will have the entirety of the Quasar source code in its own code base)--AsyncRAT, Void-RAT, XPCTRA, Golden Edition, and CinaRAT are all examples of Quasar variants that have been used in real-world attacks(iii).

Quasar RAT in the News:

Threat actors began using PureCrypter, a crypting software for obfuscation/encryption of binaries, to create malicious Microsoft Intermediate Language (MSIL) stubs for delivery of several .NET-based malwares including QuasarRAT(iv).
A new attack pattern was discovered by Morphisec wherein Discord's Content Delivery Network (CDN) is abused to download a .NET loader and crypter which delivers a QuasarRAT payload(v).
In an attack attributed to APT10 dubbed “Operation Cache Panda”, QuasarRAT was reflectively loaded on vulnerable Taiwanese financial sector systems giving attackers persistence on victim networks via RDP reverse tunnels(vi).
With Microsoft beginning to block macros by default, there has been an increase in the use of ISO Files to deliver QuasarRAT(vii).
QuasarRAT was one of many remote access trojans used by APT group Earth Berberoka in attacks against gambling websites(viii).

NetWitness Analysis:

The FirstWatch threat lab was used to run several different samples of QuasarRAT. To get the most comprehensive view of QuasarRAT, we ran test using the publicly available Quasar v1.4.0 as well as executing several known QuasarRAT malware samples. These samples included Windows executables, macro-enabled Excel files, and a PowerShell script.

In both the official Quasar and malicious Quasar examples, the first activity seen was to check the public IP address of the host machine by making an HTTP request to an IP checker website. All tests reached out to either api.ipify.org or ip-api.com (other documented samples also saw HTTP traffic to freegeoip.net), with User-Agent string “Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0”.

Figure 1 - QuasarRAT performing external IP address lookup

Persistence:

QuasarRAT v1.4.0 can achieve persistence in two ways. If running with normal system privileges, the malware will add a registry value to Run registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. In environments where Quasar has achieved administrator privileges, it will create a scheduled task.

For our executable malware samples, once executed on our target system (administrator privileges were used to execute), Quasar creates a scheduled task to maintain persistence. This scheduled task command uses the same template once the malware is detonated:

schtasks /create /tn "[task name]" /sc ONLOGON /tr "[path where Quasar file is located]" /rl HIGHEST /f

The task names seen during testing would imitate legitimate sounding files (ex: "Java Update", "Cryptic0 Client", "Quasar Client Startup"). Based on the syntax of the scheduled task command, the malware ensures that it will run with highest privileges on the victim system after user logon and hide any errors related to task creation.

Figure 2 - QuasarRAT scheduled task for persistence

Payload Delivery:

The Quasar v1.4.0 Client Builder only allows the client to be placed in one of three directories: Program Files, Windows\SysWOW64, and %AppDATA%(i). The malicious versions of Quasar analyzed target %AppData% as the preferred folder since it is the only one that does not require administrator privileges. QuasarRAT will drop a copy of itself (in most executed samples, the QuasarRAT payload was renamed prior to getting dropped) to %AppData% and will re-run the scheduled task command for the file in the %AppData% directory. Many of the samples placed Quasar in the default configuration location C:\Users\[user]\AppData\Roaming\SubDir.

Figure 3 - QuasarRAT client install (Client.exe in this example) to default target directory

NetWitness Detections:

During detonation of sample files, there were several pieces of existing NetWitness content that repeatedly showed up. The most common of these were:

boc = ‘unsigned writes executable to appdataroaming directory’
boc = ‘outbound from unsigned appdata directory’
boc = ‘creates local task’
boc = ‘runkey persistence’
analysis.file = 'modifies registry using command-line registry tool'

In addition to the existing content, we have also created new rules to better detect host and network activity related to QuasarRAT. All the following are currently available from NetWitness Live:

Quasar RAT Default Payload Location – Alerts on files being written to the default Quasar Client Builder target directory. (NetWitness EDR)
Quasar RAT Default Persistence – Alerts on both privileged and non-privileged Quasar RAT activity to achieve persistence. (NetWitness EDR)
Quasar RAT Default SSL Certificate – Detects the usage of the default Quasar RAT digital certificate. (NetWitness EDR/NDR)
Quasar RAT Client Public IP Check – Detects the initial HTTP requests from Quasar RAT payload to its preferred external IP check websites. (NetWitness NDR)
Host Traffic to External IP Checker – This rule looks for any outbound traffic to four IP checker sites used by malware. This rule on its own does not indicate something malicious is happening, however it can be a data point for further investigation and threat hunting exercises. (NetWitness EDR/LDR/NDR)