Authors: Darren McCutchen, Jeeth Mathai, Manoj Pilli
Background:
QuasarRAT is an open-source .NET remote administration tool. Although originally created for legitimate functions (ex: remotely troubleshooting a corporate laptop), it has been adopted by several APT actors for malicious purposes. Currently on stable release version 1.4.0 (released June 2020), Quasar was initially released as xRAT in 2014. Since then, malicious actors have leveraged both the official versions and slightly modified versions of the tool in campaigns targeting government and industry. QuasarRAT is distributed in several ways: it is most commonly spread via malspam, but there are also examples of threat actors dropping Quasar by exploiting publicly disclosed vulnerabilities and of deploying it as a secondary payload after an initial compromise.
QuasarRAT operates in a client-server model(i). Once a host becomes infected, it connects back as a client, and the "attacker" controls it, together with every other connected client, from Quasar's server GUI. The malware is relatively small and lightweight, but it packs quite a punch and comes equipped with a number of features(ii), including but not limited to:
There are several remote access trojans that are either direct copies or slightly modified versions of Quasar (many of them carry the entirety of the Quasar source code in their own code base). AsyncRAT, Void-RAT, XPCTRA, Golden Edition, and CinaRAT are all examples of Quasar variants that have been used in real-world attacks(iii).
Quasar RAT in the News:
NetWitness Analysis:
The FirstWatch threat lab was used to run several different samples of QuasarRAT. To get the most comprehensive view of QuasarRAT, we ran tests using the publicly available Quasar v1.4.0 as well as executing several known QuasarRAT malware samples. These samples included Windows executables, macro-enabled Excel files, and a PowerShell script.
In both the official Quasar and malicious Quasar examples, the first activity seen was to check the public IP address of the host machine by making an HTTP request to an IP checker website. All tests reached out to either api.ipify.org or ip-api.com (other documented samples also saw HTTP traffic to freegeoip.net), with User-Agent string “Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0”.
Figure 1 - QuasarRAT performing external IP address lookup
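The external IP lookup described above is the first network artifact a defender can key on. The following is an added example written for this post (it is not NetWitness rule content or Quasar code): it scans a constructed, pipe-delimited proxy-log format (the layout is hypothetical) for requests to the IP-check services named above and raises the severity when the request also carries the exact User-Agent string observed in the lab.

```python
"""Flag public-IP lookups carrying the User-Agent seen in the Quasar tests.

Added example for this post, not NetWitness rule content. It scans a
constructed, pipe-delimited proxy-log format (hypothetical) and returns
hits; a real deployment would read proxy or NetWitness HTTP metadata.
"""
import re
from dataclasses import dataclass

# Destinations observed (or documented) for Quasar's external IP check.
IP_CHECK_HOSTS = {"api.ipify.org", "ip-api.com", "freegeoip.net"}

# Exact User-Agent observed on every detonation in the lab.
QUASAR_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"

# Constructed log layout: timestamp|source ip|host|path|user-agent
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<src>\S+)\|(?P<host>[^|]+)\|(?P<path>[^|]*)\|(?P<ua>.*)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    severity: str   # "high" = host + UA match, "medium" = IP-check host only
    reason: str


def classify(line: str):
    """Return a Hit for an IP-check request, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None                      # malformed line: skip, do not crash
    host = m.group("host").strip().lower()
    if host not in IP_CHECK_HOSTS:
        return None                      # ordinary web traffic
    if m.group("ua") == QUASAR_UA:
        return Hit(m.group("ts"), m.group("src"), host, "high",
                   "IP-check host with the User-Agent seen in Quasar samples")
    # Legitimate tooling also queries these services, so this is lower confidence.
    return Hit(m.group("ts"), m.group("src"), host, "medium",
               "IP-check host contacted (review the source host)")


def scan(lines):
    """Run classify() over a log and keep only the hits, highest severity first."""
    hits = [h for h in (classify(line) for line in lines) if h is not None]
    return sorted(hits, key=lambda h: 0 if h.severity == "high" else 1)


# Constructed sample traffic for a stand-alone run.
SAMPLE_PROXY_LOG = [
    "2022-06-01T10:00:01Z|10.10.4.21|api.ipify.org|/|" + QUASAR_UA,
    "2022-06-01T10:00:02Z|10.10.4.21|www.example.com|/|" + QUASAR_UA,
    "2022-06-01T10:00:03Z|10.10.4.33|ip-api.com|/json|curl/7.81.0",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG):
        print(f"[{hit.severity}] {hit.ts} {hit.src} -> {hit.host}: {hit.reason}")
```

The two-tier verdict matters in practice: plenty of legitimate software asks ip-api.com or api.ipify.org for its public address, so the host alone is only a review item, while the host paired with this specific User-Agent is what the tests consistently produced.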
Persistence:
QuasarRAT v1.4.0 can achieve persistence in two ways. If running with normal system privileges, the malware will add a registry value to Run registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. In environments where Quasar has achieved administrator privileges, it will create a scheduled task.
For our executable malware samples, once detonated on the target system (we executed them with administrator privileges), Quasar created a scheduled task to maintain persistence. The scheduled task command followed the same template in every detonation:
schtasks /create /tn "[task name]" /sc ONLOGON /tr "[path where Quasar file is located]" /rl HIGHEST /f
The task names seen during testing imitated legitimate-sounding programs (ex: "Java Update", "Cryptic0 Client", "Quasar Client Startup"). Based on the syntax of the scheduled task command, the malware ensures that it will run with the highest privileges on the victim system after each user logon, and the /f switch suppresses any errors related to task creation.
Figure 2 - QuasarRAT scheduled task for persistence
Payload Delivery:
The Quasar v1.4.0 Client Builder only allows the client to be placed in one of three directories: Program Files, Windows\SysWOW64, and %AppData%(i). The malicious Quasar builds we analyzed targeted %AppData% as the preferred folder, since it is the only one of the three that does not require administrator privileges. QuasarRAT drops a copy of itself into %AppData% (in most executed samples the QuasarRAT payload had been renamed before being dropped) and then re-runs the scheduled task command pointing at the file in the %AppData% directory. Many of the samples placed Quasar in the default configuration location C:\Users\[user]\AppData\Roaming\SubDir.
Figure 3 - QuasarRAT client install (Client.exe in this example) to default target directory
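The persistence and payload-delivery behaviour described in the two sections above (a logon-triggered, highest-privilege scheduled task, or an HKCU Run value, that points into a user-writable %AppData% path such as the default ...\AppData\Roaming\SubDir) can be turned into a simple scoring check over process-creation and registry telemetry. The following is an added example written for this post, not NetWitness rule content; the sample command lines and the registry value are constructed, and the user name, task names and verdict thresholds are assumptions.

```python
"""Score persistence artifacts matching the Quasar pattern documented above.

Added example for this post, not NetWitness rule content. It inspects
schtasks command lines (e.g. from process-creation telemetry) and HKCU Run
values, looking for a logon-triggered, highest-privilege task or a Run value
that points into a user-writable %AppData% path. Sample inputs are constructed.
"""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')                 # quoted arg | bare arg
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
QUASAR_DEFAULT_DIR = re.compile(r"\\AppData\\Roaming\\SubDir\\", re.I)
HKCU_RUN = r"hkcu\software\microsoft\windows\currentversion\run"  # key named in this post


def tokenize(cmd):
    """Split a Windows command line, keeping quoted arguments (paths with spaces) intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    """Return (named args, flags) for a schtasks command line, or None if it is not schtasks."""
    toks = tokenize(cmd)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args, flags, i = {}, set(), 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            args[t[1:]] = toks[i + 1]   # switch takes a value: /tn name, /tr path, ...
            i += 2
        else:
            flags.add(t)                # bare switches such as /create or /f
            i += 1
    return args, flags


def analyze_schtasks(cmd):
    """Score one schtasks command line against the template seen in the detonations."""
    parsed = parse_schtasks(cmd)
    if parsed is None:
        return None
    args, flags = parsed
    target = args.get("tr", "")
    ind = {
        "on_logon": args.get("sc", "").upper() == "ONLOGON",
        "highest_privs": args.get("rl", "").upper() == "HIGHEST",
        "forced": "/f" in flags,
        "user_writable_path": bool(USER_WRITABLE.search(target)),
        "quasar_default_dir": bool(QUASAR_DEFAULT_DIR.search(target)),
    }
    # Thresholds are assumptions: the full combination is what the samples produced,
    # while two isolated indicators are common enough in admin tooling to only merit review.
    if ind["user_writable_path"] and ind["on_logon"] and ind["highest_privs"]:
        verdict = "suspicious"
    elif sum(ind.values()) >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"task": args.get("tn"), "target": target, "indicators": ind, "verdict": verdict}


def analyze_run_value(key, name, data):
    """Score a registry value written under the HKCU Run key (the non-admin persistence path)."""
    if key.lower().rstrip("\\") != HKCU_RUN:
        return None
    ind = {
        "user_writable_path": bool(USER_WRITABLE.search(data)),
        "quasar_default_dir": bool(QUASAR_DEFAULT_DIR.search(data)),
    }
    verdict = "suspicious" if ind["user_writable_path"] else "benign"
    return {"value": name, "target": data, "indicators": ind, "verdict": verdict}


# Constructed samples: the first follows the template seen in testing, the second is a benign task.
SAMPLE_TASK_CMDS = [
    r'schtasks /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\bob\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Vendor\backup.exe" /rl LIMITED',
]
SAMPLE_RUN_VALUE = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Quasar Client Startup",
    r"C:\Users\bob\AppData\Roaming\SubDir\Client.exe",
)

if __name__ == "__main__":
    for cmd in SAMPLE_TASK_CMDS:
        print(analyze_schtasks(cmd))
    print(analyze_run_value(*SAMPLE_RUN_VALUE))
```

The tokenizer is deliberately not shlex: POSIX-mode shlex treats backslashes inside double quotes as escapes, which mangles Windows paths. Note that the registry check only covers the HKCU Run key because that is the key this post documents for the non-administrator case.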
NetWitness Detections:
During detonation of the sample files, several pieces of existing NetWitness content repeatedly fired. The most common of these were:
In addition to the existing content, we have created new rules to better detect host and network activity related to QuasarRAT. All of the following are currently available from NetWitness Live:
MITRE ATT&CK Techniques:
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1053.005 - Scheduled Task/Job: Scheduled Task
T1564.001 - Hide Artifacts: Hidden Files and Directories
T1543.003 - Create or Modify System Process: Windows Service
T1027.002 - Obfuscated Files or Information: Software Packing
T1036 - Masquerading
T1070.004 - Indicator Removal on Host: File Deletion
T1055.012 - Process Injection: Process Hollowing
T1012 - Query Registry
T1095 - Standard Non-Application Layer Protocol
T1016 - System Location Discovery
References:
(i) https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A
(ii) https://github.com/quasar/Quasar
(iii) https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html#7
(iv) https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord
(v) https://blog.morphisec.com/syk-crypter-discord
(vi) https://cycraft.com/ja/operation-cache-panda/
(vii) https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers