Quasar RAT

Quasar is one of the most widely used RATs in the world, largely because its source code is openly available. The malware can be used to remotely control a victim's computer.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 17 April, 2021
Global rank: 13
Week rank: 11
Month rank: 12
IOCs: 5054

What is Quasar RAT?

Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in .NET and is available to the public as an open-source project, which has made it a popular RAT featured in a number of attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers who, after analyzing a sample, speculated at the time that the RAT had been written by an in-house development team. Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version of the malware developed by the original author is v. 1.3.0.0, released in 2016. Since then, several third parties have adapted the RAT and issued their own versions, both minor and major, with the last major version being v. 2.0.0.1.

The RAT we are reviewing today consists of two main components: the server-side component and the client-side component. The server is equipped with a graphical user interface and is used for managing connections with the client-side programs. The server-side component is also used to build the malware samples that are eventually delivered to potential victims. The malware user can select attributes and customize the executable to fit the attacker's needs.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections and more.

It should be noted that Quasar execution can unfold completely silently: once the victim downloads and launches the client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the attacker control over the infected PC. The malware does generate a process that can be discovered using the Windows Task Manager or a similar application, but deliberate user effort is required to notice the presence of the Quasar trojan on a machine.

As far as the creators of this malware are concerned, the group or individual behind the original version has managed to remain anonymous. The little information we do have does not go beyond the name of the GitHub page author, which is simply "quasar".

As evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year another wave of attacks using this malware occurred, this time targeting the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which shows how the infection process unfolds.

Figure 1: Displays the lifecycle of Quasar in a visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: Shows a customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Quasar execution is fairly straightforward but can vary in minor details from sample to sample. In the example analyzed, Quasar was dropped from a Microsoft Office file. The dropped file changed a registry value to make itself run at every operating system start, checked the external IP address, and copied itself to another location. After these steps, the malware started its main malicious activity: collecting information about the operating system and waiting for commands from the C2 server.

How to avoid infection by Quasar?

The Quasar trojan writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware to run every time a machine is started. The persistence method is chosen based on user privileges. If the user has admin rights, the malware uses schtasks to create a scheduled task that launches after the user logs on, with the highest run level. If admin rights are lacking, the malware can only add a registry value, configured in the client builder, that points to its current path so that it is launched as a startup program.
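The two persistence paths described above can be hunted for on a Windows host with the following script. It is an added example written for this page, not code from ANY.RUN or the Quasar project; the "user-writable path" heuristic and the function names are this example's own assumptions.

```powershell
# Hunt for logon-triggered scheduled tasks running with the highest privileges
# (the admin-rights persistence path) and for Run-key autostart entries
# (the non-admin fallback). Flags commands that point into user-writable
# directories, an assumed heuristic for a self-copied client executable.

function Get-SuspiciousLogonTasks {
    Get-ScheduledTask | ForEach-Object {
        $task  = $_
        $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if ($logon -and $task.Principal.RunLevel -eq 'Highest') {
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    Kind    = 'ScheduledTask'
                    Name    = $task.TaskName
                    Path    = $task.TaskPath
                    Command = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
                }
            }
        }
    }
}

function Get-RunKeyEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PowerShell provider metadata properties (PSPath, PSParentPath, ...)
        foreach ($prop in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{
                Kind    = 'RunKey'
                Name    = $prop.Name
                Path    = $key
                Command = [string]$prop.Value
            }
        }
    }
}

# Assumed heuristic: autostart commands living under these directories deserve a closer look.
$userWritable = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'

$findings = @(Get-SuspiciousLogonTasks) + @(Get-RunKeyEntries)
$findings |
    Select-Object Kind, Name, Path, Command, @{ n = 'UserWritablePath'; e = { $_.Command -match $userWritable } } |
    Sort-Object UserWritablePath -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt to see HKLM entries and all users' tasks; an unfamiliar entry flagged as UserWritablePath is a candidate for hash lookup and sandbox submission.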

Distribution of Quasar RAT

Like most other RATs, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious file attachment whose name is usually designed to trick the user into thinking that he or she is receiving some sort of document. Sometimes these files have a double extension such as .docx.exe, which is done to trick the victim into thinking the attachment is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if the malware tries to communicate with its C&C servers, the attempt will be detected. To see which threats were detected, click the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT which was even featured in an attack targeted at the American government.

However, unlike other more advanced Trojans, Quasar RAT does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.
