Quasar RAT

Quasar is a widely used RAT, largely because its source code is openly available. The malware gives an attacker remote control of the victim's computer.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 27 January, 2023
Global rank: 12
Week rank: 10
Month rank: 10
IOCs: 9656

What is Quasar RAT?

Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in .NET and is publicly available as an open-source project for Microsoft Windows, which has made it a popular RAT featured in many attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers who, after analyzing a sample, initially speculated that an in-house development team had written it. Quasar is in fact an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 distinct malicious actions.

Over its lifetime the malware has been updated several times, improving its overall functionality. The last version released by the original author, v1.3.0.0, came out in 2016. Since then, several third parties have adapted the RAT and issued their own versions, both minor and major, the latest major one being v2.0.0.1.

The RAT consists of two main components: the server and the Quasar client. The server has a graphical user interface and is used to manage connections from the clients. The same server-side tooling is used to build the malware samples that are eventually delivered to victims: the operator selects attributes in the client builder and customizes the executable to fit the attacker's needs. Both components are .NET applications that run on all current Windows versions.

The functionality of the resulting malware includes remote file management on the infected machine, registry modification, recording the victim's actions, establishing remote desktop sessions, and more. All of the data, including requests, is sent to the attacker's server, and the client's web requests carry a configurable User-Agent string.

It should be noted that Quasar's execution can unfold completely silently. Once the victim downloads and launches the Quasar client, usually delivered in a document attached to an email, it can stay active for a long period of time, stealing data and giving the attacker control over the infected PC. The malware does run as a process that can be seen in Windows Task Manager or a similar tool, but a user has to actively look for it to notice the trojan's presence on the machine.

As for the creators, the person or group behind the original version of this malware has remained anonymous. As a result, the little information available does not go beyond the name of the GitHub page author, which is simply "quasar."

The "official" Quasar GitHub page presents the tool as a legitimate remote administration program, which is misleading given how it is used in practice. Quasar was featured in an attack aimed at the US government in early 2017, and later the same year another wave of attacks using this malware targeted the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which allows analysts to follow how the infection unfolds.

Figure 1: The lifecycle of Quasar in visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Based on the analysis, Quasar's execution is fairly straightforward but can vary in minor details from sample to sample. The RAT's User-Agent strings imitate legitimate clients, such as a browser running on Windows. In the analyzed sample, Quasar was dropped by a Microsoft Office file. The dropped file then set a registry value so that it runs at every operating system start, checked the machine's external IP address, and copied itself to another location. After these steps the malware began its main activity: collecting information about the operating system and waiting for commands from the C2 server, which lets the operator gather host system data.
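Because the client's User-Agent imitates a browser, matching on the string itself is fragile; what does stand out is that a hard-coded string appears on one host only and stops tracking browser updates. The following script is an added example (not ANY.RUN's or Quasar's code) that baselines User-Agents from a constructed proxy log and flags both rare strings and browser versions that lag the fleet. The log format, host names, destination addresses and the stale Chrome string are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): timestamp, source host, method, URL, quoted User-Agent.
# Five workstations share two browser builds and the Windows update client; ws-103 additionally
# sends requests with a stale browser string to a bare IP address, the kind of outlier to surface.
SAMPLE_PROXY_LOG = """\
2023-01-27T09:00:01Z ws-101 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
2023-01-27T09:00:02Z ws-102 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
2023-01-27T09:00:03Z ws-103 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
2023-01-27T09:00:04Z ws-104 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0"
2023-01-27T09:00:05Z ws-105 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0"
2023-01-27T09:00:06Z ws-101 GET http://updates.example/ "Microsoft-Delivery-Optimization/10.0"
2023-01-27T09:00:07Z ws-102 GET http://updates.example/ "Microsoft-Delivery-Optimization/10.0"
2023-01-27T09:00:08Z ws-103 GET http://updates.example/ "Microsoft-Delivery-Optimization/10.0"
2023-01-27T09:00:09Z ws-104 GET http://updates.example/ "Microsoft-Delivery-Optimization/10.0"
2023-01-27T09:00:10Z ws-105 GET http://updates.example/ "Microsoft-Delivery-Optimization/10.0"
2023-01-27T09:01:11Z ws-103 GET http://203.0.113.10/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
2023-01-27T09:02:11Z ws-103 GET http://203.0.113.10/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
VERSION_RE = re.compile(r"(Chrome|Firefox)/(\d+)")


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def hosts_per_user_agent(records):
    """Map each User-Agent string to the set of source hosts that sent it."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["ua"]].add(r["host"])
    return hosts


def rare_user_agents(records, max_hosts=1, min_population=5):
    """User-Agents seen on at most max_hosts distinct hosts, with their hosts and destinations.

    Rarity only means something once enough hosts are in the baseline, so an empty dict is
    returned when fewer than min_population hosts appear in the log at all.
    """
    population = {r["host"] for r in records}
    if len(population) < min_population:
        return {}
    rare = {}
    for ua, hosts in hosts_per_user_agent(records).items():
        if len(hosts) <= max_hosts:
            rare[ua] = {
                "hosts": sorted(hosts),
                "urls": sorted({r["url"] for r in records if r["ua"] == ua}),
            }
    return rare


def browser_version_outliers(records, max_lag=10):
    """Browser User-Agents whose major version lags the newest of the same family by more than max_lag.

    A string embedded in a client binary keeps claiming the same version for years,
    while the real browsers on the network auto-update.
    """
    newest, parsed = {}, {}
    for ua in hosts_per_user_agent(records):
        m = VERSION_RE.search(ua)
        if m:
            family, major = m.group(1), int(m.group(2))
            parsed[ua] = (family, major)
            newest[family] = max(newest.get(family, 0), major)
    return {ua: fm for ua, fm in parsed.items() if newest[fm[0]] - fm[1] > max_lag}


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    for ua, info in rare_user_agents(recs).items():
        print("rare UA on", info["hosts"], "->", info["urls"], ":", ua)
    for ua, (family, major) in browser_version_outliers(recs).items():
        print("stale", family, major, ":", ua)
```

Both checks are deliberately independent of any specific malware string: the rare-host test catches any bespoke User-Agent, and the version-lag test catches the common case where the impersonated browser was current when the RAT build was compiled but is years behind the fleet by the time the sample runs.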

How to avoid infection by Quasar?

Quasar writes itself into scheduled tasks and uses registry keys to achieve persistence, so that the malware runs every time the machine starts. The persistence method is chosen based on the user's privileges. If the user has admin rights, the client uses schtasks to create a scheduled task that launches after a user logs on, with the highest run level. Without admin rights, the client falls back to adding a registry Run value (named as configured in the client builder) that points at its current path, so it starts as a startup program for that user. On the defensive side, the best starting point is for security teams to get to know the User-Agent strings that normally exist in their network and to hunt for the ones that look out of place.
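The execution chain above (Office file dropping an executable, then a Run value or a highest-run-level scheduled task pointing back into the user's profile) maps onto three simple endpoint rules. The script below is an added example, not ANY.RUN's or Quasar's code; it runs those rules over constructed Sysmon-style process and registry events and correlates hits by process lineage so one infection is reported as one chain. Paths, pids, the task name and the list of benign Office children are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not from a real incident), shaped like Sysmon process-creation
# and registry-value-set events. Hypothetical paths, pids and task name.
SAMPLE_EVENTS = [
    # Word opened from an e-mail attachment drops and starts an executable in %TEMP%.
    {"type": "process", "pid": 4101, "ppid": 3020,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\invoice.exe"'},
    # Admin path: logon-triggered task at the highest run level pointing into the user's profile.
    {"type": "process", "pid": 4102, "ppid": 4101,
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "UpdateCheck" /sc ONLOGON /tr "C:\Users\alice\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    # Non-admin path: a Run value pointing at the copied client.
    {"type": "registry", "pid": 4101,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client",
     "details": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"},
    # Benign activity that must not fire: printing from Word, a browser launch, a vendor installer, an admin task.
    {"type": "process", "pid": 4200, "ppid": 3020,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 8192"},
    {"type": "process", "pid": 5001, "ppid": 1200,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "command_line": "chrome.exe"},
    {"type": "registry", "pid": 6000,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "process", "pid": 6100, "ppid": 6050,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn Backup /sc DAILY /tr "C:\Program Files\Backup\run.exe" /rl HIGHEST'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: children Office legitimately spawns in this environment; tune per fleet.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_spawns_executable(ev):
    """An Office application starting anything outside its known benign children."""
    if ev["type"] == "process" and basename(ev["parent_image"]) in OFFICE_APPS \
            and basename(ev["image"]) not in OFFICE_BENIGN_CHILDREN:
        return "office_spawns_executable"


def rule_schtasks_highest_runlevel(ev):
    """schtasks /create with /rl HIGHEST whose action lives in a user-writable directory."""
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["command_line"]
    m = TASK_ACTION.search(cl)
    action = (m.group(1) or m.group(2)) if m else ""
    if "/create" in cl.lower() and re.search(r"/rl\s+highest", cl, re.I) and USER_WRITABLE.search(action):
        return "scheduled_task_highest_runlevel_user_writable"


def rule_run_key_user_writable(ev):
    """A Run/RunOnce value whose data points into a user-writable directory."""
    if ev["type"] == "registry" and RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        return "run_key_points_to_user_writable_path"


RULES = (rule_office_spawns_executable, rule_schtasks_highest_runlevel, rule_run_key_user_writable)


def detect(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    return [(name, ev["pid"]) for ev in events for name in (r(ev) for r in RULES) if name]


def correlate(events, alerts):
    """Group alerts by the root of their process lineage so one chain is reported once."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    chains = defaultdict(set)
    for name, pid in alerts:
        while pid in parents:
            pid = parents[pid]
        chains[pid].add(name)
    return dict(chains)


if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for root, names in correlate(SAMPLE_EVENTS, alerts).items():
        print(f"lineage rooted at pid {root}: {sorted(names)}")
```

The user-writable-path condition is what keeps the persistence rules quiet on installers and admin-created tasks, which also register Run values and highest-run-level tasks but point them at Program Files. Because the chosen persistence method depends on the privileges the client happens to have, a hunt should look for either branch rather than only the scheduled task.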

Distribution of Quasar RAT

Like most other RATs, for example Crimson RAT or Orcus RAT, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious attachment whose name is designed to make the user believe they are receiving an ordinary document. Sometimes these files carry a double extension such as .docx.exe, again to make the attachment look harmless. Once opened, such a file runs as an executable rather than opening as a document in Microsoft Office.
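The double-extension trick is easy to check for at the mail gateway before a user ever sees the attachment. The script below is an added example (not ANY.RUN's code) that parses a constructed message with Python's standard email library, pulls each attachment's filename, and flags a document extension immediately followed by an executable one, including the padded variant where whitespace pushes the real extension out of view. The message, filenames and extension lists are assumptions made up for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extension sets a gateway would tune for its own environment.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "msi", "lnk"}


def classify_attachment_name(name):
    """Return why a filename is deceptive or dangerous, or None if it looks harmless.

    Handles the docx.exe double extension and the variant that pads the real
    extension behind whitespace so it scrolls out of view in a mail client.
    """
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"document extension .{parts[-2]} hides executable extension .{last}"
    return f"executable attachment .{last}"


def scan_message(raw):
    """Parse a raw RFC 822 message and return (filename, reason) for each suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_attachment_name(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed test message (not a real phishing sample): one harmless document, one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "alice@example.test"
    msg["Subject"] = "Invoice 2023-01"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"PK\x03\x04 fake docx bytes", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Invoice_2023.docx")
    msg.add_attachment(b"MZ fake PE bytes", maintype="application", subtype="octet-stream",
                       filename="Invoice_2023.docx.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"{name}: {reason}")
```

The filename check is a first filter only; a loader can just as well arrive inside an archive or a macro-enabled document, so the gateway should still inspect content types and magic bytes rather than trusting the name.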

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if the malware tries to communicate with its C&C servers, the traffic is detected. To see which threats were detected, click the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats as shown in the ANY.RUN "Threats" view.

Conclusion

Quasar is a powerful open-source trojan with a robust persistence mechanism and a complete set of malicious capabilities. Being available to anyone with programming knowledge, it became a widely used RAT that was even featured in an attack targeting the US government.

However, unlike more advanced trojans, Quasar RAT does not have particularly sophisticated anti-analysis features, which makes building robust defenses an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.

IOCs

IP addresses
109.206.241.81
79.134.225.95
212.192.246.234
70.70.19.220
14.165.49.117
87.66.106.20
109.230.238.142
185.65.135.178
141.255.146.88
104.245.145.246
64.251.27.103
5.2.67.66
146.70.117.75
79.118.153.160
154.221.22.25
78.173.187.50
50.104.83.125
85.215.169.162
89.46.100.217
92.15.146.110
Hashes

Domains
isns.net
pluto.iziis.ukim.edu.mk
bam.nr-data.net.cdn.cloudflare.net
vcctggqm3t.dattolocal.net
scambaiting2022.ddns.net
booking.msg.bluhotels.com
wsgeoip.pdfescape.com
ghcc.duckdns.org
searchkn1.sima-land.ru
2.tcp.eu.ngrok.io
c16d-35-240-187-111.ngrok.io
frederikkempe.com
majul.com
matmat.aimultiple.com
research.aimultiple.com
cdn.aimultiple.com
aimultiple.com
testnet.toncenter.com
toncenter.com
