Quasar RAT

Quasar is one of the most widely used RATs because its source code is publicly available. The malware lets an attacker remotely control the victim's computer.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 18 February, 2020
Global rank: 17
Week rank: 13
Month rank: 15
IOCs: 646

What is Quasar RAT?

Quasar is a remote access trojan that attackers use to take remote control of infected machines. It is written in .NET and is available to the public as an open-source project, which has made it a popular RAT featured in a number of attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers who, after analyzing a sample, speculated at the time that the RAT had been written by an in-house development team. Quasar evolved from an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over its lifetime the malware has been updated several times, improving its overall functionality. The last version developed by the original author is v. 1.3.0.0, released in 2016. Since then several third parties have adapted the RAT and issued their own minor and major versions, the latest major one being v. 2.0.0.1.

The RAT consists of two main components: a server-side component and a client-side component. In Quasar's terminology the server is the operator's console; it is equipped with a graphical user interface and is used to manage connections from the clients, which are the implants running on victim machines. The server-side component also contains the builder that produces the client executables eventually delivered to potential victims, and the operator can select attributes and customize the executable to fit the needs of the attack.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections and more.

Quasar can run completely silently. Once the victim launches the client, usually delivered as an attachment in a phishing email, it can stay active for a long time, stealing data and giving the attacker control over the infected PC. The malware does run as a visible process that can be found with the Windows Task Manager or a similar tool, but nothing alerts the user, so discovering Quasar on a machine requires someone to actively look for it.

As for the creators of this malware, the person or group behind the original version has managed to remain anonymous. The little that is known does not go beyond the name of the GitHub account hosting the project, which is simply "quasar".

As evident from the description on the "official" Quasar GitHub page, the tool is presented as a legitimate remote administration program, which is clearly misleading given how it is used. Quasar featured in an attack aimed at the US government early in 2017, and later the same year another wave of attacks using it targeted the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which shows how the infection unfolds step by step.

Figure 1: The lifecycle of Quasar in visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Quasar execution is straightforward but varies in minor details from sample to sample. In the example analyzed here, Quasar was dropped by a Microsoft Office file. The dropped executable set a registry value so that it runs at every operating system start, queried an external service for the machine's public IP address, and copied itself to another location. After these steps the malware moved on to its main activity: collecting information about the operating system and waiting for commands from the C2 server.

How to avoid infection by Quasar?

Quasar achieves persistence through either a scheduled task or a registry Run value, so that the client is launched every time the user logs on. Which method is used depends on the privileges of the infected user. With administrative rights, the client invokes schtasks to create a task that fires at user logon and runs with the highest available run level. Without administrative rights, it instead writes a value to the current user's Run key in the registry; the value name is set in the client builder and the data is the path the client is currently running from. Checking both locations, and in particular looking for logon-triggered tasks or Run values that point into user-writable directories such as AppData, is the practical way to spot this persistence.
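As an added illustration (not code from the original page or from the Quasar project), the following Python script checks a host for the two persistence artifacts described above. Scheduled tasks are stored by Windows as XML files under C:\Windows\System32\Tasks, and the user's Run key can be dumped with `reg query`; the script parses both formats and flags logon-triggered tasks with the highest run level, and Run values, whose target executable lives in a user-writable directory. The task XML, the registry dump, the user "alice" and the task and value name "Quasar Client Startup" are constructed samples for the example, not artifacts captured from a real infection.

```python
"""Hunt for Quasar-style logon persistence in scheduled-task XML and Run-key dumps.

Constructed example data only. On a live host, feed it the files under
C:\\Windows\\System32\\Tasks (read them as bytes; they are UTF-16) and the
output of `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by Windows Task Scheduler XML files.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. A binary persisted from one
# of these deserves a look, but legitimate software (OneDrive, Teams, ...)
# also installs under AppData, so hits are triage leads, not verdicts.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)


def exe_from_command(cmd: str) -> str:
    """Extract the executable path from a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def scan_task_xml(xml_doc) -> Optional[dict]:
    """Flag a task that fires at logon with RunLevel HighestAvailable and
    launches an executable from a user-writable directory (the admin case)."""
    root = ET.fromstring(xml_doc)
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    runlevel = root.findtext("t:Principals/t:Principal/t:RunLevel",
                             default="", namespaces=TASK_NS)
    exe = exe_from_command(
        root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS))
    if logon and runlevel == "HighestAvailable" and USER_WRITABLE.search(exe):
        return {"source": "scheduled_task", "exe": exe, "severity": "high"}
    return None


# One `reg query` value line: <indent><name>  <REG_type>  <data>
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def scan_run_key(reg_output: str) -> List[dict]:
    """Flag Run values whose target lives in a user-writable directory
    (the non-admin case). The value name is whatever the builder was told."""
    findings = []
    for line in reg_output.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        exe = exe_from_command(m.group("data"))
        if USER_WRITABLE.search(exe):
            findings.append({"source": "run_key", "value": m.group("name"),
                             "exe": exe, "severity": "medium"})
    return findings


def hunt(task_docs, reg_output: str) -> List[dict]:
    """Run both checks and return one combined list of findings."""
    findings = [f for f in (scan_task_xml(d) for d in task_docs) if f]
    return findings + scan_run_key(reg_output)


# ---- Constructed samples (not captured from a real host) ----
TASK_QUASAR = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS01\\alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>WS01\\alice</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>WS01\\alice</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\SubDir\\Client.exe</Command></Exec></Actions>
</Task>"""

TASK_BENIGN = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
</Task>"""

RUN_KEY_DUMP = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    VendorUpdater    REG_SZ    "C:\\Program Files\\Vendor\\Updater.exe" /silent
    Quasar Client Startup    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\SubDir\\Client.exe
"""

if __name__ == "__main__":
    for f in hunt([TASK_QUASAR, TASK_BENIGN], RUN_KEY_DUMP):
        print(f"[{f['severity']}] {f['source']}: {f['exe']}")
```

Run against the samples it reports the logon task as high severity and two Run values as medium: the constructed Quasar entry and OneDrive, which legitimately runs from AppData. That second hit is the point of the severity tiers: a path-based rule narrows the list, but a real triage still verifies the flagged binary's signature or hash before acting on it.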

Distribution of Quasar RAT

Like most other RATs, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious attachment whose name is designed to make the recipient believe they are receiving an ordinary document. Sometimes these files carry a double extension such as .docx.exe, so that the name looks like a document while the file is actually an executable. Once opened, such a file runs the embedded program rather than opening a document in Microsoft Office.

How to detect Quasar RAT using ANY.RUN?

ANY.RUN runs Suricata IDS rule sets against the captured traffic, so when a sample attempts to communicate with its C&C server the connection is flagged. To see which threats were detected, open the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware with a robust persistence mechanism and a complete set of malicious capabilities. Being available to anybody with programming knowledge, Quasar has become a widely used RAT that was even featured in an attack targeting the US government.

However, unlike more advanced Trojans, Quasar RAT does not have sophisticated anti-analysis features, which makes setting up robust defenses an easier task, especially when malware hunting services like ANY.RUN are used to simplify and streamline the research.

IOCs

Note that not every entry below is attacker-controlled infrastructure. demo.ip-api.com and www.freegeoip.net are public IP geolocation services that the client queries to learn its external address, the ngrok.io and duckdns.org hostnames are tunnel and dynamic-DNS endpoints that are cheap for an operator to rotate, and some of the IP addresses fall in shared hosting or CDN ranges. Treat such entries as low-confidence leads and pivot on the remaining indicators where possible.

IP addresses
184.73.165.106
54.243.147.226
208.95.112.1
79.134.225.74
58.158.177.102
79.134.225.5
3.19.3.150
193.161.193.99
104.31.139.11
104.31.138.11
194.5.97.31
104.31.134.11
144.91.64.188
178.210.217.91
34.70.101.254
109.230.215.181
104.31.133.11
104.31.254.10
159.203.157.217
Hashes

Domains
isns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
cdn.push.house
elx01.knas.systems
optibet.ladesk.com
demo.ip-api.com
www.freegeoip.net
elumadns.eluma101.com
qxq.ddns.net
bnow.duckdns.org
slimmy1.duckdns.org
tools4money1.duckdns.org
westernautoweb.duckdns.org
c22e7809.ngrok.io
2e7bb891.ngrok.io
e63f7674.ngrok.io
01f76126.ngrok.io
