Quasar RAT

Quasar is a very popular RAT worldwide because its code is available as open source. This malware can be used to control the victim’s computer remotely.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 23 October, 2021
Global rank: 14
Week rank: 16
Month rank: 16
IOCs: 6197

What is Quasar RAT?

Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in .NET and is available to the general public as an open-source project for Microsoft Windows operating systems, which makes it a popular RAT featured in many attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers who, after analyzing a sample, speculated at the time that an in-house development team had written it. However, Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version developed by the original author is v. 1.3.0.0, released in 2016. Since then, several third parties have adapted the RAT and issued their own versions, both minor and major, with the latest major version being v. 2.0.0.1.

The RAT we are reviewing today consists of two main components – the server-side component and the Quasar client-side component. The server is equipped with a graphical user interface, and it is used for managing connections with the client-side programs. The Quasar client-server architecture is also utilized to build malware samples which are eventually delivered to potential victims. Malware users can select attributes and customize the executable to fit the attacker's needs. The Quasar client and server run on different OSs including all Windows versions.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections, and more. All of the data, including requests, is sent to the host server together with a user-agent string.

It should be noted that Quasar's execution can unfold completely silently. Thus, once the victim downloads and launches the Quasar client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the hacker control over the infected PC. The malware does generate a process that can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover Quasar trojan's presence on a machine.

As far as the creators of this malware are concerned, the group or individual behind the original version has managed to remain anonymous. As a result, the little information that we do have does not go beyond the name of the GitHub page author, which is “quasar.”

As evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware occurred, targeting the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which allows analysts to observe how the infection process unfolds.

Figure 1: Process graph of the Quasar execution, displaying the lifecycle of the malware in visual form as generated by ANY.RUN.

Figure 2: Customizable text report of the Quasar analysis generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Based on the analysis, Quasar's execution is pretty straightforward but can vary in minor details from sample to sample. The RAT's user-agent strings imitate various programs, such as a browser running on Windows. In the given example, Quasar was dropped from a Microsoft Office file. The dropped file then changed a registry value so that it runs at every operating system start, checked for the external IP address, and copied itself to another location. After all these steps, the malware started its main malicious activity: collecting information about the operating system and waiting for commands from the C2 server. Quasar allows malware users to collect host system data.
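Because the RAT's requests carry a user-agent string that imitates a browser, a defender's first handle on Quasar traffic is the set of user-agent strings that actually appear on the network: a "browser" that only one host ever uses, and that reaches destinations no other host visits, stands out against the baseline. The following script is an added example written for this page, not ANY.RUN's code. The proxy log lines are constructed, the five-field layout (timestamp, client IP, method, URL, quoted user-agent) is an assumption about the proxy format, and the allow-list of non-browser agents is an assumed local list; the tunnel domain in the last POST is taken from the IoC list at the end of this page.

```python
"""Baseline proxy User-Agent strings and flag the ones only a single client uses.

Added example for this page (not ANY.RUN's code). The log lines are constructed
and the five-field layout (timestamp, client IP, method, URL, quoted UA) is an
assumption about the proxy's format; adapt LINE_RE to your own logs.
"""
import re
from collections import defaultdict

# Constructed sample: three hosts share a current Chrome build, two share
# Firefox, one host uses an old Chrome 50 UA to look up its external IP and
# then POST to a tunnel domain taken from the page's IoC list.
SAMPLE_LOG = """\
2021-10-23T08:00:01 10.0.0.5 GET https://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/94.0.4606.81"
2021-10-23T08:00:03 10.0.0.6 GET https://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/94.0.4606.81"
2021-10-23T08:01:10 10.0.0.7 GET https://news.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/94.0.4606.81"
2021-10-23T08:02:00 10.0.0.5 GET https://mail.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"
2021-10-23T08:02:05 10.0.0.6 GET https://mail.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"
2021-10-23T08:03:00 10.0.0.9 GET http://ip.example/whatismyip "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0.2661.102"
2021-10-23T08:03:30 10.0.0.9 POST http://c5040e5692cf.ngrok.io/ "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0.2661.102"
2021-10-23T08:04:00 10.0.0.8 GET https://updates.example/ "Microsoft-Delivery-Optimization/10.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Non-browser agents that legitimately appear on few hosts; allow-list them so
# rarity alone does not page an analyst (prefixes are an assumed local list).
KNOWN_AGENT_PREFIXES = ("Microsoft-Delivery-Optimization/",)


def parse_proxy_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "ua": ua})
    return records


def build_ua_baseline(records):
    """Map each User-Agent string to the set of client IPs that sent it."""
    clients_by_ua = defaultdict(set)
    for r in records:
        clients_by_ua[r["ua"]].add(r["client"])
    return clients_by_ua


def rare_user_agents(records, max_clients=1,
                     allow_prefixes=KNOWN_AGENT_PREFIXES):
    """Return {ua: {"clients": [...], "urls": [...]}} for User-Agent strings
    sent by at most max_clients distinct hosts, skipping allow-listed agents.
    A UA that claims to be a browser but is unique to one host, and is used to
    reach destinations no other host visits, is worth a closer look."""
    findings = {}
    for ua, clients in build_ua_baseline(records).items():
        if ua.startswith(allow_prefixes) or len(clients) > max_clients:
            continue
        urls = sorted({r["url"] for r in records if r["ua"] == ua})
        findings[ua] = {"clients": sorted(clients), "urls": urls}
    return findings


if __name__ == "__main__":
    for ua, info in rare_user_agents(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"rare UA {ua!r} from {info['clients']} -> {info['urls']}")
```

On the constructed sample only the outdated Chrome 50 string is reported, together with the external-IP lookup and the tunnel POST it was used for; the Delivery Optimization agent is also unique to one host but is allow-listed, which is the usual way to keep rarity-based hunting from drowning in legitimate background services. Raising max_clients widens the net at the cost of more review work.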

How to avoid infection by Quasar?

Quasar trojan writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware to run every time a machine is started. The persistence method is chosen based on user privileges. If the user has admin rights, the malware uses schtasks to create a scheduled task that launches after a user logs on, with the highest run level. If admin rights are lacking, no scheduled task is created; instead, the malware adds a registry value, configured in the client builder, that registers its current path as a startup program. The best way to avoid infection is for cybersecurity specialists to get to know the various user-agent strings that exist in their network and identify suspicious ones.
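Both persistence paths leave host telemetry that is easy to pattern-match: the admin variant shows up as schtasks.exe creating a logon-triggered task with the highest run level, and the no-admin variant as a value written under a Run key. The script below is an added example written for this page, not ANY.RUN's or the Quasar project's code. It runs both checks over constructed events shaped like Sysmon event 1 (process create) and event 13 (registry value set); the task name, file paths and SID are made up, and the list of user-writable directories is an assumed starting point.

```python
"""Flag the two Quasar persistence paths in Sysmon-style telemetry.

Added example for this page (not ANY.RUN's or the Quasar project's code).
The events are constructed dicts shaped like Sysmon event 1 (process create)
and event 13 (registry value set); the task name, paths and SID are made up.
"""
import re

# Locations an unprivileged user can write to; a startup entry pointing here
# deserves attention regardless of how it was registered (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\",
                        re.IGNORECASE)
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "CommandLine": r'schtasks /create /tn "Client Startup" /sc ONLOGON '
                    r'/tr "C:\Users\alice\AppData\Roaming\SubDir\Client.exe" '
                    r'/rl HIGHEST /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /query /fo LIST"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                     r"\Windows\CurrentVersion\Run\Client",
     "Details": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process_event(ev):
    """Admin-rights variant: schtasks creating a logon task with /rl HIGHEST
    whose target lives in a user-writable directory."""
    if not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["CommandLine"]
    low = cmd.lower()
    if "/create" not in low:
        return None
    m = TASK_TARGET_RE.search(cmd)
    target = (m.group(1) or m.group(2)) if m else None
    if (re.search(r"/sc\s+onlogon", low) and re.search(r"/rl\s+highest", low)
            and target and is_user_writable(target)):
        return {"technique": "scheduled task, logon trigger, highest run level",
                "target": target, "source": ev["ParentImage"]}
    return None


def check_registry_event(ev):
    """No-admin variant: a Run key value whose command points into a
    user-writable directory."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    # Take the executable path, dropping quotes and any trailing arguments.
    target = ev["Details"].strip().strip('"').split('"')[0]
    if is_user_writable(target):
        return {"technique": "Run key value", "target": target,
                "source": ev["TargetObject"]}
    return None


def scan_events(events):
    """Run both checks over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        finding = None
        if ev["EventID"] == 1:
            finding = check_process_event(ev)
        elif ev["EventID"] == 13:
            finding = check_registry_event(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['technique']}: {f['target']} (via {f['source']})")
```

On the sample, the task creation and the HKU Run value are reported while the schtasks query and the vendor updater's HKLM Run entry are not. Keying on the target path rather than on a task or value name is deliberate: names are set in the client builder and change between samples, whereas a startup entry that launches something out of a roaming profile directory is rare for legitimate software.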

Distribution of Quasar RAT

Like most other RATs, Quasar is distributed in email spam campaigns that carry the malware’s loader. The loader is embedded in a malicious file attachment which usually carries a name designed to trick the user into thinking that they are receiving some sort of a document. Sometimes these files will have a double extension such as docx.exe. Again, this is done to trick the victim into thinking that the attached file is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.
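A mail gateway can catch the double-extension trick described above by looking at the whole extension chain rather than at the name a user sees. The following classifier is an added example written for this page, not ANY.RUN's code; the document and executable extension sets are an assumed starting point and the sample names are constructed.

```python
"""Classify e-mail attachment names by their extension chain.

Added example for this page (not ANY.RUN's code). The extension sets are an
assumed starting point; extend them to match your mail gateway's policy.
"""
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi"}


def classify_attachment(name):
    """Return one of 'double-extension', 'executable', 'document',
    'other' or 'no-extension'. The last extension decides what Windows
    actually runs, so 'invoice.docx.exe' is an executable that merely
    displays as 'invoice.docx' when known extensions are hidden."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "no-extension"
    last, inner = parts[-1], (parts[-2] if len(parts) >= 3 else None)
    if last in EXECUTABLE_EXTS:
        return "double-extension" if inner in DOCUMENT_EXTS else "executable"
    if last in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage_attachments(names):
    """Map each attachment name to its class; 'double-extension' and
    'executable' are the classes a gateway would quarantine."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    SAMPLE_NAMES = ["Invoice_2021.docx.exe", "scan.pdf.scr", "report.pdf",
                    "setup.exe", "archive.zip", "README"]  # constructed
    for name, cls in triage_attachments(SAMPLE_NAMES).items():
        print(f"{name}: {cls}")
```

Note that this check is about the name only; a gateway should still inspect the file's actual content, since a document-looking name with a document extension can carry a macro loader just as well.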

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if malware tries to communicate with C&C servers, it will be detected. To see which threats were detected, click the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT which was even featured in an attack targeted at the American government.

However, unlike other more advanced Trojans, Quasar RAT does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.

IOCs

IP addresses
208.95.112.1
3.134.39.220
172.67.75.176
88.198.193.213
157.240.9.35
104.248.133.59
3.22.30.40
3.134.125.175
3.13.191.225
3.142.167.54
3.142.167.4
13.59.15.185
3.142.129.56
3.22.53.161
3.138.45.170
52.14.18.129
3.129.187.220
3.133.207.110
3.14.182.203
Hashes

Domains
93809e70c1fa.ngrok.io
8ef628b4602c.ngrok.io
ebc79a7f69ed.ngrok.io
cf8b04045d7a.ngrok.io
3a47ff971faf.ngrok.io
30fdb4c296af.ngrok.io
192913f09fa8.ngrok.io
bd66a884925b.ngrok.io
93d8e01c2593.ngrok.io
52e0ff58833f.ngrok.io
ce47174fc1d2.ngrok.io
9ea2ac777bb9.ngrok.io
4651479e198f.ngrok.io
6856dac09e83.ngrok.io
0b1a1cdfc942.ngrok.io
dcd888a14f6b.ngrok.io
c5040e5692cf.ngrok.io
e5d6f8fc0027.ngrok.io
1e23662c3b84.ngrok.io
jcole-lms.ngrok.io
