Quasar RAT

Quasar is a popular RAT worldwide thanks to its source code being publicly available on GitHub. The malware lets an attacker remotely control the victim's computer.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 17 January, 2020
Global rank: 17
Week rank: 14
Month rank: 15
IOCs: 566

What is Quasar RAT?

Quasar is a remote access trojan (RAT) that attackers use to take remote control of infected machines. It is written in .NET and published as an open-source project, which has made it a widely used RAT featured in a number of attacks.

General description of Quasar RAT

Quasar RAT was first identified by security researchers in 2015; after analyzing a sample, they speculated at the time that it had been written by an in-house development team. Quasar is an evolution of an older malware called xRAT, and some of its samples support as many as 16 malicious actions.

Over its lifetime the malware has been updated several times, improving its overall functionality. The last version developed by the original author is v1.3.0.0, released in 2016. Since then, several third parties have adapted the RAT and issued their own minor and major versions, the last major one being v2.0.0.1.

Quasar consists of two main components: the server and the client. The server has a graphical user interface and is used to manage connections from the clients. It is also used to build the client executables that are eventually delivered to victims: the operator selects the attributes and customizes the executable to fit the needs of the attack.

The resulting client supports remote file management on the infected machine, registry modification, recording the victim's actions, remote desktop sessions and more.

Quasar runs without any visible window. Once the victim launches the client, usually delivered as a document attachment by email, it can stay active for a long time, stealing data and giving the operator control over the infected PC. The client does run as a process that can be found in the Windows Task Manager or a similar tool, but spotting it requires the user to actively look for it.

As for the creators, the person or group behind the original version of this malware has remained anonymous. The only information available is the name of the GitHub account that published it, which is simply "quasar".

The description on the "official" Quasar GitHub page presents the tool as a legitimate remote administration program, which is misleading given how it is used in practice. Quasar was used in an attack on the US government in early 2017, and later that year another wave of attacks using this malware targeted the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which shows how the infection unfolds step by step.

Figure 1: The lifecycle of Quasar in visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Quasar execution is fairly straightforward but can vary in minor details from sample to sample. In the example shown, Quasar was dropped by a Microsoft Office file. The dropped executable added a registry value so that it runs at every operating system start, queried an external service for the machine's public IP address, and copied itself to another location. After these steps the malware began its main activity: collecting information about the operating system and waiting for commands from the C2 server.

How to avoid infection by Quasar?

Quasar achieves persistence either through a scheduled task or through a registry Run value, so that the client launches every time the machine starts. The method is chosen based on the user's privileges. If the user has admin rights, the malware calls schtasks to create a task that runs the client at logon with the highest run level. Without admin rights it cannot create such a task, so it instead writes a registry Run value (named as configured in the client builder) that points at the client's installation path, making the client a startup program for the current user.
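The execution chain and the two persistence paths described above translate directly into host detection logic. The following is an added example, not ANY.RUN's or Quasar's own code: it runs a few rules over constructed Sysmon-style events (process creation, registry value set, DNS query). The field names follow Sysmon, but every path, SID, task name and host name in the sample events is made up, and the list of public-IP lookup services is an assumption, seeded from the domains in the IOC list below.

```python
"""Detection logic for the Quasar infection chain: Office dropping an executable
into a user-writable directory, a scheduled task created at logon with the highest
run level (admin path), a Run key value pointing at the client (non-admin path),
and a public-IP lookup from a non-browser process.

Added example; all sample events are constructed, not captured telemetry."""
import re

# Constructed sample telemetry: one infection chain plus benign noise.
SAMPLE_EVENTS = [
    # 0: Word spawns an executable written to a user-writable directory (dropper).
    {"id": 1, "Image": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"'},
    # 1: Admin path: scheduled task at logon with the highest run level
    #    (task name "Client Startup" is an assumption).
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "CommandLine": r'schtasks /create /tn "Client Startup" /sc ONLOGON '
                    r'/tr "C:\Users\alice\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    # 2: Non-admin path: Run value written directly by the client (Sysmon event 13).
    {"id": 13, "Image": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\Client Startup",
     "Details": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"},
    # 3: Public-IP lookup issued by the client process (Sysmon event 22).
    {"id": 22, "Image": r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe",
     "QueryName": "demo.ip-api.com"},
    # 4: Benign: Windows querying one of its own tasks.
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"schtasks /query /tn \Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    # 5: Benign: a browser resolving the same kind of service.
    {"id": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.freegeoip.net"},
]

# Directories an unprivileged user can write to; where droppers usually land.
USER_WRITABLE = re.compile(r"[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")
# Assumption: common public-IP lookup services; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"ip-api.com", "freegeoip.net", "ipify.org", "icanhazip.com"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_ip_lookup(qname):
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in IP_LOOKUP_HOSTS)


def evaluate(event):
    """Return the names of the rules a single event triggers."""
    hits = []
    if event["id"] == 1:
        cmd = event["CommandLine"].lower()
        if basename(event["ParentImage"]) in OFFICE_APPS and USER_WRITABLE.search(event["Image"]):
            hits.append("office_spawns_user_writable_exe")
        if basename(event["Image"]) == "schtasks.exe" and "/create" in cmd:
            if "/sc onlogon" in cmd and "/rl highest" in cmd:
                hits.append("schtasks_onlogon_highest")
            if USER_WRITABLE.search(event["ParentImage"]) or USER_WRITABLE.search(cmd):
                hits.append("schtasks_from_user_writable_path")
    elif event["id"] == 13:
        if RUN_KEY.search(event["TargetObject"]) and USER_WRITABLE.search(event.get("Details", "")):
            hits.append("run_key_points_to_user_writable_exe")
    elif event["id"] == 22:
        if is_ip_lookup(event["QueryName"]) and basename(event["Image"]) not in BROWSERS:
            hits.append("external_ip_lookup_by_non_browser")
    return hits


def scan(events):
    """Map each triggered rule name to the indexes of the events that fired it."""
    out = {}
    for i, ev in enumerate(events):
        for rule in evaluate(ev):
            out.setdefault(rule, []).append(i)
    return out


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

None of these rules is specific to Quasar on its own; what makes the chain stand out is the combination, so in practice you would correlate the hits by process (here, everything fires on Client.exe or its schtasks child) rather than alert on each rule individually.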

Distribution of Quasar RAT

Like most other RATs, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious attachment whose name is designed to make the recipient believe they are receiving an ordinary document. Sometimes these files carry a double extension such as .docx.exe, so that the attachment looks harmless at a glance. Once opened, such a file executes the loader instead of opening in Microsoft Office.
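The double-extension trick only works because a reader stops at the first extension they recognize. The check below, an added example rather than any code from the page or from Quasar, classifies attachment names by the extension Windows will actually act on, and also handles the padded variant ("scan.pdf      .scr") and trailing dots or spaces, which Windows strips when resolving a name. The sample names and the extension sets are constructed assumptions.

```python
"""Classify attachment filenames by the extension Windows will actually execute.
Added example with constructed inputs; extension lists are assumptions."""
import re

# Extensions a lure pretends to be (what the victim thinks they received).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt", "jpg", "png"}
# Extensions Windows will run when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi"}


def attachment_verdict(name):
    """Return one of: double_extension_lure, executable, document, other, no_extension."""
    n = name.strip().lower().rstrip(". ")   # Windows ignores trailing dots and spaces
    n = re.sub(r"\s+\.", ".", n)            # collapse "file.docx      .exe" padding
    parts = n.split(".")
    if len(parts) < 2:
        return "no_extension"
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "double_extension_lure"
        return "executable"
    if real_ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def suspicious_attachments(names):
    """Filter a list of attachment names down to the ones that would run code."""
    return [n for n in names if attachment_verdict(n) in ("double_extension_lure", "executable")]


if __name__ == "__main__":
    # Constructed sample attachment names, not from a real campaign.
    sample = ["Invoice_2020.docx.exe", "scan.pdf      .scr", "report.docx",
              "setup.exe", "archive.tar.gz", "readme"]
    for n in sample:
        print(f"{n!r:32} -> {attachment_verdict(n)}")
```

A mail gateway would apply the same classification to the real MIME part name and, ideally, to the file's magic bytes as well, since the name is fully attacker-controlled.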

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so when a sample tries to communicate with its C&C server the traffic is detected. To see which threats were detected, click the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar trojan is a powerful open-source malware with a robust persistence mechanism and a complete set of malicious capabilities. Because it is available to anyone with programming knowledge, Quasar became a widely used RAT that was even featured in an attack targeting the US government.

However, unlike more advanced trojans, Quasar RAT does not have particularly sophisticated anti-analysis features, which makes setting up a robust defense easier, especially when using malware hunting services such as ANY.RUN to simplify and streamline the research process.

IOCs

IP addresses
208.95.112.1
50.19.218.16
79.134.225.74
162.200.139.146
104.31.138.11
184.73.165.106
104.31.139.11
193.161.193.99
104.31.132.11
104.31.133.11
54.243.147.226
3.19.3.150
104.31.134.11
79.134.225.5
194.5.97.31
23.23.229.94
206.189.182.212
104.31.76.103
150.107.76.125
Hashes

Domains
demo.ip-api.com
qxq.ddns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
feed.monad-rtb.com
bnow.duckdns.org
slimmy1.duckdns.org
tools4money1.duckdns.org
westernautoweb.duckdns.org
1338099.ddns.net
harryng2.ddns.net
stevesteves001.warzonedns.com
www.freegeoip.net
cdn.push.house
elx01.knas.systems
cloud.360cn.info
dns.chinanews.network
