Quasar

Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in the .NET programming language and is available to the general public as an open-source project, which has made it a popular RAT featured in a number of attacks.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 January, 2015
  • Last seen
    22 November, 2019
  • Global rank
    17
  • Week rank
    17
  • Month rank
    21
  • IOCs
    522

General description of Quasar

Quasar was first discovered in 2015 by security researchers who, after analyzing a sample, speculated at the time that this RAT had been written by an in-house development team. Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version developed by the original author is v. 1.3.0.0, released in 2016. Since then, several third parties have adapted the RAT and issued their own minor and major versions, the last major version being v. 2.0.0.1.

The RAT we are reviewing today consists of two main components – the server-side component and the client-side component. The server is equipped with a graphical user interface and is used to manage connections with the client-side programs. The server-side component is also used to build the malware samples that are eventually delivered to potential victims: the malware operator can select attributes and customize the executable to fit the attacker's needs.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections and more.

It should be noted that Quasar execution can unfold completely silently. Once the victim downloads and launches the client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the attacker control over the infected PC. The malware does create a process that can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover Quasar's presence on a machine.

As far as the creators of this malware are concerned, the person or group behind the original version managed to remain anonymous. The little information we do have does not go beyond the name of the GitHub page author, which is simply “quasar”.

As is evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware occurred, this time targeting the private sector.

Quasar malware analysis

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which shows how the infection process unfolds.

Figure 1: The lifecycle of Quasar in visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware hunting service.

Quasar execution process

Quasar execution is fairly straightforward but can vary in minor details from sample to sample. In the example analyzed here, Quasar was dropped by a Microsoft Office file. The dropped file changed a registry value to make itself run at every operating system start, checked the external IP address and also copied itself to another location. After these steps, the malware started its main malicious activity: collecting information about the operating system and waiting for commands from the C2 server.

How to avoid infection by Quasar?

Quasar writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware to run every time the machine is started. The persistence method is chosen based on user privileges: if the user has admin rights, the malware uses schtasks to create a scheduled task that launches after the user logs on, with the highest run level. If admin rights are lacking, the malware instead adds a registry value, configured in the client builder, that points to its current path as a startup program.
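One way a defender can check exported autostart data for the two persistence patterns just described, as an added Python example that is not ANY.RUN's or the Quasar project's code; the Task Scheduler XML shape (LogonTrigger, RunLevel) is the real schema, while the task definitions, Run values, user names and paths are constructed samples.

```python
# Added example (not ANY.RUN's or the Quasar project's code): checks exported
# Windows autostart data for the two persistence patterns described above.
# Every task XML and Run-key value here is a constructed sample.
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to; an autostart entry there deserves a look.
USER_WRITABLE = re.compile(r"\\AppData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%", re.I)

# Constructed task definition of the shape `schtasks /create /sc ONLOGON /rl HIGHEST`
# produces, with the binary under the user's AppData.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\bob\\AppData\\Roaming\\SubDir\\Client.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\Updater.exe</Command></Exec></Actions>
</Task>"""
# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values (name -> command).
RUN_VALUES = {
    "OneDrive": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
    "Client Startup": "C:\\Users\\bob\\AppData\\Roaming\\SubDir\\Client.exe",
}

def scheduled_task_findings(task_xml: str) -> list:
    """Admin-rights pattern: logon trigger + HighestAvailable run level, and/or
    a command that lives in a user-writable directory."""
    root = ET.fromstring(task_xml)
    has_logon = root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None
    run_level = root.findtext(".//t:Principals/t:Principal/t:RunLevel", "", TASK_NS)
    command = root.findtext(".//t:Actions/t:Exec/t:Command", "", TASK_NS).strip()
    findings = []
    if has_logon and run_level == "HighestAvailable":
        findings.append("logon trigger with HighestAvailable run level")
    if USER_WRITABLE.search(command):
        findings.append("command in user-writable path: " + command)
    return findings

def run_key_findings(run_values: dict) -> list:
    """No-admin fallback: Run values whose command points into a user-writable path."""
    return [name + ": " + cmd for name, cmd in run_values.items() if USER_WRITABLE.search(cmd)]
```

On a live host the task XML can be exported with `schtasks /query /xml /tn <name>` and the Run values read from the registry; the heuristics above flag candidates for review, not a verdict.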

Distribution of Quasar

Just as most other RATs, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious file attachment whose name is usually designed to trick the user into thinking that he or she is receiving some sort of document. Sometimes these files have a double extension such as docx.exe, so that the victim believes the attached file is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.
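A mail-gateway style check for the double-extension lure just described, added here as a Python example that is not ANY.RUN's code; the extension lists are an assumed starting point and the attachment names are constructed.

```python
# Added example (not ANY.RUN's code): flags mail attachment names that use the
# double-extension lure described above ("invoice.docx.exe"). The extension
# lists are a starting point, not exhaustive; sample names are constructed.
import os

EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}

def is_double_extension_lure(filename: str) -> bool:
    """True when the real (last) extension is executable and the part shown in
    front of it ends in a document extension. Trailing spaces before the real
    extension are tolerated, since padding is used to push ".exe" out of view."""
    stem, real_ext = os.path.splitext(filename.strip().lower())
    if real_ext not in EXECUTABLE:
        return False
    _, shown_ext = os.path.splitext(stem.rstrip())
    return shown_ext in DOCUMENT

def flag_attachments(names) -> list:
    """Return the attachment names from a message that match the lure pattern."""
    return [n for n in names if is_double_extension_lure(n)]

# Constructed attachment names as they might arrive at a mail gateway.
SAMPLE_ATTACHMENTS = ["Invoice_2019.docx.exe", "report.pdf", "setup.exe",
                      "Contract.pdf                 .scr", "archive.tar.gz"]
```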

How to detect Quasar using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if the malware tries to communicate with its C&C servers, the traffic will be detected. To see which threats were detected, click on the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT that was even featured in an attack targeting the American government.

However, unlike other more advanced Trojans, Quasar does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.
