What is Quasar malware?
Quasar is a remote access trojan is used by the attackers to take remote control of infected machines. It is written using the .NET programming language and available to a wide public as an open-source project, making it a popular RAT that was featured in a number of attacks.
General description of Quasar
Quasar was first discovered in 2015 by security researchers, who, at the time, speculated that this RAT was written by an in-house development team after performing the analysis of a sample. Quasar is an evolution of an older malware called xRAT and some of its samples can carry out as much as 16 malicious actions.
Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version of the malware which was developed by the original author is v. 1.3.0.0. It was released in 2016. Since that time several third parties have adapted the RAT and issued their own version, both minor and major with the last major version being v. 2.0.0.1.
The RAT we are reviewing today consists of two main components – the server-side component and the client-side component. The server is equipped with a graphical user interface and it is used for managing connections with the client-side programs. The server-side component is also utilized to build malware samples which are eventually delivered to potential victims. Malware user has an option to select attributes and customize the executable to fit the needs of the attacker.
The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections and more.
It should be noted that Quasar execution can unfold completely silently, thus, once the victim downloads and launches the client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the hacker control over the infected PC. The malware does generate a process which can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover Quasar presence on a machine.
As far as creators of this malware are concerned, the group of people or a person behind the original version of this malware managed to remain anonymous. The little known information that we do have does not go beyond the name of the GitHub page author which states simply “quasar”.
As evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year another wave of attacks using this malware occurred, this time targeting the private sector.
Quasar malware analysis
The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, allowing to take a look at how the contamination process unfolds.
Figure 1: Displays the lifecycle of Quasar in a visual form, as shown on the graph generated by ANY.RUN.
Figure 2: Shows a customizable text report generated by the ANY.RUN malware hunting service.
Quasar execution process
Quasar execution is pretty straightforward but can vary in minor details from sample to sample. In a given example, Quasar was dropped from a Microsoft Office file. The dropped file changed the registry value to make itself run with every operating system start, checked for external IP and also copied itself at another location. After all these steps, the malware started the main malicious activity - collecting information about the operating system and waiting for commands from the C2 server.
How to avoid infection by Quasar?
Quasar writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware the run every time a machine is started. The persistence method is chosen based on user privileges. As such, if the user has admin rights, the malware uses schtasks to create a scheduled task which launches after a user logs on with the highest run level. If admin rights are lacking, then the scheduled task can only go as far as to add a registry value which is configured in the client builder and added to the current path as the startup program.
Distribution of Quasar
Just as most of the other RATs, Quasar is distributed in email spam campaigns that carry the malware’s loader. The loader is embedded in a malicious file attachment which usually carries a name designed to trick the user into thinking that he or she is receiving some sort of a document. Sometimes these files will have a double extension such as docx.exe. This is done to trick the victim into thinking that the attached file is harmless. Of course, once opened, such files start a command prompt rather than Microsoft Office.
How to detect Quasar using ANY.RUN?
ANY.RUN uses Suricata IDS rule sets so if malware trying to communicate with C&C servers it will be detected. To look at what threats were detected just click on the "Threats" section of the "Network" tab.
Figure 3: Quasar network threats
Conclusion
Quasar is a powerful open-source malware equipped with a robust persistence mechanism and a complete feature set of malicious capabilities. Being available to anybody with programming knowledge, Quasar became a widely used RAT which was even featured in an attack targeted at the American government.
However, unlike other more advanced Trojans, Quasar does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.
