Quasar RAT

Quasar is one of the most widely used RATs in the world, largely because its source code is publicly available. The malware lets an attacker control the victim's computer remotely.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2015
Last seen: 1 August, 2021
Global rank: 13
Week rank: 11
Month rank: 12
IOCs: 5905

What is Quasar RAT?

Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in .NET and available to the public as an open-source project, which has made it a popular RAT featured in many attacks.

General description of Quasar RAT

Quasar RAT was first discovered in 2015 by security researchers who, after analyzing a sample, speculated at the time that an in-house development team had written it. In fact, Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over its lifetime, the malware has been updated several times, improving its overall functionality. The last version developed by the original author is v. 1.3.0.0, released in 2016. Since then, several third parties have adapted the RAT and issued their own versions, both minor and major, the latest major version being v. 2.0.0.1.

The RAT reviewed here consists of two main components: the server-side component and the client-side component. The server is the attacker's tool; it has a graphical user interface and is used to manage connections from the clients. The server-side component is also used to build the client executables that are eventually delivered to victims. Malware operators can select attributes in the builder and customize the executable to fit their needs.

The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections, and more.

It should be noted that Quasar's execution can unfold completely silently. Once the victim downloads and launches the client, usually delivered in a document via email, it can stay active for a long time, stealing data and giving the attacker control over the infected PC. The malware does run as a process that can be seen in Windows Task Manager or a similar tool, but it takes deliberate user action to notice Quasar's presence on a machine.

As for the creators of this malware, the person or group behind the original version has remained anonymous. As a result, the little information we do have goes no further than the name of the GitHub account that hosts the project, “quasar.”

As is evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration tool, which is clearly misleading given how it is used. In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware targeted the private sector.

Quasar RAT malware analysis

The execution process of this malware can be viewed in a video recorded by the ANY.RUN malware hunting service, which shows how the infection unfolds.

Figure 1: The lifecycle of Quasar in visual form, as shown on the process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Quasar's execution is fairly straightforward, though minor details vary from sample to sample. In the given example, Quasar was dropped by a Microsoft Office file. The dropped file then set a registry value so that it runs at every operating system start, checked the machine's external IP address, and copied itself to another location. After these steps, the malware began its main malicious activity: collecting information about the operating system and waiting for commands from the C2 server.

How to avoid infection by Quasar?

Quasar achieves persistence either through a scheduled task or through a registry Run value, so that the client launches every time the machine starts and the user logs on. The method is chosen based on the privileges of the user who ran the client. If the user has administrator rights, the client uses schtasks to create a scheduled task that runs it at logon with the highest run level. Without administrator rights, it falls back to writing its own path as a value under the current user's Run registry key, using the value name configured in the client builder.
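The following triage script is an added example, not code from the original page or from the Quasar project. It covers both persistence paths described above (the registry Run value set during execution and the elevated logon task used when the client runs as administrator) by inspecting two artifacts an analyst would export from a suspect host: task XML as produced by `schtasks /query /xml /tn <task>`, and the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. The task name, value names and paths in the samples are constructed for the demonstration and are not indicators from the page.

```python
"""Triage of the two Quasar persistence paths: an elevated logon task and a
per-user Run value. Added example; sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a standard user can write to. Autostart entries pointing here
# deserve a second look; entries under Program Files usually do not.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

# One `reg query` value line: <indent><name><2+ spaces><REG_type><2+ spaces><data>
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Constructed task export: logon trigger + HighestAvailable + exe under AppData.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\SubDir\Client.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed `reg query` output: one legitimate per-user app, one vendor
# entry under Program Files, and one value pointing at a copied-in client.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\Updater.exe" /silent
    Client Startup    REG_SZ    "C:\Users\victim\AppData\Roaming\SubDir\Client.exe"
"""


def is_user_writable(path: str) -> bool:
    """True if the path sits in a directory a non-admin user can write to."""
    p = path.strip().strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def exe_from_command(data: str) -> str:
    """Extract the executable from a Run-value command line ('"path" args' or 'path args')."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage_task_xml(xml_text: str) -> dict:
    """Flag a task that runs at logon, elevated, from a user-writable path."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    return {
        "logon_trigger": logon,
        "run_level": run_level,
        "command": command,
        "suspicious": logon and run_level == "HighestAvailable" and is_user_writable(command),
    }


def triage_run_key(reg_output: str) -> list:
    """Return (value_name, exe_path, suspicious) for each value in `reg query` output."""
    rows = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        exe = exe_from_command(m.group("data"))
        rows.append((m.group("name"), exe, is_user_writable(exe)))
    return rows


if __name__ == "__main__":
    print("task:", triage_task_xml(SAMPLE_TASK_XML))
    for name, exe, flagged in triage_run_key(SAMPLE_REG_QUERY):
        print(f"{'!!' if flagged else '  '} {name}: {exe}")
```

The user-writable heuristic is deliberately noisy: legitimate per-user software such as OneDrive also installs under AppData, so the output is a triage list to review against known-good entries, not a verdict. On a live host the same checks can be run against every task under C:\Windows\System32\Tasks and against the HKLM Run key as well.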

Distribution of Quasar RAT

Like most other RATs, Quasar is distributed in email spam campaigns that carry the malware's loader. The loader is embedded in a malicious attachment whose name is designed to make the user think they are receiving a document. Sometimes these files have a double extension such as .docx.exe; because Windows Explorer hides known file extensions by default, the victim sees only the document part of the name and assumes the file is harmless. Of course, once opened, such a file runs the attached executable rather than opening anything in Microsoft Office.
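As an added example (not from the original page), the check below classifies an attachment filename by its real final extension and reports when a document-looking name is actually an executable, and also shows what the victim sees once Explorer hides the known extension. The extension sets are illustrative, not complete.

```python
"""Double-extension attachment check. Added example; extension lists are illustrative."""

# Extensions that Windows or its script hosts execute on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "lnk"}
# Extensions that make a name look like a harmless document.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}


def classify_attachment(filename: str) -> str:
    """Return 'clean', 'executable' or 'disguised-executable' for an attachment name."""
    # Windows ignores trailing dots and spaces in names; attackers pad names with them.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "clean"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "disguised-executable"   # e.g. report.docx.exe
    return "executable"


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types' enabled."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


if __name__ == "__main__":
    for n in ("Invoice_2021.docx.exe", "statement.pdf .scr", "Quarterly report.docx"):
        print(f"{n!r}: {classify_attachment(n)}, shown as {displayed_name(n)!r}")
```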

How to detect Quasar RAT using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so when the malware tries to communicate with its C&C server, the traffic is flagged, provided it matches a loaded signature. To see which threats were detected, click the "Threats" section of the "Network" tab.

Figure 3: Quasar network threats

Conclusion

Quasar is a powerful open-source trojan with a robust persistence mechanism and a full set of malicious capabilities. Being available to anybody with basic programming knowledge, it became a widely used RAT and was even featured in an attack targeting the US government.

However, unlike other more advanced Trojans, Quasar RAT does not have extremely sophisticated anti-analysis features, which makes setting up robust cyber-defense an easier task, especially when using malware hunting services like ANY.RUN to simplify and streamline the research process.

IOCs

IP addresses
208.95.112.1
3.138.45.170
213.8.166.188
3.134.39.220
58.158.177.102
3.131.147.49
3.22.15.135
3.138.180.119
52.14.18.129
3.22.53.161
193.161.193.99
157.240.9.35
3.142.167.4
3.136.65.236
3.134.125.175
88.198.193.213
3.128.107.74
3.132.159.158
3.14.182.203
3.13.191.225
Hashes

Domains
booking.msg.bluhotels.com
dfsewrd.duckdns.org
2.tcp.ngrok.io
WindowsAuthentication324-49629.portmap.host
majul.com
kokohackpack.hopto.org
smtp.recornit.com
smtp.maizinternational.com
smtp.telenor-com.xyz
smtp.pdcblt.net
smtp.raymond-john.com
smtp.ametexegypts.info
smtp.nutritionauctores.com
smtp.radiologyauctores.com
smtp.gastroenterologyauctoresonline.org
smtp.sleepauctoresonline.org
smtp.fortvelle.com
cthree.msoftupdates.com
ctwo.msoftupdates.com
