Quasar RAT: Detecting Malicious Successors

February 03, 2021 · 4 min read

Quasar remote administration tool (RAT) is a multi-functional, lightweight malware family that APT actors have used actively since 2014. Quasar’s code is publicly available as an open-source project, which makes the Trojan extremely popular among adversaries because of its broad customization options. As a result, a wide variety of samples exist within the Quasar malware family, and many of them have been used by nation-backed actors in their campaigns. The most recent notable operation deploying Quasar was run by APT10.

Quasar RAT Description

Quasar is a remote access tool initially developed as a legitimate Windows utility for user support and employee monitoring. In fact, the developer promotes Quasar as an easy-to-use and highly stable remote access solution for admins that is compatible with most Windows versions. The first variant of this tool was released in July 2014 and dubbed “xRAT”; in 2015 it was renamed Quasar, presumably in an attempt to distinguish the legitimate software from its malicious siblings.

After the tool was released on GitHub for free download in 2015, threat actors turned their sights to this multi-functional and customizable solution. For example, in 2017 the Gaza Cybergang group leveraged Quasar RAT to target governments across the Middle East. In 2018 it was used by the Patchwork APT to attack US think tanks. In 2019 the malware was spotted in a sophisticated campaign against the Ukrainian government and military. Finally, at the end of 2020, researchers revealed a long-running APT10 operation aimed at industry-leading companies across Japan. Notably, the Chinese state-sponsored APT10 group (Cicada, Stone Panda) added Quasar to its toolkit as far back as 2016 and has relied on custom-built versions of it to steal data ever since.

The latest APT10 campaign used Quasar RAT to target major automotive, pharmaceutical, and engineering vendors in Japan. Their subsidiaries in 17 regions across the globe were also attacked for reconnaissance purposes. The threat actors used a custom version of the malware that differs only slightly from its predecessor. In particular, the adversaries added the ability to download additional plugin modules, which makes the malware easily adaptable to changing goals, and they changed the communication and encryption routines.

Quasar RAT: Attack Kill-Chain

Since Quasar RAT is broadly adopted by hackers of every level, from script-kiddies to APTs, many customized versions of it can be found in the wild. The list of successors includes CinaRAT, QuasarStrike, VenomRAT, VoidRAT, AsyncRAT, and more. However, the majority of malicious samples follow the same attack routine.

Quasar is typically delivered via spam or phishing emails with malicious attachments. This approach is expected, since Quasar does not include any vulnerability exploits of its own: attackers need other malware or techniques to compromise the targeted host before they can deploy Quasar.

Upon execution, Quasar RAT achieves persistence using two methods: scheduled tasks and registry keys. The Trojan then escalates its privileges by launching a command prompt (cmd.exe) as an administrator. If Windows User Account Control (UAC) is enabled, the malware triggers a UAC prompt asking the victim to approve the command prompt. Finally, Quasar RAT starts its data-stealing activities. The Trojan has rather broad functionality, including task and file management, downloading files, terminating connections, killing processes, executing commands, opening remote desktop sessions, taking screenshots, webcam recording, keylogging, password dumping, and more.
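The persistence and privilege-escalation behaviour described above is what a detection rule can key on. The following Python is an added illustration, not the Sigma rule published on the Threat Detection Marketplace and not code from the Quasar project: it evaluates three simple rules over a handful of constructed Sysmon-style events (process creation, Event ID 1, and registry value set, Event ID 13). The field names follow Sysmon's schema; the task name, user name, file paths, and registry value in the sample events are made up for the example.

```python
"""Illustrative detection logic for Quasar-style persistence and UAC-approved
elevation, run over constructed Sysmon-like events (added example)."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Directories a user can write to without admin rights; commodity RATs usually
# persist from here, while legitimately installed software rarely does.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE
)
# Autorun registry locations (Run / RunOnce) under CurrentVersion.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def rule_scheduled_task(ev: Event) -> bool:
    """T1053: schtasks.exe /create whose command line points into a user-writable path."""
    if ev.get("EventID") != 1:
        return False
    image = str(ev.get("Image", "")).lower()
    cmd = str(ev.get("CommandLine", ""))
    return (
        image.endswith("\\schtasks.exe")
        and "/create" in cmd.lower()
        and bool(USER_WRITABLE.search(cmd))
    )


def rule_run_key(ev: Event) -> bool:
    """Registry autorun persistence: Run/RunOnce value written by a process
    that itself lives in a user-writable directory."""
    if ev.get("EventID") != 13:
        return False
    target = str(ev.get("TargetObject", ""))
    writer = str(ev.get("Image", ""))
    return bool(RUN_KEY.search(target)) and bool(USER_WRITABLE.search(writer))


def rule_elevated_cmd(ev: Event) -> bool:
    """cmd.exe running at High integrity (UAC prompt accepted) whose parent
    process lives in a user-writable directory."""
    if ev.get("EventID") != 1:
        return False
    image = str(ev.get("Image", "")).lower()
    parent = str(ev.get("ParentImage", ""))
    return (
        image.endswith("\\cmd.exe")
        and ev.get("IntegrityLevel") == "High"
        and bool(USER_WRITABLE.search(parent))
    )


RULES: Dict[str, Callable[[Event], bool]] = {
    "scheduled_task": rule_scheduled_task,
    "run_key": rule_run_key,
    "elevated_cmd": rule_elevated_cmd,
}

# Constructed sample telemetry (hypothetical host, user and paths).
CLIENT = r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"
SAMPLE_EVENTS: List[Event] = [
    # 0: RAT registers itself as an ONLOGON task -> should fire scheduled_task
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc ONLOGON /tr "' + CLIENT + r'" /rl HIGHEST /f',
     "ParentImage": CLIENT, "IntegrityLevel": "Medium"},
    # 1: admin creates a backup task for installed software -> benign
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    # 2: RAT writes an autorun value under HKCU Run -> should fire run_key
    {"EventID": 13, "Image": CLIENT,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # 3: RAT spawns an elevated cmd.exe after the UAC prompt -> should fire elevated_cmd
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": CLIENT, "IntegrityLevel": "High"},
    # 4: user opens a normal command prompt from Explorer -> benign
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The user-writable-path condition is what keeps the scheduled-task and elevated-cmd rules from firing on ordinary administration (event 1 and event 4 above stay quiet); in production you would tune that regex and the integrity-level check to the software inventory of your own estate.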

Quasar Detection

To enhance detection of and proactive defense against samples from the Quasar malware family, our Threat Bounty developer Osman Demir has released a dedicated Sigma rule:

https://tdm.socprime.com/tdm/info/WWXWHb1OJ3yt/Eb9NTncBR-lx4sDxFU7L/#rule-context

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

MITRE ATT&CK:

Tactics: Execution, Persistence, Privilege Escalation

Techniques: Scheduled Task (T1053)

Get a subscription to the Threat Detection Marketplace to reduce the mean time of cyber-attack detection with our 90,000+ item SOC content library. The content base grows every day to detect the most alarming cyber threats at the earliest stages of the attack lifecycle. Want to create your own curated content? Join our Threat Bounty community for a safer future!
