Quasar RAT: A sneak peek into the Remote Access Trojan’s capabilities

• Quasar Remote Access Trojan uses two methods to achieve persistence such as scheduled tasks and registry keys.
• Its capabilities include capturing screenshots, recording webcam, reversing proxy, editing registry, spying on the user’s actions, keylogging and stealing passwords.

Quasar is a publicly available open-source Remote Access Trojan (RAT) which primarily targets Windows OS systems. Quasar RAT is distributed via malicious attachments in phishing emails. This RAT is written in the C# programming language.

Quasar was developed by GitHub user MaxXor to be used for legitimate purposes. However, the RAT has been used by bad actors in cyber-espionage campaigns. Quasar RAT was first released in July 2014 as “xRAT 2.0.” and was later renamed as “Quasar” in August 2015.

The Remote Access Trojan uses two methods to achieve persistence - Scheduled tasks and Registry keys.

What are the capabilities of Quasar RAT?

Quasar RAT’s capabilities include:

• Managing tasks and files
• Downloading, uploading, and retrieving files
• Terminating connections and killing processes
• Configuring and building client executables
• Compressing and encrypting communication
• Executing computer commands
• Opening a remote desktop connection
• Capturing screenshots and recording webcam
• Reversing proxy and editing registry
• Spying on the user’s actions
• Keylogging and stealing passwords

DustSky campaign against governments

In January 2017, Palo Alto Networks observed Gaza threat actor group’s DustSky campaign targeting government institutions in the Middle East. The campaign installed the Downeks downloader, which in turn dropped the Quasar RAT on to victims’ computers.

Quasar RAT used in Ukraine

In January 2018, attackers targeted the Ukranian Ministry of Defense with the Quasar RAT and a custom malware dubbed VERMIN. The malware strains were distributed via decoy documents. The attack was aimed at stealing system information, usernames, keystrokes, and clipboard data.

Malware campaign drops Quasar RAT and NetWiredRC RAT

In February 2018, researchers observed a malware campaign that distributed the Quasar RAT and NetWiredRC RAT as final payloads via malicious RTF documents.

• The malicious RTF documents contained Microsoft Excel sheets that included a macro.
• The RTF documents force the users to enable the macro, upon which it executes the PowerShell command to download a malicious VBS file.
• The VBS file terminates all running instances of Microsoft Word and Excel process and finally downloads the payloads.

Attackers abuse RCE vulnerability to distribute Quasar RAT

A remote code execution vulnerability (tracked as CVE-2018-8373 ) with Internet Explorer’s scripting engine has been abused to distribute the Quasar RAT. This RCE vulnerability has been previously patched.

APT10 uses PlugX and Quasar RAT

In May 2019, researchers observed the Chinese cyber-espionage group APT10 using two loader variants and various payloads to launch attacks against government and private organizations in Southeast Asia.

• The two variants are PlugX and Quasar RAT.
• These loader variants drop malicious files such as Jjs.exe, jli.dll, Msvcrt100.dll, and svchost.bin to distribute additional payloads.