Quasar RAT, an open-source remote access trojan also known as CinaRAT or Yggdrasil, has been spotted leveraging a new Microsoft file as part of its DLL sideloading process to stealthily drop malicious payloads on compromised Windows systems. In 2022, Uptycs researchers observed QBot malware employing the tactic via the Microsoft file ‘calc.exe’. Now, in 2023, threat actors behind Quasar RAT have adopted a similar method and are using two Microsoft files—ctfmon.exe and calc.exe—to execute payloads without raising suspicion.
Glance at the attack scenario
As documented by Uptycs, the attack uses an ISO image file that contains three files: a legitimate binary named ctfmon.exe that's renamed as eBill-997358806.exe, a MsCtfMonitor.dll file that's renamed as monitor.ini, and a malicious version of MsCtfMonitor.dll. The attacker relies on the renamed ctfmon.exe loading the malicious MsCtfMonitor.dll placed beside it, which sets the stage for subsequent actions.
Running the renamed executable triggers the malicious DLL, which loads the Quasar RAT payload into the computer's memory, demonstrating the attacker's ability to bypass security measures.
Once the Quasar RAT payload is executing in memory, it further employs the process hollowing technique, which conceals its malicious activity and makes detection more challenging.
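The chain above leaves two telemetry indicators a defender can look for in image-load events: a Microsoft binary whose on-disk name differs from the OriginalFileName in its version resource (ctfmon.exe running as eBill-997358806.exe), and a DLL carrying a Windows system DLL name (MsCtfMonitor.dll) being loaded from the executable's own directory rather than from System32. The following is an added example, not code from the Uptycs report or from the Quasar RAT project. The event records and the `E:` drive letter are constructed, the field names are this example's own (loosely modeled on Sysmon image-load events), and the set of watched DLL names is an assumption that would be tuned per environment.

```python
"""Heuristic detection of DLL sideloading in image-load telemetry (added example).

Two indicators are checked per event:
  1. renamed_binary: the process file name differs from the OriginalFileName
     recorded in its PE version resource (e.g. ctfmon.exe renamed).
  2. system_dll_outside_system_dir: a DLL whose name is on a watch list of
     Windows system DLLs is loaded from outside the Windows system directories.
When both fire and the DLL sits in the same directory as the executable, the
event is additionally tagged likely_dll_sideloading.
"""
import ntpath
from dataclasses import dataclass

# Assumption: only these two directories count as legitimate homes for the DLLs
# on the watch list. Adjust for WinSxS or vendor-specific layouts as needed.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: DLL names commonly resolved via search order by Windows binaries.
WATCHED_DLLS = {"msctfmonitor.dll"}

# Constructed sample records; field names are this example's own.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\ctfmon.exe;ImageOriginalFileName=CTFMON.EXE;"
    "ImageLoaded=C:\\Windows\\System32\\MsCtfMonitor.dll",
    "Image=E:\\eBill-997358806.exe;ImageOriginalFileName=CTFMON.EXE;"
    "ImageLoaded=E:\\MsCtfMonitor.dll",
    "Image=C:\\Tools\\mycalc.exe;ImageOriginalFileName=CALC.EXE;"
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
]


@dataclass
class ImageLoadEvent:
    image: str           # full path of the process that loaded the module
    image_original: str  # OriginalFileName from the process's PE version info
    loaded: str          # full path of the module that was loaded


def parse_event(line):
    """Parse one 'key=value;key=value' record into an ImageLoadEvent."""
    fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
    return ImageLoadEvent(
        image=fields.get("Image", ""),
        image_original=fields.get("ImageOriginalFileName", ""),
        loaded=fields.get("ImageLoaded", ""),
    )


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def analyze(event):
    """Return the list of indicator tags raised by a single event."""
    findings = []
    proc_name = ntpath.basename(event.image).lower()
    if event.image_original and proc_name != event.image_original.lower():
        findings.append(f"renamed_binary:{proc_name}<-{event.image_original}")

    dll_name = ntpath.basename(event.loaded).lower()
    if dll_name in WATCHED_DLLS and not _in_system_dir(event.loaded):
        findings.append(f"system_dll_outside_system_dir:{dll_name}")

    # Renamed host plus a system-named DLL loaded from the host's own directory
    # is the classic sideloading shape; rank it above either indicator alone.
    same_dir = ntpath.dirname(event.image).lower() == ntpath.dirname(event.loaded).lower()
    if len(findings) == 2 and same_dir:
        findings.append("likely_dll_sideloading")
    return findings


def scan(lines):
    """Map each record index to its findings, omitting clean events."""
    results = {}
    for idx, line in enumerate(lines):
        findings = analyze(parse_event(line))
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].split(";")[0], findings)
```

The third sample shows why the two indicators are combined before alerting: a renamed calc.exe loading kernel32.dll from System32 is suspicious enough to log but is not by itself evidence of sideloading, whereas the second sample, a renamed ctfmon.exe pulling MsCtfMonitor.dll from its own directory on a removable volume, matches the Quasar RAT chain described above and receives the combined tag.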
DLL sideloading gains traction
While DLL sideloading is not new, researchers are observing an increase in the adoption of the process by threat actors.
Recently, a newly discovered threat group named Grayling leveraged the tactic via SbieDll_Hook to load a variety of payloads, such as Cobalt Strike, NetSpy, and the Havoc framework, onto victims' systems.
In another incident, a lesser-known Chinese threat actor, ToddyCat, leveraged DLL sideloading to execute malicious payloads against government and telecommunications organizations in Asian countries.
Conclusion
Since DLL sideloading attacks are primarily delivered through links, emails, or attachments that hide the malware, organizations are advised to treat such dubious and unfamiliar artifacts with caution. Additionally, it is recommended to deploy advanced endpoint security solutions that detect and block suspicious activity at the initial stage.