Quasar is a remote access trojan used by attackers to take remote control of infected machines. It is written in the .NET programming language and is available to a wide public as an open-source project for Microsoft Windows operating systems, making it a popular RAT featured in many attacks.

Quasar RAT was first discovered in 2015 by security researchers, who, at the time, speculated that an in-house development team wrote this RAT after performing the analysis of a sample. However, Quasar is an evolution of an older malware called xRAT, and some of its samples can carry out as many as 16 malicious actions.

Over the course of its lifetime, the malware has been updated several times, improving its overall functionality. The last version of the malware, which the original author developed, is v. Since then, several third parties have adapted the RAT and issued their own versions, both minor and major, with the last major version being v.

The RAT we are reviewing today consists of two main components – the server-side component and the Quasar client-side component. The server is equipped with a graphical user interface, and it is used for managing connections with the client-side programs. The Quasar client-server architecture is also utilized to build malware samples which are eventually delivered to potential victims. Malware users can select attributes and customize the executable to fit the attacker's needs. The Quasar client and server run on different OSs, including all Windows versions. The functionality of the resulting malware includes remote file management on the infected machine, registry alterations, recording the actions of the victim, establishing remote desktop connections, and more. All of the data, including requests, is sent to the host server with the user-agent strings.

It should be noted that Quasar's execution can unfold completely silently. Thus, once the victim downloads and launches the Quasar client, usually delivered in a document via email, it can stay active for a long period of time, stealing data and giving the hacker control over the infected PC. The malware does generate a process that can be discovered using the Windows Task Manager or a similar application, but active user actions are required to discover the Quasar trojan's presence on a machine.

As far as the creators of this malware are concerned, the group of people or the person behind the original version of this malware managed to remain anonymous. As is evident from the description on the “official” Quasar GitHub page, this malware is presented as a legitimate remote administration program, which is clearly misleading. As a result, the little information that we do have does not go beyond the name of the GitHub page author, which states “quasar.”

In fact, Quasar was featured in an attack aimed at the US government early in 2017. Later the same year, another wave of attacks using this malware occurred, targeting the private sector.

The execution process of this malware can be viewed in a video recorded in the ANY.RUN malware hunting service, which allows analysts to observe how the contamination process unfolds.

Figure 1: Displays the lifecycle of Quasar in a visual form, as shown on the graph generated by ANY.RUN.

Figure 2: Shows a customizable text report generated by the ANY.RUN malware hunting service.

Quasar RAT execution process

Based on the analysis, Quasar execution is pretty straightforward but can vary in minor details from sample to sample. The RAT's user-agent strings fake various processes such as a browser running on Windows. In the given example, Quasar was dropped from a Microsoft Office file. Then, the dropped file changed the registry value to run with every operating system start, checked for the external IP, and copied itself to another location. After all these steps, the malware started the main malicious activity - collecting information about the operating system and waiting for commands from the C2 server.

Quasar allows malware users to collect host system data. The Quasar trojan writes itself into scheduled tasks and uses registry keys to achieve persistence, allowing the malware to run every time a machine is started. The persistence method is chosen based on user privileges. If the user has admin rights, the malware uses schtasks to create a scheduled task that launches after a user logs on with the highest run level.
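The two persistence paths described above (an ONLOGON scheduled task with the highest run level when the user is an admin, and an autostart value under the CurrentVersion\Run key otherwise) are easy to hunt for in process-creation and registry telemetry. The following is an added detection example written for this page; it is not code from ANY.RUN or from the Quasar project. The log lines are constructed in a simplified Sysmon-style `Key="Value"` format (Event ID 1 for process creation, Event ID 13 for a registry value set), and the task name, paths and account names are invented placeholders. Because a malware sample that writes the Run value directly through the registry API produces no `reg.exe` command line, the scanner checks the registry-set record as well as the command line.

```python
"""Detection logic for the Quasar persistence methods described in the analysis.

Constructed example (not ANY.RUN's or Quasar's code): scans Sysmon-style records for
  - schtasks /create ... /sc onlogon /rl highest   (admin persistence path)
  - a value written under ...\CurrentVersion\Run   (registry persistence path),
    either via reg.exe (process record) or directly via the API (registry record).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart key (Run and RunOnce) used by the registry-based persistence path.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE
)
# One Key="Value" pair; values in the constructed format never contain quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    technique: str  # label of the persistence method matched
    user: str       # account the activity ran under
    evidence: str   # command line or registry path that triggered the match


def parse_record(line: str) -> dict:
    """Turn one constructed Sysmon-style line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def _arg_after(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a schtasks switch, or None if the switch is absent or last."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def is_onlogon_highest_task(command_line: str) -> bool:
    """True for 'schtasks /create ... /sc onlogon /rl highest'."""
    tokens = command_line.lower().split()
    if not tokens or not tokens[0].strip('"').endswith(("schtasks", "schtasks.exe")):
        return False
    if "/create" not in tokens:
        return False
    return _arg_after(tokens, "/sc") == "onlogon" and _arg_after(tokens, "/rl") == "highest"


def is_run_key_via_reg(command_line: str) -> bool:
    """True for 'reg add <...\\CurrentVersion\\Run> ...' issued through reg.exe."""
    tokens = command_line.lower().split()
    if not tokens or not tokens[0].strip('"').endswith(("reg", "reg.exe")):
        return False
    return "add" in tokens and RUN_KEY_RE.search(command_line) is not None


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per record that matches a persistence pattern."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        user = rec.get("User", "?")
        if rec.get("EventID") == "1":  # process creation: inspect the command line
            cmd = rec.get("CommandLine", "")
            if is_onlogon_highest_task(cmd):
                findings.append(Finding("scheduled_task_onlogon_highest", user, cmd))
            elif is_run_key_via_reg(cmd):
                findings.append(Finding("run_key_reg_add", user, cmd))
        elif rec.get("EventID") == "13":  # registry value set: API write, no command line
            target = rec.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                findings.append(Finding("run_key_value_set", user, target))
    return findings


# Constructed sample telemetry; accounts, task names and paths are placeholders.
SAMPLE_LOG = [
    # admin path: task that fires at every logon with the highest run level
    r'EventID="1" User="LAB\admin" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /tn Updater /tr C:\Users\admin\AppData\Roaming\client.exe /sc onlogon /rl highest /f"',
    # benign task: daily schedule, no elevated run level -> must not match
    r'EventID="1" User="LAB\admin" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily /st 02:00"',
    # non-admin path: autostart value written directly through the registry API
    r'EventID="13" User="LAB\alice" Image="C:\Users\alice\AppData\Roaming\client.exe" TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"',
    # same intent expressed through reg.exe
    r'EventID="1" User="LAB\alice" Image="C:\Windows\System32\reg.exe" CommandLine="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\client.exe"',
    # unrelated process -> must not match
    r'EventID="1" User="LAB\alice" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.technique:32} {f.user:12} {f.evidence}")
```

Run stand-alone, the script reports three findings from the sample: the ONLOGON task for the admin account, the Run value set through the API, and the `reg add` for the non-admin account; the daily backup task and the unrelated process are not reported. On real telemetry, the same two checks map directly onto Sysmon Event ID 1 and Event ID 13 records.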