QuasarRAT [1] [2] [3] [4] [5] [6] [7], also known as CinaRAT or Yggdrasil [2] [3] [6], is an open-source remote administration tool (RAT) that poses a significant threat in the cybersecurity landscape. This article explores the capabilities and techniques used by QuasarRAT to infiltrate compromised Windows hosts.

Description

QuasarRAT utilizes DLL side-loading, a sophisticated technique [4] [5] [6], to stealthily extract data from compromised Windows hosts [1]. By leveraging trusted Microsoft files like "ctfmon.exe" and "calc.exe," the attackers execute malicious activities while hiding within legitimate system or software processes. This technique allows QuasarRAT to evade detection and infiltrate the system. The payload further complicates detection by using process hollowing to embed itself into a legitimate system process [4].

Researchers Tejaswini Sandapolla and Karthickkumar Kathiresan have published a report on QuasarRAT's use of DLL side-loading to evade detection and steal data from compromised Windows hosts [1] [2] [3] [4] [5] [6] [7]. QuasarRAT, a C#-based remote administration tool [2], is capable of gathering system information [2], running applications [2], files [1] [2] [3] [4] [5] [6] [7], keystrokes [2] [3] and screenshots [2] [3], and of executing shell commands [2] [3].

The attack begins with an ISO image file containing three files [2] [3], including a legitimate binary named ctfmon.exe [2] [3], which is renamed as eBill-997358806.exe [2]. When this binary is executed [2] [3], it loads a file titled MsCtfMonitor.dll via DLL side-loading [2], which conceals malicious code [2] [3]. The hidden code is another executable called FileDownloader.exe [2], which is injected into Regasm.exe to launch the next stage [2]. An authentic calc.exe file is then loaded, which in turn loads the rogue Secure32.dll through DLL side-loading [2], ultimately launching the final QuasarRAT payload [2] [3].
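A defender can turn the chain above into a detection rule: a legitimate Microsoft binary (identified by its PE OriginalFileName, so renaming it to eBill-997358806.exe does not help the attacker) that loads its expected DLL from outside the Windows system directories. The script below is an added example, not code from the article or from any of the cited reports; the field names follow Sysmon Event ID 7 (Image loaded), and the sample events, the user name and the Temp directory path are constructed.

```python
import ntpath

# Legitimate Microsoft binaries from the reported chain and the DLL each one
# loads by name, which is what makes them side-loadable.
SIDELOAD_PAIRS = {"ctfmon.exe": {"msctfmonitor.dll"}, "calc.exe": {"secure32.dll"}}
# Directories from which these binaries normally resolve their DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(event):
    """Return a reason string when an image-load event fits the pattern, else None.

    event: dict with Image (process path), OriginalFileName (from the PE version
    info) and ImageLoaded (DLL path), named after Sysmon Event ID 7 fields.
    """
    original = event.get("OriginalFileName", "").lower()
    expected_dlls = SIDELOAD_PAIRS.get(original)
    if not expected_dlls:
        return None
    image, loaded = event["Image"].lower(), event["ImageLoaded"].lower()
    dll = ntpath.basename(loaded)
    if dll not in expected_dlls or loaded.startswith(SYSTEM_DIRS):
        return None  # not a watched DLL, or resolved from its normal location
    reasons = [f"{original} loaded {dll} from {ntpath.dirname(loaded)}"]
    if ntpath.basename(image) != original:
        reasons.append(f"binary renamed to {ntpath.basename(image)}")
    if ntpath.dirname(image) == ntpath.dirname(loaded):
        reasons.append("DLL sits beside the executable")
    return "; ".join(reasons)


def scan(events):
    """Return (index, reason) pairs for every event the rule flags."""
    flagged = ((i, is_sideload_candidate(e)) for i, e in enumerate(events))
    return [(i, r) for i, r in flagged if r]


# Constructed sample events (not real telemetry) mirroring the described chain.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ctfmon.exe", "OriginalFileName": "ctfmon.exe",
     "ImageLoaded": r"C:\Windows\System32\MsCtfMonitor.dll"},  # benign
    {"Image": TMP + r"\eBill-997358806.exe", "OriginalFileName": "ctfmon.exe",
     "ImageLoaded": TMP + r"\MsCtfMonitor.dll"},  # stage 1 side-load
    {"Image": TMP + r"\calc.exe", "OriginalFileName": "calc.exe",
     "ImageLoaded": TMP + r"\Secure32.dll"},  # stage 2 side-load
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},  # unrelated
]
```

Running `scan(SAMPLE_EVENTS)` flags only the two Temp-directory loads; the benign ctfmon.exe load from System32 and the notepad.exe event are ignored.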

Once running, the trojan connects to a remote server to send system information and sets up a reverse proxy for remote access to the compromised endpoint [2] [3]. The exact identity of the threat actor and the initial access method remain unknown [2] [3], but phishing emails are suspected to be involved in the distribution of this malware [3].

Conclusion

To protect against QuasarRAT and its new capabilities [6], it is crucial to keep software up to date [5] [6], exercise caution with email [5] [6], and implement advanced security solutions [4] [5] [6]. Collaboration with cybersecurity experts and information sharing within the industry can also help organizations stay informed about evolving threats [5]. By taking these precautions, users can mitigate the risks posed by QuasarRAT and similar threats in the future.

References

[1] https://www.cyberevive.com/2023/10/23/quasar-rat-leverages-dll-side-loading-to-fly-under-the-radar/
[2] https://cybersocialhub.com/csh/quasar-rat-leverages-dll-side-loading-to-fly-under-the-radar/
[3] https://cybermaterial.com/quasar-rat-exploits-dll-side-loading/
[4] https://cybersecurity-see.com/quasarrat-utilizes-advanced-dll-side-loading-technique/
[5] https://www.infosecurity-magazine.com/news/quasarrat-deploys-dll-side-loading/
[6] https://osintcorp.net/quasarrat-deploys-advanced-dll-side-loading-technique/
[7] https://www.guardianmssp.com/2023/10/23/quasar-rat-leverages-dll-side-loading-to-fly-under-the-radar/