27 August 2019

Cybercriminals deliver Quasar RAT via advanced phishing campaign

Cybersecurity researchers at Cofense uncovered an advanced campaign spreading the Quasar Remote Access Tool (RAT) that uses multiple anti-analysis methods to camouflage the infection vector. The Quasar RAT is being delivered through phishing messages with a fake resume attached. Quasar RAT is freely available as an open-source tool on public repositories and has a number of capabilities, including the ability to open remote desktop connections, log the victims' keystrokes and steal their passwords, capture screenshots and record webcams, download and exfiltrate files, and manage processes on infected computers.

The Quasar RAT has been previously seen in multiple campaigns conducted by a wide range of hacking groups, including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

In the observed campaign the attackers use several tricks to avoid detection, leveraging methods such as password protection and encoded macros. The initial email used to deliver the malware uses a relatively common “resume” theme with an attached document. The fake resumes distributed in this phishing campaign are password-protected Microsoft Word documents. The samples analyzed by the team used ‘123’ as the password, which was included in the phishing message. Once the document is opened, it asks for macros to be enabled to start the infection process. The macros also include base64-encoded garbage code designed to crash analysis tools.

“If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro. This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required,” said the researchers.
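As an added illustration (not code from Cofense's report or from the olevba tool) of how a macro triage step can avoid the memory-exhaustion effect described in the quote: count every base64-looking string, but decode only within a fixed output budget, so a macro stuffed with filler is reported as an indicator instead of crashing the analyzer. The sample macro text, the URL inside it and the thresholds are constructed for this example.

```python
import base64
import binascii
import random
import re

# Unbroken runs of the base64 alphabet (40+ chars) with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def triage_macro_base64(vba_text, max_decode_bytes=16 * 1024, bulk_threshold=200):
    """Bounded base64 triage of extracted macro source text: every candidate
    string is counted, but decoding stops once the output budget is spent, so
    filler becomes a report flag instead of exhausting the analyst's memory."""
    candidates = B64_TOKEN.findall(vba_text)
    # 4 base64 chars decode to 3 bytes: a size estimate that needs no decoding.
    estimated = sum(len(c) * 3 // 4 for c in candidates)
    budget, decoded, over_budget, invalid = max_decode_bytes, [], 0, 0
    for cand in candidates:
        need = len(cand) * 3 // 4
        if need > budget:
            over_budget += 1  # recorded, never decoded
            continue
        try:
            decoded.append(base64.b64decode(cand, validate=True))
            budget -= need
        except binascii.Error:
            invalid += 1  # looks like base64 but is not decodable
    flags = []
    if len(candidates) >= bulk_threshold:
        flags.append("bulk_base64")  # filler of the kind described above
    if over_budget:
        flags.append("decode_budget_exceeded")
    return {"candidates": len(candidates), "estimated_decoded_bytes": estimated,
            "decoded": decoded, "over_budget": over_budget,
            "invalid": invalid, "flags": flags}

def build_sample_macro(junk_lines=1200, seed=1):
    """Constructed VBA-like text: one real string followed by base64 filler
    (the URL is a placeholder, not an indicator from the campaign)."""
    rng = random.Random(seed)
    real = base64.b64encode(b"http://payload.example.invalid/stage2.exe").decode()
    lines = ["Sub AutoOpen()", f'    s = "{real}"']
    for _ in range(junk_lines):
        junk = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(45)))
        lines.append(f'    x = x & "{junk.decode()}"')
    lines.append("End Sub")
    return "\n".join(lines)
```

The `over_budget` count tells the analyst how much was deliberately left undecoded, so a second bounded pass can be scheduled in a sandbox rather than on the triage host.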

The experts also found that parts of the payload URL, along with additional information, are hidden as meta-data for embedded images and objects. If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents. It will then show an error message while downloading and running a malicious executable in the background.

The last measure that the operators of this campaign use to avoid detection involves downloading a Microsoft self-extracting executable, which then drops the Quasar RAT on the now-compromised system.

“This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB. By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content,” reads the report.

Indicators of compromise (IoCs), as well as MD5 hashes of malware artifacts, are included in the last part of Cofense's blog post.
