Cybersecurity researchers at Cofense uncovered an advanced campaign spreading the Quasar Remote Access Tool (RAT) that uses multiple anti-analysis methods to camouflage the infection vectors. The Quasar RAT is being delivered through phishing messages with a fake resume attached. The Quasar RAT is freely available as an open-source tool on public repositories and has a number of capabilities, including the ability to open remote desktop connections, log the victims' keystrokes and steal their passwords, capture screen snapshots and record webcams, download and exfiltrate files, and manage processes on infected computers.
The Quasar RAT has been previously seen in multiple campaigns conducted by a wide range of hacking groups, including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.
In the observed campaign the attackers use several tricks to avoid detection, leveraging methods such as password protection and encoded macros. The initial email used to deliver the malware uses a relatively common “resume” theme with an attached document. The fake resumes distributed in this phishing campaign are password-protected Microsoft Word documents. The samples analyzed by the team used ‘123’ as the password, which was included in the phishing message. Once the document is opened, it asks for macros to be enabled to start the infection process. The macros also include base64-encoded garbage code designed to crash analysis tools.
“If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro. This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required” said the researchers.
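The failure mode described above is an analysis tool that eagerly decodes every base64-looking literal it finds. As an added example (not Cofense's code or olevba's), the following Python triage routine bounds both the number of literals decoded and the size of each, and treats a flood of encoded literals as a signal in its own right. The regex, the thresholds and the sample macro are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Dict, List

# Heuristic for base64-looking VBA string literals (constructed for this example).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def triage_macro(vba_source: str, max_decode_chars: int = 8192,
                 max_candidates: int = 200, flood_threshold: int = 500) -> Dict[str, object]:
    """Bounded base64 triage of macro text.

    Unlike an unbounded decode of every literal (the behaviour the filler
    targets), this caps both how many literals are decoded and how large each
    may be, so a flood of encoded garbage costs bounded time and memory.
    """
    candidates: List[str] = B64_LITERAL.findall(vba_source)
    decoded: List[bytes] = []
    skipped_oversize = 0
    for literal in candidates[:max_candidates]:
        if len(literal) > max_decode_chars:
            skipped_oversize += 1          # refuse huge blobs instead of decoding them
            continue
        try:
            decoded.append(base64.b64decode(literal, validate=True))
        except (binascii.Error, ValueError):
            continue                       # not real base64; ignore it
    printable = [b for b in decoded if all(32 <= c < 127 or c in (9, 10, 13) for c in b)]
    return {
        "candidates": len(candidates),
        "decoded": len(decoded),
        "printable": len(printable),
        "skipped_oversize": skipped_oversize,
        "truncated": len(candidates) > max_candidates,
        # Hundreds of encoded literals in one macro is itself worth alerting on.
        "base64_flood": len(candidates) >= flood_threshold,
    }

# Constructed sample: one benign encoded string, one oversized blob, 1300 lines of filler.
SAMPLE_MACRO = "\n".join(
    ['Sub AutoOpen()',
     '    msg = "SGVsbG8sIHdvcmxk"',                 # decodes to "Hello, world"
     '    big = "' + "A" * 100000 + '"']             # oversized blob, never decoded
    + ['    junk%d = "%s"' % (i, "QUJD" * 40) for i in range(1300)]
    + ['End Sub'])

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO))
```

On the sample, only the first 200 candidates are examined, the 100,000-character blob is skipped without decoding, and the 1302 encoded literals trip the flood flag.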
The experts also found that parts of the payload URL, along with additional information, are hidden as metadata of embedded images and objects. If the macro runs successfully, it displays a series of images claiming to be loading content while repeatedly appending a garbage string to the document contents. It then shows an error message while downloading and running a malicious executable in the background.
The last measure the operators of this campaign use to avoid detection is downloading a Microsoft self-extracting executable, which then drops the Quasar RAT on the now compromised system.
“This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB. By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content” reads the report.
Indicators of compromise (IoCs), as well as MD5 hashes of the malware artifacts, are included in the last part of Cofense's blog post.