QuasarRAT
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism:Bypass User Account Control | QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.[5] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | If theQuasarRAT client process does not have administrator privileges it will add a registry key to |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[1][5] |
| Enterprise | T1555 | Credentials from Password Stores | QuasarRAT can obtain passwords from common FTP clients.[1][2] | |
| .003 | Credentials from Web Browsers | QuasarRAT can obtain passwords from common web browsers.[1][2] | ||
| Enterprise | T1005 | Data from Local System | QuasarRAT can retrieve files from compromised client machines.[5] | |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.[1][2][5] |
| Enterprise | T1564 | .001 | Hide Artifacts:Hidden Files and Directories | QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.[5] |
| .003 | Hide Artifacts:Hidden Window | QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string | ||
| Enterprise | T1105 | Ingress Tool Transfer | QuasarRAT can download files to the victim’s machine and execute them.[1][2] | |
| Enterprise | T1056 | .001 | Input Capture:Keylogging | |
| Enterprise | T1112 | Modify Registry | QuasarRAT has a command to edit the Registry on the victim’s machine.[1][5] | |
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1571 | Non-Standard Port | QuasarRAT can use port 4782 on the compromised host for TCP callbacks.[5] | |
| Enterprise | T1090 | Proxy | QuasarRAT can communicate over a reverse proxy using SOCKS5.[1][2] | |
| Enterprise | T1021 | .001 | Remote Services:Remote Desktop Protocol | QuasarRAT has a module for performing remote desktop access.[1][2] |
| Enterprise | T1053 | .005 | Scheduled Task/Job:Scheduled Task | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[2][5] |
| Enterprise | T1553 | .002 | Subvert Trust Controls:Code Signing | AQuasarRAT .dll file is digitally signed by a certificate from AirVPN.[2] |
| Enterprise | T1082 | System Information Discovery | QuasarRAT can gather system information from the victim’s machine including the OS type.[1] | |
| Enterprise | T1614 | System Location Discovery | QuasarRAT can determine the country a victim host is located in.[5] | |
| Enterprise | T1016 | System Network Configuration Discovery | QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string | |
| Enterprise | T1033 | System Owner/User Discovery | ||
| Enterprise | T1552 | .001 | Unsecured Credentials:Credentials In Files | |
| Enterprise | T1125 | Video Capture | ||
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0040 | Patchwork | |
| G0140 | LazyScripter | |
| G0078 | Gorgon Group | |
| G0094 | Kimsuky | |
| G0045 | menuPass | |
| G0135 | BackdoorDiplomacy |
References
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
- Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024.
- United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021