- A new phishing campaign has been discovered that uses password-protected fake resumes to distribute Quasar RAT.
- The campaign mainly targets Windows-based systems, so Windows users should stay alert.
- Quasar RAT (Remote Access Trojan) allows remote desktop connections. Because of its various capabilities, it is widely used by cyber-attackers to steal login information, install keyloggers, download and install malicious programs, capture screenshots and so on.
New Phishing Campaign Distributes Quasar RAT Via Fake Resumes
A new phishing campaign detected by researchers at Cofense uses password-protected fake resume documents carrying Quasar RAT payloads.
Malspam is a common trick used by cyber-crooks to distribute the payloads of severely harmful threats in the form of infected documents. The threat actors use clever social engineering methods to target potential victims, or sometimes send out malicious emails in bulk. The emails may appear legitimate and contain some important document in the form of an attachment.
The Fake Resume campaign
According to the Cofense researchers, when they spotted the fake emails spreading the payloads of the Quasar remote administrative tool, they undertook multiple anti-analysis methods to uncover the vectors of the phishing campaign.
- The phishing emails distributed by the attackers use an MS Word document that appears to be a “password-protected resume”.
- When the recipient opens the attachment, they are prompted to enter ‘123’ as the password.
- After the user does so, the fake resume document asks the user to enable macros, which starts executing the malicious code hidden within the document.
- The macros come in the form of “base64 encoded garbage code” that is designed to crash analysis tools.
- The fake document conceals its malicious payloads within compromised URLs, and other information used to download the RAT is embedded as metadata in the form of images and objects.
- Once the user runs the macros, the document displays a series of images that claim to be loading the contents.
- While the Quasar RAT is downloaded and executed, a garbage string is repeatedly added to the document and an error message is shown.
“If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents,” the Cofense researchers found.
“It will then show an error message while downloading and running a malicious executable in the background.”
“The last significant step the threat actors take to avoid discovery is to download a Microsoft Self Extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB,” the researchers said.
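The lure described above, a password-protected Word attachment whose password is handed to the recipient, can be flagged at the mail gateway before the document is ever opened. The following Python is an added example, not code from Cofense or from the original article. It assumes the attachment is an OOXML document encrypted by Office (stored as an OLE container holding an EncryptedPackage stream) and that the password is stated in the message body; the function names, sender, subject and sample bytes are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Stream name Office uses for an encrypted OOXML package, stored as UTF-16LE.
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")
OFFICE_EXT = (".doc", ".docx", ".docm")
# Body text that hands the reader a password, e.g. "password is 123".
PASSWORD_HINT = re.compile(r"pass(?:word|code)\s*(?:is|:)\s*\S+", re.I)

def is_encrypted_office(data: bytes) -> bool:
    """Heuristic: OLE container that holds an EncryptedPackage stream."""
    return data.startswith(OLE_MAGIC) and ENC_STREAM in data

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches the lure pattern (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT) and is_encrypted_office(data):
            reasons.append(f"encrypted Office attachment: {name}")
            if PASSWORD_HINT.search(text):
                reasons.append("password for the attachment is given in the body")
    return reasons

def build_sample(attachment: bytes, body: str) -> bytes:
    """Constructed test message; sender, subject and file name are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "applicant@example.com", "hr@example.com", "Resume"
    m.set_content(body)
    m.add_attachment(attachment, maintype="application", subtype="msword",
                     filename="resume.doc")
    return m.as_bytes()

# Constructed bytes, not a real document: OLE magic, padding, then the stream name.
FAKE_ENCRYPTED = OLE_MAGIC + b"\x00" * 504 + ENC_STREAM

if __name__ == "__main__":
    print(triage(build_sample(FAKE_ENCRYPTED, "Resume attached. The password is 123.")))
```

A message that matches both conditions is a candidate for quarantine or detonation in a sandbox that can supply the password from the body.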
The Quasar RAT
Quasar RAT is an open-source project written in the C# programming language. The program was designed by a GitHub user for legitimate use, but due to its capabilities it is widely used by hacking groups and attackers to launch various severe attack campaigns.