Quasar: A Remote Access Trojan
- Quasar RAT is an open-source Remote Access Trojan with a wide range of capabilities that can be abused for malicious purposes;
- It was designed by a GitHub user for legitimate purposes, but because of those capabilities it is being exploited by attackers to carry out malicious tasks.
- Attack campaigns using it can spy on the user’s activities, download and upload files, record keystrokes, webcam and microphone, and steal sensitive data.
Quasar is detected as a “Remote Access Trojan” that can be used to carry out various attack campaigns. The Trojan is designed to target Windows-based operating systems and is an open-source project that is publicly available.
The Quasar RAT was developed by MaxXor, a GitHub user, and is written in the C# programming language. It was first released in July 2014 as “xRAT 2.0” and was later renamed “Quasar.” The program was designed for legitimate purposes, but because of its capabilities threat actors are now exploiting it to carry out various severe attack campaigns.
Distribution campaigns of Quasar
The RAT is widely distributed through a variety of methods and has been used in many attacks. Some of the attack campaigns carried out with Quasar are:
The Gaza Group Targets Government Institutions:
In January 2017, “Palo Alto Networks” discovered a cyber-threat group named Gaza that started the DustSky campaign. The attack campaign targeted government institutions within the Middle East. The Quasar RAT payloads were dropped by the “Downeks downloader”, which finally installs the RAT on the targeted systems.
Ukrainian Ministry of Defense Attack:
The Quasar RAT came to light again in January 2018, for all the wrong reasons. This time the target was the Ukrainian Ministry of Defense, and the aim was to steal sensitive information such as usernames, logins, system-related information, clipboard data and keystrokes. The attack was carried out using the Quasar RAT and VERMIN, a custom malware dubbed by the researchers. The malicious payloads were distributed via decoy documents.
Apart from the above, Quasar RAT was used in multiple further attacks in 2018.
A malware campaign distributed via RTF documents:
In February 2018, researchers found a malware campaign that uses malicious RTF documents to drop the payloads of the Quasar RAT and the NetWiredRC RAT. The malicious RTF documents were embedded within a macro-enabled Microsoft Excel sheet. The malicious document runs the macros, which execute a PowerShell command to download a VBS file. The malicious VBS file terminates all running instances of Microsoft Word and Excel, and the final malware payload is then downloaded and installed.
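The infection chain described above (an Excel macro spawns PowerShell, which fetches and runs a VBS file that then kills Word and Excel) leaves a distinctive parent-child process trail in endpoint telemetry. The following added example, which is not from the original article, scans constructed process-creation events for that chain; the event field names (pid, ppid, image, cmdline) are assumed and modelled loosely on Sysmon process-creation logs.

```python
# Added example: detect the Excel -> PowerShell -> script host chain and the
# script-host-driven termination of Office apps described above. Field names
# are assumed; the events below are constructed sample data, not real telemetry.
OFFICE = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events: (pid, parent pid, image name, command line)
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <download VBS>"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\Public\\a.vbs"},
    {"pid": 500, "ppid": 400, "image": "taskkill.exe", "cmdline": "taskkill /F /IM WINWORD.EXE"},
    {"pid": 600, "ppid": 400, "image": "taskkill.exe", "cmdline": "taskkill /F /IM EXCEL.EXE"},
    # Benign: an administrator opening PowerShell from the desktop shell
    {"pid": 700, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe"},
]

def ancestry(events, pid):
    """Return lowercase image names from pid upward to the root process."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def detect_office_script_chain(events):
    """Flag (rule, pid) for script hosts whose parent is PowerShell spawned by an
    Office app, and for taskkill of Office apps launched from such a script host."""
    findings = []
    for e in events:
        img = e["image"].lower()
        chain = ancestry(events, e["pid"])          # chain[0] is the process itself
        if img in SCRIPT_HOSTS and len(chain) >= 3 \
                and chain[1] == "powershell.exe" and chain[2] in OFFICE:
            findings.append(("office_powershell_script", e["pid"]))
        if img == "taskkill.exe" and len(chain) >= 2 and chain[1] in SCRIPT_HOSTS \
                and any(o in e["cmdline"].lower() for o in OFFICE):
            findings.append(("script_kills_office", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect_office_script_chain(EVENTS):
        print(f"{rule}: pid {pid}")
```

Both rules key on process lineage rather than file names, so they still fire when the dropped script or the downloaded payload is renamed.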
APT10 Group Runs Attack Campaigns Using PlugX and Quasar RAT:
The most recent Quasar RAT attacks were observed in May 2019, when APT10, a China-based cyber-espionage group, launched attack campaigns against government and private organizations, mainly in Southeast Asia. The group allegedly uses various distribution methods to launch its attacks. Two loaders in particular, PlugX and Quasar RAT, were used in the attack campaign.
Capabilities of Quasar RAT
Because of its extensive capabilities, the Quasar RAT has attracted various threat actors who use it to launch attack campaigns against governments and large organizations. Its capabilities include:
- Manage tasks and files;
- Download, upload, and retrieve files;
- Terminate connections and kill processes;
- Configure and build client executable;
- Compress and encrypt communication;
- Execute computer commands;
- Open a remote desktop connection;
- Capture screenshots and record webcam;
- Reverse proxy and edit registry;
- Spy on the user’s actions;
- Keylogging and password stealing.
Remote Access Trojans can be very destructive. They not only target governments and organizations; targeted individuals can be affected as well. Given the capabilities of Quasar RAT listed above, users must be careful when downloading any email attachment from an unknown sender, and should keep their software and applications updated with the latest patches. If your computer is infected by a Remote Access Trojan, use a reputable anti-malware product to scan for and remove the Trojan; here is a Trojan removal guide to assist you.