What do we know about Quasar RAT? A review.

This blog post was authored by Veronica Valeros (@verovaleros), on 2019-02-17

This blog post aims to give an overview of what we know so far about Quasar RAT, and to provide an exhaustive list of references associated with this piece of software.

Quasar RAT UI showing a list of infected victims, and some of the capabilities of the RAT. Credits: https://n0where.net/free-open-source-remote-administration-tool-for-windows-quasarrat


Quasar is a Remote Access Tool/Trojan whose development started in July 2014, according to the GitHub repository of the user MaxXor [1]. Originally the RAT was known as xRAT. With the release of version 1.0.0.0 in August 2015, the author dropped the name xRAT and adopted the new name, Quasar RAT [3][4][16].

Quasar is a RAT written in C#, and supports a wide variety of Windows OS versions including Windows XP SP3, Windows Server 2003/2008/2012, Windows 7, 8/8.1, and 10 [1]. The code is licensed under the MIT License [2], which permits free distribution, modification, private use, and commercial use. Since its origin, the project has been forked more than 900 times and has undergone heavy development.

Code Frequency Quasar RAT since its origin in 2014. Source: https://github.com/quasar/QuasarRAT/


CORE FUNCTIONALITY

The author advertises the tool as useful for a variety of purposes, “from user support through day-to-day administrative work to employee monitoring”, thanks to its “high stability and easy-to-use interface” [1]. Quasar has a substantial list of features, and that list keeps growing. The project roadmap includes features intended to make the tool more secure and easier to use.

Quasar has the typical features of remote access tools/trojans, listed below. One of its more important properties, however, is that it works on Windows 10, which makes it a preferred choice for administrators, and for attackers, who are abandoning older RATs and replacing them with Quasar.

  • Task Manager

  • File Manager

  • Startup Manager

  • Remote Desktop

  • Remote Shell

  • Download & Execute

  • Upload & Execute

  • System Information

  • Computer Commands (Restart, Shutdown, Standby)

  • Keylogger (Unicode Support)

  • Password Recovery/Stealing (Common Browsers and FTP Clients)

  • Registry Editor

REMOTE ACCESS TOOL, TROJAN, OR BOTH

Quasar has become a useful tool for legitimate day-to-day administrative work. However, an open-source tool like this could hardly go unnoticed by attackers.

In January 2017, Palo Alto Networks published a report [5] stating that Quasar RAT had been delivered by the Downeks downloader in a targeted attack in September 2016, linked to the DustySky campaign of the Gaza Cybergang group. TripWire wrote more on Downeks and Quasar in February 2017 [6].

In April 2017, PwC published a report [19] detailing recent activity by the China-based threat actor APT10. The researchers note that, starting in 2016, the actor renewed its toolset by incorporating and modifying open-source tools, Quasar RAT among them. The report states that Quasar RAT has been seen in use by APT10 since early 2017.

In December 2017, TrendMicro wrote [20] about the activities of an espionage group known as Patchwork or Dropping Elephant. The group, which targets government and diplomatic agencies, used Quasar RAT as the payload in some of its targeted attacks during 2017. The RAT was delivered via drive-by download attacks.

In January 2018, Unit 42 from Palo Alto Networks reported [10] that Quasar RAT, along with a new RAT dubbed VERMIN, had been observed in targeted attacks against Ukraine since late 2015. In July of the same year, ESET reported in more detail [13] on the ongoing targeted attacks against Ukrainian government institutions, whose purpose is spying and stealing information. In this report, ESET found Quasar RAT being used alongside two other RATs, Vermin and Sobaken [13].

Quasar is neither the first nor the last open-source remote access tool or trojan. Dozens of RATs are under development and free to download, including AsyncRAT, Powershell-RAT, Lime-Controller, microRAT, and pupy RAT.

INTERESTING VARIANTS

Some forks of Quasar RAT are quite interesting. One of them [23] accepts donations in BTC to the wallet 17eAafhEYnxmnj2nQ92tDFdDzATL27gcj. Even though the fork does not seem very active, it has received some donations, as the image below shows.

A fork [23] from Quasar RAT is accepting donations to help the project move forward. Source: https://www.blockchain.com/btc/address/17eAafhEYnxmnj2nQ92tDFdDzATL27gcj


CONCLUSION

Several reports, including one from US-CERT [16], describe Quasar as a legitimate tool misused by attackers for “cyber-crime and cyber-espionage”. Is it a remote administration tool, or is it a remote access trojan? The line is hard to draw. Malicious actors clearly favour the tool, so we can expect to keep seeing Quasar used in malicious campaigns.

Network traffic excerpt from the US-CERT report [16]: “Quasar uses the first 4 bytes of the TCP payload to track the payload’s total size in little-endian format.” This framing can be used to identify Quasar on the network. Source: https://www.us-cert.gov/ncas/analysis-reports/AR18-352A

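As an added example (not code from the original post, nor from the Quasar project), the following Python sketch shows how the framing described in the US-CERT excerpt can be checked on a reassembled TCP stream: every message is expected to begin with a 4-byte little-endian length, so a stream that splits cleanly into such frames is a candidate for Quasar traffic. The sample streams are constructed for this example; the 16 MiB plausibility ceiling and the minimum of two frames are assumptions of the example, not values taken from the report.

```python
import struct

HEADER_LEN = 4                            # 4-byte little-endian length prefix
MAX_PLAUSIBLE_FRAME = 16 * 1024 * 1024    # assumption: larger claimed sizes are treated as noise


def frame(payload: bytes) -> bytes:
    """Build one Quasar-style frame: little-endian length followed by the payload."""
    return struct.pack("<I", len(payload)) + payload


def split_frames(stream: bytes):
    """Split a reassembled TCP payload stream into length-prefixed messages.

    Each message is expected to start with a 4-byte little-endian unsigned
    integer holding the size of the payload that follows, as the US-CERT
    report describes. Parsing stops at the first prefix that is zero,
    implausibly large, or that points past the end of the captured stream.
    Returns (frames, leftover): leftover is whatever could not be framed.
    """
    frames = []
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        (claimed,) = struct.unpack_from("<I", stream, offset)
        start = offset + HEADER_LEN
        end = start + claimed
        if claimed == 0 or claimed > MAX_PLAUSIBLE_FRAME or end > len(stream):
            break
        frames.append(stream[start:end])
        offset = end
    return frames, stream[offset:]


def looks_like_quasar_framing(stream: bytes, min_frames: int = 2) -> bool:
    """Heuristic: the whole stream decomposes into at least min_frames consistent frames.

    min_frames is an assumption of this example; a single frame is too easy
    to match by accident, so one match alone is not reported.
    """
    frames, leftover = split_frames(stream)
    return len(frames) >= min_frames and not leftover


# Constructed sample streams (not real captures): an opaque two-frame
# Quasar-like session, and a plain HTTP request for comparison.
SAMPLE_QUASAR_LIKE = frame(bytes(range(16))) + frame(b"\xaa" * 300)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, stream in [("quasar-like", SAMPLE_QUASAR_LIKE), ("http", SAMPLE_HTTP)]:
        frames, leftover = split_frames(stream)
        print(f"{name}: {len(frames)} frame(s), {len(leftover)} leftover byte(s), "
              f"quasar framing: {looks_like_quasar_framing(stream)}")
```

A 4-byte little-endian length prefix is a common framing choice, so a clean split is only a weak indicator on its own; in practice it would be combined with the other indicators the report provides and tested against benign traffic before it is allowed to raise an alert. A truncated capture also fails the check, since the last prefix then points past the end of the stream.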

REFERENCES

  1. Quasar RAT. GitHub Repository. (2014, Jul 8). Retrieved from: https://github.com/quasar/QuasarRAT/. Accessed on 2019-02-17.

  2. MIT License. Wikipedia. Retrieved from: https://en.wikipedia.org/wiki/MIT_License. Accessed on 2019-02-17.

  3. Quasar Release v1.0.0.0. GitHub Repository. (2015, Aug 22). Retrieved from: https://github.com/quasar/QuasarRAT/releases/tag/v1.0.0.0. Accessed on 2019-02-17.

  4. Quasar RAT. (2016, Sep 26). Retrieved from: https://rat-db.blogspot.com/2016/09/quasar-rat.html. Accessed on 2019-02-17.

  5. Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments. Sapir, M., Bar, T., Rimer, N., Malivanchuk, T., Samuel, Y., Conant, S. Unit 42, Palo Alto Networks. (2017, Jan 30). Retrieved from: https://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/. Accessed on 2019-02-17.

  6. Gaza Cybergang Group Targeting ME Governments with Downeks, Quasar RAT. Bisson, D. TripWire. (2017, Feb 2). Retrieved from: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/gaza-cybergang-group-targeting-governments-downeks-quasar-rat/. Accessed on 2019-02-17.

  7. Free Open Source Remote Administration Tool for Windows: Quasar RAT. CyberPunk. (2017, Nov 14). Retrieved from: https://n0where.net/free-open-source-remote-administration-tool-for-windows-quasarrat. Accessed on 2019-02-17.

  8. Anon Hacks, another distributor of malware packed with CyberSeal on Youtube. (2017, Jul 12). Retrieved from: https://krabsonsecurity.com/2017/07/12/anon-hacks-another-distributor-of-cyberseal-on-the-youtube-exploit-kit/. Accessed on 2019-02-17.

  9. Chinese APT10 Intrusion Activities Target Worldwide Government, Cloud-Computing MSPs and Customer Networks. RedSkyAlliance (2017). Retrieved from: https://redskyalliance.org/finished-analysis/chinese-apt10-intrusion-activities-target-worldwide-government-cl?context=tag-quasar+rat. Accessed on 2019-02-17.

  10. VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Unit 42, Palo Alto Networks. (2018, Jan 29). Retrieved from: https://unit42.paloaltonetworks.com/unit42-vermin-quasar-rat-custom-malware-used-ukraine/. Accessed on 2019-02-17.

  11. Quasar RAT. New Jersey Cybersecurity & Communications Integration Cell. (2018, Jan 31). Retrieved from: https://www.cyber.nj.gov/threat-profiles/trojan-variants/quasar-rat. Accessed on 2019-02-17.

  12. Malicious RTF document leading to NetwiredRC and Quasar RAT. Yadav, A., Kumar, A., Singh, N. ZScaler. (2018, Feb 20). Retrieved from: https://www.zscaler.com/blogs/research/malicious-rtf-document-leading-netwiredrc-and-quasar-rat. Accessed on 2019-02-17.

  13. Quasar, Sobaken and VERMIN: A deeper look into an ongoing espionage campaign. Osis, K. ESET. (2018, Jul 16). Retrieved from: https://www.welivesecurity.com/wp-content/uploads/2018/07/ESET_Quasar_Sobaken_Vermin.pdf. Accessed on 2019-02-17.

  14. Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT. Segura, J. MalwareBytes Lab. (2018, Sep 26). Retrieved from: https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/. Accessed on 2019-02-17.

  15. Catch Painful TTPs for Adversaries. Takeuchi, H., Yanagishita, H. HitCon Conference. (2018, Dec 14). Retrieved from: https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf. Accessed on 2019-02-17.

  16. Quasar Open-Source Remote Administration Tool. US-CERT. (2018, Dec 18). Retrieved from: https://www.us-cert.gov/ncas/analysis-reports/AR18-352A. Accessed on 2019-02-17.

  17. Quasar RAT. Malpedia. (N/A). Retrieved from: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat. Accessed on 2019-02-17.

  18. Exterminating a RAT. FireEye. (N/A). Retrieved from: https://www.fireeye.com/content/dam/fireeye-www/products/pdfs/pf/faas/cs-quasarrat.pdf. Accessed on 2019-02-17.

  19. Operation Cloud Hopper: Technical Annex. PwC. (2017, April). Retrieved from: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf. Accessed on 2019-02-17.

  20. Untangling the Patchwork Cyberespionage Group: technical brief. Lunghi, D., Horejsi, J., Pernet, C. TrendMicro. (2017, Dec). Retrieved from: https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf. Accessed on 2019-02-17.

  21. Patchwork APT Group Targets US Think Tanks. Meltzer, M., Koessel, S., Adair, S. Volexity. (2018, Jun 7). Retrieved from: https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/. Accessed on 2019-02-17.

  22. The Gorgon Group: Slithering Between Nation State and Cybercrime. Falcone, R., Fuertes, D., Grunzweig, J., Wilhoit, K. Unit 42, Palo Alto Networks. (2018, Aug 2). Retrieved from: https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/. Accessed on 2019-02-17.

  23. Quasar RAT fork. GitHub Repository. Retrieved from: https://github.com/mirkoBastianini/Quasar-RAT. Accessed on 2019-02-17.