Quasar rat code#
This technique is based on code snippets from Microsoft DevCentre examples.
NET assembly in-memory using the CppHostCLR technique. Its primary purpose is to decrypt, load and invoke an embedded. The QuasarRAT loader typically arrives as a 64-bit service DLL. The following technical analysis focuses on the bespoke QuasarRAT loader developed by MenuPass and modifications made to the QuasarRAT backdoor.
Quasar rat install#
In later variants an additional component is also used to install the RAT as a service (a.k.a DILLJUICE). The encrypted QuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and instantiated using a CLR host application. The remote access Trojan (RAT) is loaded by a bespoke loader (a.k.a.
Quasar rat download#
It can collect system information, download and execute applications, upload files, log keystrokes, grab screenshots/camera captures, retrieve system passwords and run shell commands. QuasarRAT is a lightweight remote administration tool written in C#. We have not observed new QuasarRAT samples in the wild since late 2018, roughly coinciding with when the FBI indicted several members of the MenuPass group. We identified several distinct loader variants tailored to specific targets by leveraging machine learning (ML) to analyse our malware corpus. APT10/Stone Panda/Red Apollo) threat actor, and utilized an open-source backdoor named QuasarRAT to achieve persistence within an organization. The campaign seemed to be related to the MenuPass (a.k.a. You can reach out to us via Twitter/ Facebook or mail us at for advertising requests.During the latter half of 2018, BlackBerry Cylance threat researchers tracked a campaign targeting companies from several verticals across the EMEA region. Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Twitter, and Reddit. It is clearly a geo-political warfare, and the intention is to cause hindrance to Taiwanese organizations and their operations. The details were gathered by C圜raft when one of the affected customers disclosed the case to the company.Ĭhina-based AP10 hackers and their new intrusion techniquesĪs per C圜raft, it was two separate cyberattacks on Taiwanese Financial Entities, and the hackers have used advanced obfuscation techniques that wasn’t seen earlier.Īnd considering the attack motive, digital footprints and the political situation between Taiwan and China, the objective doesn’t seem to be monetary benefits. With this RAT installed the hackers were able to remotely access the internal network and its systems using the reverse RDP tunnels. Once the scanning is done, the China-based AP10 organization used a unique technique called reflective code loading to run and execute malicious code on systems to install a version of Quasar RAT. The attackers then used a tool called Impacket and scanned the company’s network completely.
Quasar rat software#
The China-based APT10 hacking group exploited a vulnerability in security software solution (name of the product is yet to be revealed), and deployed a ASPXCSharp Web Shell. However, after some detailed investigation and analysis from C圜raft it is found that the credential stuffing attack carried out by APT10 was just a mask to cover their main objectives. The company first observed a credential stuffing attack in November 2021, where the hackers accessed some trading accounts and performed irregular mass transactions on the Hong Kong stock market.
Quasar rat Patch#
The C圜raft has marked the incident as ‘Operation Cache Panda’ and linked it to Chinese cyber-espionage group called the APT10 (a state-sponsored organization).Ĭ圜raft stated that they name of the product exploited by APT10 can’t be shared as there is a law enforcement investigation that is happening now and the vendor is working on a emergency patch to fix the situation across institutions.Ĭhina-based APT10 mask it with credential stuffing but infiltrate networks using RAT
The attacks on Taiwan is believed to have been started by November 2021 and was happening until this month as per C圜raft Report. A China-based AP10 hacking group that is supported by the Chinese government has carried out a cyberattack on Taiwan’s financial sector by exploiting a vulnerability in a security software which is used by 80 percent of local financial institutions.