QuasarRAT

Associated Software Descriptions

Name | Description |
---|---|
xRAT | (Citation: TrendMicro Patchwork Dec 2017)(Citation: Securelist APT10 March 2021) |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | If the QuasarRAT client process does not have administrator privileges it will add a registry key to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | QuasarRAT can launch a remote shell to execute commands on the victim’s machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | QuasarRAT can obtain passwords from common web browsers.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems.(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1056.001 | Input Capture: Keylogging | QuasarRAT has a built-in keylogger.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | QuasarRAT has a module for performing remote desktop access.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018) |
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.(Citation: Volexity Patchwork June 2018) |
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | QuasarRAT can obtain passwords from FTP clients.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
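
The Hidden Window entry describes a detectable contradiction: a Safari-on-macOS user-agent string sent by software that only runs on Windows. The following is an added example, not code from this page or the cited reports, that checks web-proxy logs for that string coming from hosts inventoried as Windows, and generalizes slightly by also flagging any other Macintosh user-agent from such hosts at lower confidence. The CSV log layout, host names, destinations and inventory mapping are constructed assumptions.

```python
import csv
import io

# User-agent string quoted on this page (CISA AR18-352A) for "invisible" requests.
QUASAR_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 "
             "(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A")

# Constructed asset inventory (assumption): source host -> OS family.
INVENTORY = {"ws-014": "windows", "ws-022": "windows", "mbp-003": "macos"}

# Constructed proxy log (assumption). CSV columns: timestamp, host, destination, user-agent.
SAMPLE_LOG = '''\
2024-05-01T09:00:01Z,ws-014,updates.example.net,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
2024-05-01T09:00:07Z,ws-022,files.example.org,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
2024-05-01T09:01:12Z,mbp-003,files.example.org,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
2024-05-01T09:02:30Z,ws-014,cdn.example.com,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
'''


def find_mismatches(log_text, inventory):
    """Return (timestamp, host, destination, reason) for Mac user-agents seen from Windows hosts."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, dest, ua = (field.strip() for field in row)
        if inventory.get(host) != "windows":
            continue  # a Mac user-agent only contradicts a host known to run Windows
        if ua == QUASAR_UA:
            findings.append((ts, host, dest, "exact-quasar-ua"))   # high confidence
        elif "(Macintosh;" in ua:
            findings.append((ts, host, dest, "mac-ua-from-windows"))  # lower confidence
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG, INVENTORY):
        print(finding)
```

The lower-confidence rule will also match browsers with a deliberately overridden user-agent (for example developer tools), so treat it as a triage lead and correlate with the Run key and scheduled-task persistence listed above.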

Groups That Use This Software

ID | Name | References |
---|---|---|
G0040 | Patchwork | (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) |
G0140 | LazyScripter | (Citation: MalwareBytes LazyScripter Feb 2021) |
G0078 | Gorgon Group | (Citation: Unit 42 Gorgon Group Aug 2018) |
G0094 | Kimsuky | (Citation: Mandiant APT43 March 2024) |
G0045 | menuPass | (Citation: DOJ APT10 Dec 2018) (Citation: Symantec Cicada November 2020) (Citation: Securelist APT10 March 2021) |
G0135 | BackdoorDiplomacy | (Citation: ESET BackdoorDiplomacy Jun 2021) |

References
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
- United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.