Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

October 23, 2023 at 02:09PM

The Quasar RAT malware is using DLL side-loading to steal data from compromised Windows hosts. The malware disguises itself as legitimate files, such as ctfmon.exe and calc.exe, to avoid detection. It can gather system information, execute commands, and establish remote access. The attack vector is likely phishing emails. Stay vigilant against suspicious emails, links, or attachments.

Meeting Notes – Oct 23, 2023

Topic: Newsroom Cyberattack / Malware

During the meeting, the team discussed a recent cyberattack involving a malware known as Quasar RAT. This malware has been observed using DLL side-loading techniques to evade detection and extract data from compromised Windows hosts. The attackers take advantage of the trust placed in certain Windows files, such as ctfmon.exe and calc.exe. Quasar RAT, also referred to as CinaRAT or Yggdrasil, is a remote administration tool written in C# that can collect system information, list running applications, gather files, capture keystrokes and screenshots, and execute shell commands.

DLL side-loading is a technique commonly used by threat actors to execute their payloads: they plant a malicious DLL file under a name that a legitimate executable is looking for. This lets the attackers camouflage their actions under trusted, and potentially elevated, system or software processes.

The attack starts with an ISO image file that contains three files: a legitimate binary called ctfmon.exe (renamed as eBill-997358806.exe), a DLL file named MsCtfMonitor.dll (renamed as monitor.ini), and a malicious MsCtfMonitor.dll. When the renamed binary, “eBill-997358806.exe,” is executed, it loads the disguised “MsCtfMonitor.dll,” which contains hidden malicious code, through DLL side-loading. The hidden code injects an executable called “FileDownloader.exe” into Regasm.exe (the Windows Assembly Registration Tool) to proceed to the next stage. In this stage, an authentic calc.exe file loads the rogue Secure32.dll, again through DLL side-loading, ultimately deploying the final Quasar RAT payload.
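
A defender-side check for the chain described above, as an added example that is not part of the original article: it flags image-load events in which a copy of ctfmon.exe or calc.exe runs outside the Windows system directories and loads a DLL from outside the Windows tree. The event field names (process_path, process_original_name, loaded_dll) and all sample paths are assumptions, to be mapped onto whatever EDR or Sysmon telemetry is available.

```python
import ntpath

# Original (version-resource) file names of the Windows binaries named in the article.
WATCHED = {"ctfmon.exe", "calc.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WINDOWS_ROOT = "c:\\windows\\"

def _dir(path):
    # ntpath handles Windows paths on any OS; normcase lowercases and unifies slashes.
    return ntpath.normcase(ntpath.dirname(path)).rstrip("\\")

def check_event(event):
    """Return reasons an image-load event resembles side-loading; [] otherwise."""
    orig = event["process_original_name"].lower()
    proc, dll = event["process_path"], event["loaded_dll"]
    if orig not in WATCHED:
        return []
    # Scope: only copies run from outside the system directories that load
    # a DLL from outside the Windows tree are reported.
    if _dir(proc) in SYSTEM_DIRS or ntpath.normcase(dll).startswith(WINDOWS_ROOT):
        return []
    reasons = ["watched binary outside system directory loaded non-Windows DLL"]
    if ntpath.basename(proc).lower() != orig:
        reasons.append("binary renamed from " + orig)
    if _dir(dll) == _dir(proc):
        reasons.append("DLL sits beside the executable")
    return reasons

# Constructed sample telemetry; drive letters and directories are illustrative.
SAMPLE_EVENTS = [
    {"process_path": r"E:\eBill-997358806.exe",
     "process_original_name": "CTFMON.EXE",
     "loaded_dll": r"E:\MsCtfMonitor.dll"},
    {"process_path": r"C:\Windows\System32\ctfmon.exe",
     "process_original_name": "CTFMON.EXE",
     "loaded_dll": r"C:\Windows\System32\MsCtfMonitor.dll"},
    {"process_path": r"C:\Users\Public\calc.exe",
     "process_original_name": "CALC.EXE",
     "loaded_dll": r"C:\Users\Public\Secure32.dll"},
]

def flagged(events):
    return [(e["process_path"], check_event(e)) for e in events if check_event(e)]

if __name__ == "__main__":
    for path, reasons in flagged(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Matching on the original file name rather than the on-disk name is what lets the check see through the eBill-997358806.exe rename.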

The Quasar RAT establishes connections with a remote server to send system information and enables remote access to the compromised endpoint through a reverse proxy.

Although the identity of the threat actor and the specific initial access method used in the attack are unclear, it is likely that the malware is distributed through phishing emails. Therefore, it is crucial for users to remain vigilant and cautious when dealing with suspicious emails, links, or attachments.
