New phishing campaign uses fake resumes to distribute Quasar RAT
- A new phishing campaign distributes Quasar RAT onto Windows systems via password-protected fake resume documents.
- Quasar RAT is capable of opening remote desktop connections, keylogging, stealing credentials, taking screenshots, recording video from webcams, downloading or exfiltrating files, and managing processes on infected machines.
What is the issue?
Researchers from Cofense uncovered a new phishing campaign that distributes Quasar RAT onto Windows systems via fake resume attachments.
More details about the campaign
This phishing campaign employs multiple anti-analysis methods and counter-detection measures to camouflage the infection vectors.
- The phishing emails include malicious Microsoft Word document disguised as a password protected resume document.
- The email prompts the users to open the resume by entering the password ‘123.’
- Once the users enter the passwords, the fake resume document will ask the users to enable the macros in order to start the infection process.
- The macros come in the form of base64 encoded garbage code, which is designed to crash analysis tools.
- Once the macro is successfully run, it will display a series of images that claim to load the content.
- However, the images repeatedly add a garbage string to the document contents and then display an error message, while downloading and executing the Quasar RAT in the background.
“The last significant step the threat actors take to avoid discovery is to download a Microsoft Self Extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB,” researchers said.
About the Quasar RAT
Quasar RAT is a remote administration tool that is capable of opening remote desktop connections, keylogging, stealing credentials, taking screenshots, recording video from webcams, downloading or exfiltrating files, and managing processes on infected machines.