Quasar is a publicly available open-source Remote Access Trojan (RAT) which primarily targets Windows OS systems. Quasar RAT is distributed via malicious attachments in phishing emails. This RAT is written in the C# programming language.
Quasar was developed by GitHub user MaxXor for legitimate remote-administration use. However, the RAT has been adopted by bad actors in cyber-espionage campaigns. Quasar RAT was first released in July 2014 as “xRAT 2.0” and was renamed “Quasar” in August 2015.
The Remote Access Trojan uses two methods to achieve persistence: scheduled tasks and registry keys.
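The two persistence locations named above can be audited directly from PowerShell on a Windows host. The script below is an added example, not code from the page or from the Quasar project: it enumerates the Run/RunOnce registry keys and every scheduled task action, and flags any entry that launches from a user-writable directory. The list of registry keys is the standard Windows autostart set; the user-writable-path pattern is an assumption used for illustration, not a Quasar indicator.

```powershell
# Added example (not from the page or the Quasar project): list the two
# persistence mechanisms the text names and flag entries that execute from
# user-writable paths. The path heuristic is an assumption for illustration.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a user can write to; legitimate autostarts in these paths exist,
# so a hit is a triage lead, not a verdict (assumed heuristic).
$suspiciousPathPattern = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    return ($Command -match $suspiciousPathPattern)
}

Write-Host '== Registry Run/RunOnce entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; skip that metadata
        if ($p.Name -like 'PS*') { continue }
        $flag = if (Test-SuspiciousCommand $p.Value) { 'SUSPICIOUS' } else { 'ok' }
        '{0,-10} {1}\{2} => {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

Write-Host '== Scheduled task actions =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions carry no Execute property; only exec actions matter here
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $flag = if (Test-SuspiciousCommand $cmd) { 'SUSPICIOUS' } else { 'ok' }
        '{0,-10} {1}{2} => {3}' -f $flag, $task.TaskPath, $task.TaskName, $cmd
    }
}
```

Run it in an elevated session so the HKLM keys and all task folders are readable. Expect some legitimate software (updaters, sync clients) to be flagged; the value of the output is the short list of autostart commands that can then be checked against the host's software inventory.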
What are the capabilities of Quasar RAT?
Quasar RAT’s capabilities include:
DustSky campaign against governments
In January 2017, Palo Alto Networks observed the Gaza threat actor group’s DustSky campaign targeting government institutions in the Middle East. The campaign installed the Downeks downloader, which in turn dropped the Quasar RAT onto victims’ computers.
Quasar RAT used in Ukraine
In January 2018, attackers targeted the Ukrainian Ministry of Defense with the Quasar RAT and a custom malware dubbed VERMIN. The malware strains were distributed via decoy documents. The attack was aimed at stealing system information, usernames, keystrokes, and clipboard data.
Malware campaign drops Quasar RAT and NetWiredRC RAT
In February 2018, researchers observed a malware campaign that distributed the Quasar RAT and NetWiredRC RAT as final payloads via malicious RTF documents.
Attackers abuse RCE vulnerability to distribute Quasar RAT
A remote code execution vulnerability (tracked as CVE-2018-8373) in Internet Explorer’s scripting engine has been abused to distribute the Quasar RAT. This RCE vulnerability had already been patched at the time of the attacks.
APT10 uses PlugX and Quasar RAT
In May 2019, researchers observed the Chinese cyber-espionage group APT10 using two loader variants and various payloads to launch attacks against government and private organizations in Southeast Asia.