Quasar, open-sourced RAT

Introduction

Managed Defense analysts were the first one to analyse a variant of Quasar RAT specific to threat group APT10 (Red Apollo), a Chinese cyber-espionage group.

Quasar RAT is a publicly available remote access trojan that is a fully functional .NET backdoor and freely available on Github.

Some of the malware’s capabilities include enumerating local drives and directories, downloading and uploading files to a remote server, collecting and exfiltrating sensitive system information, executing system commands, establishing a TCP proxy, and downloading and executing additional plugins for added capabilities.

I wasn’t able to find more information about it online on how it gets distributed but my guess is through phishing campaigns.

Behavioural Analysis

Before firing the sample on my VM, I quickly spinned an instance on Any Run and Intezer Analyser to gather as many information as possible.

Over the next 30 seconds after the execution, the sample creates an additional executable called WebMonitor.exe and adds its path to the registry Run key to achieve persistence.

Any Run process tree execution

The process creation is pretty simple and straight forward without any shenanigans.
We have some registry manipulation, WebMonitor.exe that points to the actual malicious executable, and killing max.bin.exe which should be process number 1948 at the time I’m executing it.

Process Tree

I’m also pretty sure that WebMonitor.exe will communicate with the C2 since there are some GET requests made to 2 different domains, one to get the IP of the victim and the other one to most likely establish a connection were the attacker could execute arbitrary commands.

Malware persistency through cmd.exe

We can see that also GrandSteal (even tho Microsoft labels it as Agent Tesla where you can find my analysis here)was used to steal personal data from the victim. An interesting and in-depth analysis can be found here.

All the stolen data appears to be originated from the browsers used by the victim.
I think that the reason behind this thing is that the users normally save all the credentials, cookies and sessions ID into their browser so, if the attacker could possibly steal access those data, they can use them in order to access the victim’s accounts.

Main executable overview

Still new to me the MITRE framework but it’s nice to have to quickly see what the sample can do.

MITRE framework

Three domains get contacted by the sample:

Domains contacted

And here is their IPs and ports they use to connect:

Network activity

195.2.75.10 should be the C2 that listens to port 2012:

C&C communication example

And finally, two GET requests: one to get the IP of the victim and the other one to communicate with the C2.

GET requests

Decompiling the dropper

This sample has different stages where different actions are being executed on the victim’s machine.
We’ll quickly take a look at what does the dropper do, what other processes it creates, how it achieves persistency and how it communicates with the C2.

Gathering information about Quasar

Since Quasar is an open source project, we can quickly try to analyse its main functionalities and even clone the code and execute it.

Here’s a list of all the functionalities Quasar has:

  • TCP network stream (IPv4 & IPv6 support)
  • Fast network serialisation (Protocol Buffers)
  • Compressed (QuickLZ) & Encrypted (TLS) communication
  • UPnP Support
  • Task Manager
  • File Manager
  • Startup Manager
  • Remote Desktop
  • Remote Shell
  • Remote Execution
  • System Information
  • Registry Editor
  • System Power Commands (Restart, Shutdown, Standby)
  • Keylogger (Unicode Support)
  • Reverse Proxy (SOCKS5)
  • Password Recovery (Common Browsers and FTP Clients)

After compiling and opening the application, a window pops up and shows all the infected machines that Quasar is controlling.

Quasar admin panel

In order to infect a machine, we need to create a client installer that has to be executed on the target’s machine.

By specifing all the mandatory parameters such as file name, connection, assembly settings, monitoring settings and additional installation settings, we then build a functional installer that, after being executed, will connect to our machine or our C2.

Building the executable that will connect the victim to the C&C

Dropper

This is what we get if we decompile the dropper without doing any sort of decoding:

Obfuscated .NET code

And here is the decompiled executable which has been encoded with DeepSea 4.1. Better but still confusing:

Deobfuscated code using de4dot.exe

While waiting for PEStudio to finish its scan, my jaw dropped after seeing how many resources this application has:

Resources

By looking at the strings PEStudio found, we can clearly see that it’s some sort of a stealing application looking for common services like Discord, Steam and Telegram.
Also worth nothing different .exe names and the string VirtualBox.

Executing the dropper will try to load an additional dll file (maybe from the resources above), creating a physical file on the disk named C:\Users\IEUser\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll or in here C:\Users\IEUser\AppData\Local\Temp\d4577913-bed8-4f50-875e-10217b35ffda\AgileDotNetRT64.dll and finally, loading the library into memory.

Loading into memory another library

Everything is done through Delegation, a special type that represents references to methods with a particular parameter list and return type.
Delegates are used to pass methods as arguments to other methods, a common malware obfuscation technique used by malware writers to confuse the analysts.

Delegation example

After loading and decrypting each resource we saw above with a key, the executable will drop a new file called maxclip.exe into C:\Users\user\Documents\.

Decrypting method
New executable decoded and loaded

I wasn’t able to find exactly how it communicates with the C2 but I do know for sure that another executable called WpfCustomControlLibrary.dll gets dropped by maxclip.exe, containing methods likes decryptBytes, Decompress, TryInstall, RunPe1 and SetStartup.

No clue

At this point I’m getting really frustrated and decided to call it a day and end my adventure here since I “discovered” mostly everything that this sample had to offer.

All in all, it was a good learning experience even tho I need to better understand delegates and how to handle them in order to improve my analysing technique.

Artifacts & IOCs

Persistence

KeyValue
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunC:\Users\User\AppData\Local\WebMonitor.exe

max.exe

HashValue
MD56CBB886646CB8CDBCAF228623ED8FF2B
SHA1DF46AEEE5E2E37EFD5F6F24AEDB85B839D250FB4
SHA256EE72425B43AE65BDC3129F6401E1D19CB3C1C316E732C4AB1AE1121B10CF812F

WebMonitor.exe & maxclip.exe

HashValue
MD5E47F8E757EA9CD122B00DD363417AA5B
SHA2564B465A972FBA24E7AA5474C43374A8B3120AE61ED0E221B1487B9B9E235C4D97

Network

DomainIP
8dkxq2.hanashikoto.ru195.2.75.10:2012
f.tsuyogari.ru81.177.141.11:443

Just for testing purposes

Don’t mind at this paragraph, doing some tests

Leave a Reply

Your email address will not be published. Required fields are marked *