Quasar RAT installed by new phishing campaign

News by Rene Millman

Malware deploys anti-analysis methods to install remote access tool by stuffing the message with so many strings of rubbish that attempts to decode them would likely cause a crash.

Security researchers have discovered a new phishing campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT).

According to a blog post by Cofense, A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities.

Researchers said that organisations have difficulties with ‘.doc’ file attachments distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. They said that such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros.

The RAT itself can open remote desktop connections, log keystrokes, steal passwords, can screenshots, and record webcam footage.

The current campaign delivers the RAT with a password-protected document. When the victim types in the "123" password included in the phishing message, the document asks for macros to be enabled. The macros contain more than 1200 lines of garbage code that appears to be base64 encoded.

"Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required," said researchers.

"If those strings are not decoded or the process decoding them has enough resources allocated, the resulting content still lacks the all-important payload URL," said researchers. "Instead, partial strings and filler text give some semblance of legitimacy."

Criminals hid payload URLs within the metadata of embedded images and objects.

"If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents. It will then show an error message while downloading and running a malicious executable in the background," said researchers.

The hackers then avoid discovery by downloading a Microsoft Self Extracting executable that unpacks a Quasar RAT binary. At 401MB, the file makes it hard for automated platforms that attempt to statically analyse the content, said researchers.

Ian Pratt, CTO and founder of Bromium, told SC Media UK that businesses simply can’t continue to put the onus of security on users and expect them to spot these phishing emails. Instead, organisations must invest in the right technology to develop layered cyber-security defences.

"Email gateways, detection sandboxes and AV or EDR can help, but to really tackle the problem of threats targeting users, application isolation technology needs to be deployed to the endpoint so that it really doesn't matter if a user clicks on something bad, the threat is fully contained," he said.

Steven Peake, pre-sales engineer at Barracuda Networks, told SC Media UK that while international law enforcement agencies continue their work to stop these criminals, individuals have to do everything possible to avoid being a victim.

"As always, be very careful when clicking on links or attachments in an email, even if you know the sender. Secondly, for links in particular, it’s always safer to open a browser and type in the address link. Finally, never use the same password for multiple accounts. This prevents a successful attack from exposing more than one set of credentials," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews