CERT-AGID issued an alert about a large-scale malspam campaign distributing the Quasar RAT to Italian bank users, using official logos from the Ministry of the Interior to impersonate authorities. The operation targets users of specific Italian banks and relies on the same RAT variant (1.0.00.r6) with XOR-encoded strings, identified on August 16, 2024. #QuasarRAT #BlotchyQuasar #MinistryOfTheInterior #CERT-AGID #ItalianBanks
Keypoints
- CERT-AGID alerted to a large malspam campaign aimed at Italian bank users.
- The Quasar RAT is being distributed through deceptive emails.
- The attackers use official logos from the Ministry of the Interior to impersonate authorities.
- The active RAT version remains 1.0.00.r6 with unchanged C2 servers but modified download URLs.
- All strings in the malware are XOR-encoded, with the key embedded in the code.
- The campaign is focused on users of specific Italian banks and linked to BlotchyQuasar, a banking trojan derived from Quasar RAT.
- IoCs have been shared with accredited organizations via CERT-AGIDβs IoC Flow.
MITRE Techniques
- [T1003] Credential Dumping β The malware may attempt to gather credentials from the infected system. Quote: [βThe malware may attempt to gather credentials from the infected system.β]
- [T1219] Remote Access Tools β Utilizes Quasar RAT for remote access and control of infected systems. Quote: [βUtilizes Quasar RAT for remote access and control of infected systems.β]
- [T1566] Phishing β Employs deceptive emails to lure victims into executing the malware. Quote: [βEmploys deceptive emails to lure victims into executing the malware.β]
Indicators of Compromise
- [URL] IoCs β IoCs shared via CERT-AGIDβs IoC Flow: https://cert-agid.gov.it/wp-content/uploads/2024/08/BlotchyQuasar_19-08-2024.json, https://cert-agid.gov.it/scarica-il-modulo-accreditamento-feed-ioc/