Quasar RAT continues to be distributed through a private HTS (Home Trading System) program named HPlus, now delivered as an MSI installer and bundling AnyDesk for remote assistance. During installation an FTP-based updater downloads the malware payload, which installs StockProh.exe (launcher) and Socketmanager240714.exe (Quasar RAT). Users are warned to avoid privately distributed HTS and to keep their software up to date.
Hashtags: #QuasarRAT #HPlus #AnyDesk #StockProh #Socketmanager240714
Keypoints
- Quasar RAT is distributed via a private HTS program called HPlus, continuing a pattern observed in past campaigns.
- The distribution method shifted from NSIS to MSI installers, and the campaign now supports remote assistance via AnyDesk.
- During installation, Asset.exe reads config.ini and uses FTP to contact an updater server to fetch updates, delivering the actual malware.
- The downloaded payload is a compressed file containing StockProh.exe (launcher) and Socketmanager240714.exe (Quasar RAT).
- Historically, private HTS groups targeted victims’ investments; now they also take control of victims’ PCs and steal data.
- Authorities warn against obtaining HTS through private channels and urge users to install HTS only from official sources and to keep software up to date (including V3).
- Detected IOCs include multiple MD5 hashes and two C2 addresses, with specific file and behavior indicators noted by security researchers.
MITRE Techniques
- [T1071.004] Application Layer Protocol: File Transfer Protocol – The updater uses FTP to fetch updates and retrieve the malware payload. [‘Asset.exe reads the “config.ini” file located in the same directory and connects to the updater server to perform updates using the FTP protocol.’]
- [T1021] Remote Services – Remote assistance is facilitated via AnyDesk, executed when the “Remote Support” button is clicked. [‘AnyDesk that had been installed together is executed when the “Remote Support” button is clicked.’]
- [T1105] Ingress Tool Transfer – The initial infection stage involves downloading a compressed file containing malware. [‘downloading a compressed file containing malware.’]
- [T1055] Process Injection – Evidence of fileless injection is noted (‘Fileless/MDP.Inject.M4878’, ‘Fileless/MDP.Inject.M4876’).
Indicators of Compromise
- [MD5] File hashes – 3F1B0FF74433EC2ACEDD93A5BFEF8E0C, 3E0963FC309A94F182A33037BEF8E44B, 32CB22B72A50F887805541C4AFAA34A5, 2652ADCC83237B04102CA1D47908FF6C, A439E91D29611FB87BE0CCE22AA4D442 (and 2 more hashes)
- [IP] C2 servers – 43.201.97[.]239:24879, 103.136.199[.]131:56001
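As an added defender-side example (not code from the ASEC report or its authors), the script below matches the indicators and behaviours listed above against constructed endpoint telemetry: the file hashes and defanged C2 addresses are taken from this page, while the key=value log format, the file paths and the pairing of a hash with a particular file are assumptions made for the demonstration.

```python
import re

# Indicators quoted from the report above: MD5 hashes and defanged C2 addresses.
REPORT_MD5 = {
    "3F1B0FF74433EC2ACEDD93A5BFEF8E0C", "3E0963FC309A94F182A33037BEF8E44B",
    "32CB22B72A50F887805541C4AFAA34A5", "2652ADCC83237B04102CA1D47908FF6C",
    "A439E91D29611FB87BE0CCE22AA4D442",
}
REPORT_C2 = {"43.201.97[.]239:24879", "103.136.199[.]131:56001"}

def refang(ioc: str) -> str:
    """Restore a defanged indicator ('43.201.97[.]239') to its literal form for matching."""
    return ioc.replace("[.]", ".")

C2_LITERAL = {refang(c) for c in REPORT_C2}

def parse(line: str) -> dict:
    """Parse one key=value telemetry line (a constructed format, not a real product's)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def scan(lines):
    """Return (rule, line) pairs for every line matching a report indicator or behaviour."""
    hits = []
    for line in lines:
        ev = parse(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        if ev.get("md5", "").upper() in REPORT_MD5:            # known-bad file hash
            hits.append(("ioc_md5", line))
        if f"{ev.get('dst')}:{ev.get('dport')}" in C2_LITERAL:  # connection to a listed C2
            hits.append(("ioc_c2", line))
        if image == "asset.exe" and ev.get("dport") == "21":     # updater talking FTP
            hits.append(("asset_ftp_update", line))
        if parent == "stockproh.exe" and image == "socketmanager240714.exe":
            hits.append(("launcher_spawns_rat", line))           # launcher starts the RAT
    return hits

# Constructed sample telemetry for a demonstration run (not taken from the report).
SAMPLE = [
    r"type=process image=C:\Users\u\AppData\Local\HPlus\Asset.exe md5=00000000000000000000000000000000",
    r"type=network image=C:\Users\u\AppData\Local\HPlus\Asset.exe dst=203.0.113.10 dport=21",
    r"type=file path=C:\Users\u\AppData\Local\HPlus\update.bin md5=3F1B0FF74433EC2ACEDD93A5BFEF8E0C",
    r"type=process parent=C:\Users\u\AppData\Local\HPlus\StockProh.exe image=C:\Users\u\AppData\Local\HPlus\Socketmanager240714.exe",
    r"type=network image=C:\Users\u\AppData\Local\HPlus\Socketmanager240714.exe dst=43.201.97.239 dport=24879",
    r"type=network image=C:\Windows\explorer.exe dst=203.0.113.5 dport=443",
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE):
        print(rule, "<-", line)
```

Run against the constructed sample, it reports the FTP update by Asset.exe, the known payload hash, the launcher starting the RAT and the C2 connection, and stays silent on the benign explorer.exe line.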
Read more: https://asec.ahnlab.com/en/67969/