Quasar RAT Being Distributed by Private HTS Program – ASEC BLOG

ASEC’s analysis reveals Quasar RAT being distributed via a private Home Trading System (HTS) called HPlus, which illicit investment groups use to lure victims and install malware. In this campaign the private HTS masquerades as a legitimate investment service while delivering Quasar RAT, which gives the operators remote control, data theft, and credential access. #QuasarRAT #HPlus #HTS #AhnLab #ASEC

Keypoints

  • Quasar RAT is being distributed through a private HTS named HPlus, not through institutional financial firms.
  • Illegal investment groups use group chats and ads (e.g., Roh KakaoTalk) to recruit victims and persuade them to install the private HTS.
  • The installation uses NSIS installer HPlusSetup.exe with Asset.exe as launcher/updater, which reads config.ini for the update/C2 details.
  • The update flow downloads NewVer.ver from an FTP/C2 server and replaces outdated versions to install Quasar RAT.
  • StockProForHplus2.exe and related files inject Quasar RAT via HPlusSocketManager and may add Windows Defender exceptions as a defense-evasion step.
  • Quasar RAT capabilities include remote control, file/registry operations, keylogging, account data collection, and remote desktop access.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Asset.exe downloads the update file and installs it if outdated: “Asset.exe downloads the “NewVer.ver” file from the update server and compares it with the “LocalVer.ver” file in the same path to check if the file is outdated. If the file is outdated, it downloads the latest version set in the “NewVer.ver” as a compressed file and installs it to the same path.”
  • [T1055] Process Injection – “HPlusSocketManager20221208.exe” launches “vbc.exe” and injects Quasar RAT into it. As a result, Quasar RAT runs in the memory of “vbc.exe”, a legitimate process.
  • [T1036] Masquerading – The private HTS used in these frauds is made virtually indistinguishable from the HTS provided by stock firms, so that users believe normal transactions are being made.
  • [T1021.001] Remote Desktop – Quasar RAT provides remote control capabilities via remote desktop as part of its features: “remote command execution and the ability to download and upload files” and real-time control over infected systems.
  • [T1056.001] Keylogging – Quasar RAT provides keylogging and account information collection features to allow the theft of information from user environments.
  • [T1562.001] Impair Defenses – Files contain a command to add an exception path to Windows Defender, aiding malware persistence and execution.
  • [T1552.001] Credentials in Files – The FTP server’s account credentials are hard-coded into Asset.exe: “the respective locations of the C&C server address and the FTP server’s account credentials are also hard-coded into ‘Asset.exe’.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – “HPlusSocketManager20221208.exe” launches “vbc.exe” to run parts of Quasar RAT, indicating VB-based tooling usage.

Indicators of Compromise

  • [IP/Domain] C2 and update server addresses – 103.136.199[.]131:4449 (Quasar RAT C2), 103.136.199[.]131:4782 (Quasar RAT), 103.136.199[.]131:24879 (FTP/update server).
  • [MD5] File hashes – 56961c573c78681b98c8336679202ead: Installer (HPlusSetup.exe), a041b5708e8a0bf36b83312cbf3c94c9: Launcher (StockProForHplus.exe), b50c4b4958caba46760fccb02946966b: Launcher (StockProForHplus.exe), and 2 more hashes.
  • [File] Executables involved – HPlusSetup.exe, StockProForHplus.exe, StockProForHplus2.exe (and related HTS components).
  • [File] Quasar RAT components – HPlusSocketManager20221208.exe, Quasar RAT (hplussocketmanager.exe) and related launcher/executable pairs.
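As an added example (not code from the ASEC report), the behaviours in the MITRE list above and the network indicators in this IoC list can be turned into simple host-telemetry detection rules: the vbc.exe child of an HPlusSocketManager*.exe parent, a Windows Defender exclusion added from the command line, and connections to the listed update/C2 address and ports. The sample events are constructed here in Sysmon-like fields and are not from the report.

```python
import fnmatch
import re
from dataclasses import dataclass

# Indicators from the report; the address stays defanged and is re-fanged only for matching.
C2_HOST = "103.136.199[.]131".replace("[.]", ".")
C2_PORTS = {4449, 4782, 24879}  # Quasar RAT C2, Quasar RAT, FTP/update server

@dataclass
class Event:
    kind: str                # "process" or "network"
    image: str = ""          # process image name
    parent: str = ""         # parent image name (process events)
    cmdline: str = ""        # full command line (process events)
    dst: str = ""            # destination IP (network events)
    port: int = 0            # destination port (network events)

def classify(ev: Event) -> list[str]:
    """Return the technique IDs from the report that this event matches."""
    hits = []
    if ev.kind == "process":
        # T1055: Quasar RAT hosted in vbc.exe spawned by HPlusSocketManager*.exe
        if (fnmatch.fnmatch(ev.parent.lower(), "hplussocketmanager*.exe")
                and ev.image.lower() == "vbc.exe"):
            hits.append("T1055")
        # T1562.001: Windows Defender exclusion path added via the command line
        if re.search(r"add-mppreference.*-exclusionpath", ev.cmdline, re.I):
            hits.append("T1562.001")
    elif ev.kind == "network" and ev.dst == C2_HOST and ev.port in C2_PORTS:
        # T1105 for the FTP/update port; the other two ports are Quasar RAT C2
        hits.append("T1105" if ev.port == 24879 else "C2")
    return hits

# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    Event("process", image="vbc.exe", parent="HPlusSocketManager20221208.exe", cmdline="vbc.exe"),
    Event("process", image="powershell.exe", parent="StockProForHplus2.exe",
          cmdline='powershell -c "Add-MpPreference -ExclusionPath C:\\HPlus"'),
    Event("process", image="vbc.exe", parent="msbuild.exe", cmdline="vbc.exe /target:library"),
    Event("network", image="Asset.exe", dst=C2_HOST, port=24879),
    Event("network", image="vbc.exe", dst=C2_HOST, port=4449),
    Event("network", image="browser.exe", dst="203.0.113.5", port=443),  # benign, RFC 5737 address
]

def triage(events: list[Event]) -> dict[str, list[str]]:
    """Map each matched technique ID to the process images that triggered it."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for tech in classify(ev):
            report.setdefault(tech, []).append(ev.image)
    return report

if __name__ == "__main__":
    for tech, images in triage(SAMPLE_EVENTS).items():
        print(f"{tech}: {', '.join(images)}")
```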

Read more: https://asec.ahnlab.com/en/47283/