Quasar Remote Access Tool: When a Legitimate Admin Tool Falls into the Wrong Hands | Darktrace Blog

Darktrace observed opportunistic use of the open-source Quasar remote administration tool in late 2023, where attackers used DLL sideloading, encrypted SSL C2 on non-standard ports, and shared infrastructure to evade traditional detections. Anomaly-based detection (DETECT) identified unusual SSL metadata, rare external connections, and suspicious downloads, while autonomous response (RESPOND) blocked connections, enforced device “pattern of life”, and integrated with firewalls to contain incidents. #Quasar #Darktrace

Keypoints

  • Quasar, an open-source RAT, is being abused by attackers using DLL sideloading and default configurations to evade signature-based detections.
  • Darktrace DETECT identified initial infection via suspicious downloads (e.g., Eppzjtedzmk.exe) and uncommon user agents like Xmlst linked to Raccoon Stealer activity.
  • C2 communications were observed to rare IPs (notably 193.142.146[.]212) using port 4782, self-signed certificates with subject/issuer “CN=Quasar Server CA”, and encrypted SSL traffic without SNI.
  • Shared and reused malicious infrastructure showed interoperability with other malware (AsyncRAT, RedLineStealer) and dynamic DNS services (e.g., bittorrents[.]duckdns[.]org, zayprostofyrim[.]zapto[.]org).
  • Post-compromise activity included BitTorrent use, cryptomining (162.19.139[.]184), and small data uploads consistent with exfiltration.
  • Darktrace RESPOND provided mitigations: advisories to block IPs/ports, enforce device normal behavior (“pattern of life”), firewall integration to block connections, and full outbound-blocking/TCP resets when autonomous.
  • Anomaly-based detection is emphasized as critical because Quasar variants can change IoCs and TTPs while still producing behavioral deviations detectable without prior signatures.

MITRE Techniques

  • [T1090.002] External Proxy – Use of external proxying or intermediary services for communication; (‘Compromise / Beaconing Activity To External Rare’).
  • [T1071.001] Web Protocols – C2 over web protocols using encrypted SSL channels; (‘Quasar infections … encrypted SSL connections for command-and-control (C2) communication’).
  • [T1571] Non-Standard Port – Use of unusual ports for SSL C2 traffic, specifically port 4782; (‘usage of an unusual port not typically associated with the SSL protocol, 4782’).
  • [T1001] Data Obfuscation – Encrypted or obfuscated C2 communications and uploads to hide content; (‘Darktrace analyzed the meta-properties of these SSL connections without needing to decrypt the content’).
  • [T1573] Encrypted Channel – Use of self-signed SSL certificates to establish encrypted C2 channels; (‘a certificate subject and issuer of “CN=Quasar Server CA”, which is also the default self-signed certificate compiled by Quasar’).
  • [T1071] Application Layer Protocol – Application-layer protocols used for C2 traffic and beaconing; (‘Possible HTTP Command and Control’ and ‘Application Protocol on Uncommon Port’).
  • [T1584] Compromise Infrastructure – Reuse and sharing of malicious infrastructure and dynamic DNS endpoints across actors; (‘sharing of malicious infrastructure among threat actors is also evident’).

Indicators of Compromise

  • [IP:Port] Quasar C2 endpoints – 193.142.146[.]212:4782, 77.34.128[.]25:8080 (and several other ports on 193.142.146[.]212 associated with different malware).
  • [Domain] Dynamic DNS and botnet endpoints – zayprostofyrim[.]zapto[.]org, bittorrents[.]duckdns[.]org.
  • [Certificate] SSL certificate identifier – CN=Quasar Server CA (default self-signed certificate used by Quasar C2).
  • [Executable] Malicious payload filename – Eppzjtedzmk[.]exe (identified as a likely Quasar payload).
  • [IP] Additional malicious/related IPs – 162.19.139[.]184 (cryptomining endpoint), 95.214.24[.]244 (Quasar-associated IP).

Quasar compromises observed by Darktrace followed a reproducible technical sequence: initial delivery of Quasar payloads (often via DLL sideloading) using suspicious downloads and user agents (e.g., Xmlst), execution of payloads like Eppzjtedzmk.exe, and establishment of encrypted C2 channels over non-standard SSL ports. Attackers commonly used self-signed certificates labeled “CN=Quasar Server CA” and C2 endpoints such as 193.142.146[.]212:4782 or dynamic DNS names (bittorrents[.]duckdns[.]org, zayprostofyrim[.]zapto[.]org), and infrastructure overlaps tied these endpoints to other malware families (AsyncRAT, RedLineStealer) and commodity tools (Raccoon Stealer, Minergate cryptominer).

Detection relied on anomaly-based telemetry rather than signature matching: Darktrace analyzed SSL meta-properties (unusual ports, self-signed certs, SSL without SNI) and flagged rare external connections, multiple suspicious downloads, and beaconing patterns. These behavioral signals allowed DETECT to identify different kill-chain stages—initial download, C2 establishment, and data uploads—even when payloads used encryption or sideloading to evade traditional detections.
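The metadata-only checks described above, as an added example that is not Darktrace's code: it scores constructed SSL connection records for the signals the post names (uncommon port, missing SNI, self-signed and default Quasar certificate, rare external destination) and separately looks for regular beaconing intervals. The port list, thresholds, record field names, and the 203.0.113.10 baseline entry are assumptions; only 193.142.146[.]212:4782 and "CN=Quasar Server CA" come from the post.

```python
"""Flag Quasar-style SSL C2 from connection metadata alone, without decrypting it.
Added example (not Darktrace's code) over constructed Zeek-ssl.log-like records;
only 193.142.146[.]212:4782 and "CN=Quasar Server CA" come from the post."""
from collections import defaultdict
from statistics import pstdev

COMMON_TLS_PORTS = {443, 465, 563, 636, 853, 993, 995, 8443}
QUASAR_DEFAULT_CN = "CN=Quasar Server CA"  # default self-signed cert compiled by Quasar

def score_connection(rec, baseline):
    """Anomaly reasons for one SSL record. baseline maps dst IP -> number of
    distinct internal hosts seen contacting it ('rare external' if almost none)."""
    reasons = []
    if rec["dst_port"] not in COMMON_TLS_PORTS:
        reasons.append(f"ssl on uncommon port {rec['dst_port']}")
    if not rec.get("sni"):
        reasons.append("no SNI")
    subj, issuer = rec.get("cert_subject"), rec.get("cert_issuer")
    if subj and subj == issuer:
        reasons.append("self-signed certificate")
    if subj == QUASAR_DEFAULT_CN:
        reasons.append("default Quasar server certificate")
    if baseline.get(rec["dst_ip"], 0) < 2:
        reasons.append("rare external destination")
    return reasons

def beaconing_destinations(records, min_conns=4, max_jitter=0.2):
    """(dst_ip, dst_port) pairs one source contacts at near-regular intervals:
    coefficient of variation of the gaps between connections <= max_jitter."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["src_ip"], r["dst_ip"], r["dst_port"])].append(r["ts"])
    hits = set()
    for (_, ip, port), ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) < min_conns:
            continue
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits.add((ip, port))
    return hits

# Constructed telemetry: one beaconing Quasar-like session and one normal HTTPS site.
QUASAR = [dict(ts=t, src_ip="10.0.0.5", dst_ip="193.142.146.212", dst_port=4782, sni=None,
               cert_subject=QUASAR_DEFAULT_CN, cert_issuer=QUASAR_DEFAULT_CN)
          for t in (0, 60, 120, 181)]
BENIGN = [dict(ts=5, src_ip="10.0.0.5", dst_ip="203.0.113.10", dst_port=443, sni="www.example.com",
               cert_subject="CN=www.example.com", cert_issuer="CN=Example Public CA")]
BASELINE = {"203.0.113.10": 40}  # 40 internal hosts already use this site; the C2 IP is unseen
```

Running `score_connection` over QUASAR records returns all five reasons while the BENIGN record returns none, and `beaconing_destinations(QUASAR + BENIGN)` isolates the 4782 endpoint from its near-constant 60-second cadence.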

For containment, RESPOND recommended and (when autonomous) executed targeted mitigations: block specific IP:port combinations, enforce a device “pattern of life” to restrict connections to normal behavior, trigger firewall blocklists and TCP resets, and finally isolate devices by blocking all outbound connections if suspicious activity persisted. These automated, staged responses curtailed C2 traffic, prevented further downloads, and limited exfiltration and secondary malicious activity such as cryptomining or torrenting.

Read more: https://darktrace.com/blog/quasar-remote-access-tool-when-a-legitimate-admin-tool-falls-into-the-wrong-hands