QuasarRAT employs a novel dual DLL sideloading technique using two trusted Microsoft processes, ctfmon.exe and calc.exe, to stealthily deploy payloads and evade detection. The analysis covers the two-phase execution flow, resource encryption/decryption, memory injections, persistence, and C2 communications that enable keylogging, file transfer, and remote control. #QuasarRAT #CinaRAT #Yggdrasil #ctfmon #calc #MsCtfMonitor #RegAsm
Keypoints
- QuasarRAT uses a two-stage DLL sideloading technique leveraging trusted Microsoft executables (ctfmon.exe and calc.exe) to load malicious payloads.
- The attack sequence includes a stage 1 payload that releases both the legitimate calc.exe and a malicious DLL, enabling the next phase.
MITRE Techniques
- [T1574.001] DLL Side-Loading – “The threat actor begins by employing DLL side-loading techniques. Interestingly, they opted for two distinct Microsoft files for their attack: “ctfmon.exe” and “calc.exe.””
- [T1055.012] Process Hollowing – “With the “QuasarRAT” payload now residing in the computer’s memory, the payload employs a technique known as ‘process hollowing.’ Here, it embeds itself into a legitimate system process, further camouflaging its malicious intentions and making detection more challenging.”
- [T1055] Process Injection – “The PE File is then injected into Regasm.exe by the following sequence of APIs: CreateProcess, GetThreadContext, ReadProcessMemory, VirtualAllocEx and WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread.”
- [T1027] Obfuscated/Compressed Files and Information – “To decrypt the data, the key size is F2 hex bytes and the SystemFunction032 API is used to decrypt the encrypted data… to decrypt data by RC4 where the key is also stored in the .rsrc section (RCDATA: 401)”
- [T1547.001] Registry Run Keys/Startup Folder – “The RAT creates a persistent entry within the Windows registry. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsCalculator “c:\Users\Public\Pictures\Calc.exe /quit””
- [T1071] Command and Control – “The RAT creates a socket connection to CNC (3[.]94[.]91[.]208 >> ec2-3-94-91-208[.]compute-1[.]amazonaws.com) where it sends the victim’s info such as IP, Country code etc.”
- [T1113] Screen Capture – “Quasar RAT capabilities include Keylogging, stealing passwords, taking screenshots, reverse proxy, Downloading and uploading files etc.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “a restart batch file in the %Temp% directory which is executed and runs chcp 65001 && ping -n 10 localhost.”
- [T1047] Windows Management Instrumentation – “strings related to Quasar RAT such as Quasar Server … and WMI class … AntivirusProduct”
- [T1090] Proxy – “Reverse proxy functionalities”
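The T1027 entry above says the encrypted resource is RC4-decrypted via SystemFunction032 with a 0xF2-byte key that is itself stored in the .rsrc section. SystemFunction032 is simply the RC4 routine exported by advapi32/cryptsp, so an analyst can reproduce the decryption offline without running the sample. The following is an added example (not code from the Uptycs write-up or from this summary); it assumes the two RCDATA blobs have already been carved out of the file with a PE parser, and the key and ciphertext used below are constructed inline so the snippet runs stand-alone.

```python
# Added analysis helper: replicate SystemFunction032 (RC4) to decrypt an
# embedded resource whose key lives in a second resource, as described in
# the T1027 entry. Nothing here is taken from the malware itself.


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_embedded_pe(key_resource: bytes, encrypted_resource: bytes,
                        key_len: int = 0xF2) -> bytes:
    """Decrypt a resource blob with the key resource, as the write-up describes
    (key size 0xF2 bytes). Raises if the key resource is too short or the
    output does not look like a PE image, which usually means a wrong key or
    key length was assumed."""
    key = key_resource[:key_len]
    if len(key) != key_len:
        raise ValueError(f"key resource shorter than expected {key_len} bytes")
    plain = rc4_crypt(key, encrypted_resource)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted blob does not start with an MZ header")
    return plain


# --- constructed sample data (NOT the real resources from the sample) ---
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(0xF2))   # 242-byte stand-in key
SAMPLE_PLAIN = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a PE image"
SAMPLE_ENC = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAIN)            # what the .rsrc blob would look like


if __name__ == "__main__":
    recovered = decrypt_embedded_pe(SAMPLE_KEY, SAMPLE_ENC)
    print("recovered header:", recovered[:2], "length:", len(recovered))
```

In practice the two blobs come from the RCDATA entries named in the write-up (the key from resource 401); pass them as `key_resource` and `encrypted_resource` and dump the returned bytes to disk for static analysis of the next-stage payload.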
Indicators of Compromise
- [File Name] context – eBill-997358806.exe, Calc.exe, monitor.ini, MsCtfMonitor.dll, FileDownloader.exe, Secure32.dll, Winsecu32.dll, Final Payload/Remotify Client
- [MD5] context – B625C18E177D5BEB5A6F6432CCF46FB3, 32DE5C2E0BA35CEAC3C515FA767E42BF, 7074832F0EFB8A2130B1935EAE5A90D6, B0DB6ADA5B81E42AADB82032CBC5FD60, d07e4afd8f26f3e2ce4560e08b7278fb, f11c63cb70a726f1f0b6accd5934e83, 532AF2DB4C10352B2199724D528F535F
- [IP] context – 3.94.91.208
- [Domain] context – ec2-3-94-91-208.compute-1.amazonaws.com
- [URL] context – https://www.uptycs.com/blog/quasar-rat
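The persistence entry (a Run value named WindowsCalculator pointing at a calc.exe copy under C:\Users\Public\Pictures) and the hash list above can both be turned into a simple hunt. The following is an added example, not code from the Uptycs write-up or this summary: it scores a Run-key command line for the two traits the report describes (a system-binary name launched from outside C:\Windows, and an autorun image under the user-writable C:\Users\Public tree) and checks a file's MD5 against the published hashes. The registry entries fed to it are constructed for the demonstration; on a real host they would be read from HKCU\...\CurrentVersion\Run.

```python
# Added hunting helper for the persistence and hash IoCs listed in this summary.
import hashlib
import ntpath

# MD5 values copied from the IoC list above; one printed value is only 31 hex
# characters long, so it is filtered out rather than padded or guessed.
_PUBLISHED_MD5 = (
    "B625C18E177D5BEB5A6F6432CCF46FB3", "32DE5C2E0BA35CEAC3C515FA767E42BF",
    "7074832F0EFB8A2130B1935EAE5A90D6", "B0DB6ADA5B81E42AADB82032CBC5FD60",
    "d07e4afd8f26f3e2ce4560e08b7278fb", "f11c63cb70a726f1f0b6accd5934e83",
    "532AF2DB4C10352B2199724D528F535F",
)
KNOWN_BAD_MD5 = {h.lower() for h in _PUBLISHED_MD5 if len(h) == 32}

# Microsoft binaries the report names as sideloading/injection hosts.
ABUSED_SYSTEM_BINARIES = {"calc.exe", "ctfmon.exe", "regasm.exe"}


def _image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entry(value_name: str, command: str) -> list:
    """Return the reasons a Run-key entry looks like the persistence described
    in the report; an empty list means nothing matched."""
    image = _image_path(command).lower()
    base = ntpath.basename(image)
    reasons = []
    if base in ABUSED_SYSTEM_BINARIES and not image.startswith("c:\\windows\\"):
        reasons.append(f"{value_name}: {base} launched from outside C:\\Windows ({image})")
    if image.startswith("c:\\users\\public\\"):
        reasons.append(f"{value_name}: autorun image in user-writable C:\\Users\\Public")
    return reasons


def md5_matches_ioc(file_bytes: bytes) -> bool:
    """True if the file's MD5 is one of the published hashes."""
    return hashlib.md5(file_bytes).hexdigest() in KNOWN_BAD_MD5


# --- constructed Run-key entries for the demonstration ---
SAMPLE_RUN_ENTRIES = {
    # the value described in the T1547.001 entry above
    "WindowsCalculator": r"c:\Users\Public\Pictures\Calc.exe /quit",
    # a benign-looking constructed entry for contrast
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def scan_run_entries(entries: dict) -> dict:
    """Map each value name to its list of findings (only names with findings)."""
    findings = {name: suspicious_run_entry(name, cmd) for name, cmd in entries.items()}
    return {name: r for name, r in findings.items() if r}


if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        for r in reasons:
            print("SUSPICIOUS", r)
```

The path test is deliberately narrow: calc.exe and ctfmon.exe normally reside under C:\Windows, so a copy anywhere else is the sideloading precondition the report describes, and a Run value under C:\Users\Public is writable by any local user and so is a common drop location. Tune `ABUSED_SYSTEM_BINARIES` to other lures as needed.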
Read more: https://www.uptycs.com/blog/quasar-rat