RAT

Open Source

.Net

Quasar

Quasar is a remote access trojan (RAT) that allows attackers to control infected machines remotely. Written in .NET and released as an open source project for Microsoft Windows, it is a popular tool in many attacks.

Key Insights

Quasar RAT has many capabilities that make it a versatile tool for attackers: keylogging, password stealing, screenshot capture, reverse proxy, and file download and upload. Because it is open source, attackers can customize it to fit their target or campaign.

Distribution Methods

Quasar is distributed through malicious spam emails (malspam) carrying infected attachments or links. Attackers also exploit publicly disclosed vulnerabilities to deploy Quasar as a secondary payload after initial compromise. Its open source nature has made it popular among many threat actors, from novice hackers to APT groups.

Evasion Techniques

Quasar RAT can be packed or obfuscated to evade detection. Some attackers use DLL sideloading to run Quasar, which makes detection harder. It can operate stealthily on the infected system to maintain persistence and prolonged unauthorized access.

Known Variants

Quasar RAT has many variants and derivatives because of its open source nature. CinaRAT and Yggdrasil are two examples of modified Quasar builds that add features or alter the code to evade detection. These variants keep the core of Quasar and add custom modifications to fit the threat actor's requirements.

Mitigation Strategies

  • Limit the use of remote administration tools and log all remote access sessions.

  • Monitor outbound traffic for unusual connections to known malicious IPs.

  • Configure EDR to detect remote access tools and unusual system activity.

  • Block malspam campaigns that distribute Quasar RAT.

Targeted Industries or Sectors

Quasar is used in attacks against government, energy and education. Its remote access capabilities make it suitable for espionage and data exfiltration, especially in industries where data is valuable. For example, APT10, also known as Stone Panda, used Quasar in its campaign against government entities.

Associated Threat Actors

Quasar RAT is used by multiple threat actors, including APT groups. APT10 (Stone Panda) used Quasar in its cyber espionage campaign. Its open source nature has also made it accessible to many cybercriminals, from novice hackers to organized groups.