S0262 QuasarRAT
QuasarRAT is an open-source remote access tool that has been publicly available on GitHub since at least 2014. It is written in C#.[3][4]
Item | Value |
---|---|
ID | S0262 |
Associated Names | xRAT |
Type | TOOL |
Version | 2.0 |
Created | 17 October 2018 |
Last Modified | 02 August 2022 |
Associated Software Descriptions
Name | Description |
---|---|
xRAT | [2][1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | QuasarRAT can generate a UAC pop-up window to prompt the target user to run a command as administrator.[5] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | If the QuasarRAT client process does not have administrator privileges, it adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3][5] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | QuasarRAT can launch a remote shell to execute commands on the victim's machine.[3][5] |
enterprise | T1555 | Credentials from Password Stores | QuasarRAT can obtain passwords from common FTP clients.[3][4] |
enterprise | T1555.003 | Credentials from Web Browsers | QuasarRAT can obtain passwords from common web browsers.[3][4] |
enterprise | T1005 | Data from Local System | QuasarRAT can retrieve files from compromised client machines.[5] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication; because the key is embedded in the client, it can be recovered from a captured sample and used to decrypt that build's traffic.[3][4][5] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | QuasarRAT can set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.[5] |
enterprise | T1564.003 | Hidden Window | QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with the user-agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A, even though QuasarRAT only runs on Windows systems.[5] |
enterprise | T1105 | Ingress Tool Transfer | QuasarRAT can download files to the victim's machine and execute them.[3][4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | QuasarRAT has a built-in keylogger.[3][4] |
enterprise | T1112 | Modify Registry | QuasarRAT has a command to edit the Registry on the victim's machine.[3][5] |
enterprise | T1095 | Non-Application Layer Protocol | QuasarRAT can use TCP for C2 communication.[5] |
enterprise | T1571 | Non-Standard Port | QuasarRAT clients can call back to the C2 server over TCP on port 4782, the tool's default C2 port.[5] |
enterprise | T1090 | Proxy | QuasarRAT can communicate over a reverse proxy using SOCKS5.[3][4] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | QuasarRAT has a module for remote desktop access.[3][4] This is the tool's own screen-streaming feature carried over its C2 connection rather than a Windows RDP session, so it does not appear as inbound traffic on TCP 3389. |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks to maintain persistence across reboots.[4][5] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | A QuasarRAT .dll file is digitally signed with a certificate from AirVPN.[4] |
enterprise | T1082 | System Information Discovery | QuasarRAT can gather system information from the victim's machine, including the OS type.[3] |
enterprise | T1614 | System Location Discovery | QuasarRAT can determine the country in which a victim host is located.[5] |
enterprise | T1016 | System Network Configuration Discovery | QuasarRAT can enumerate the host's Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org, observed with the user-agent string Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0.[5] |
enterprise | T1033 | System Owner/User Discovery | QuasarRAT can enumerate the username and account type.[5] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | QuasarRAT can obtain passwords from FTP clients.[3][4] |
enterprise | T1125 | Video Capture | QuasarRAT can perform webcam viewing.[3][4] |
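The table lists several observables a defender can act on directly: the per-user Run value written by an unprivileged client (T1547.001), the macOS Safari user-agent sent from a Windows host for hidden requests (T1564.003), and the WAN IP lookups against ip-api[.]com, freegeoip[.]net and api[.]ipify[.]org with the Firefox/48.0 user-agent (T1016). The Python below is an added example that turns those three rows into triage checks; it is not code from the ATT&CK page or from the Quasar project. The registry events (a flat rendering of Sysmon EventID 13), the proxy log lines, the value name `Client Startup`, the addresses and the `HOST_OS` asset inventory are all constructed for the example.

```python
"""Triage helpers for QuasarRAT host and network observables.

Added example; not code from the ATT&CK page or from the Quasar project.
The log formats and the asset inventory below are constructed for this
example (assumptions), not the output of any particular product.
"""
import re

# --- Constructed sample input -------------------------------------------

# Registry value-set events rendered as flat "key=value" text. Assumption:
# this mimics Sysmon EventID 13, where per-user hives appear as HKU\<SID>.
REGISTRY_EVENTS = """\
EventID=13 Image=C:\\Users\\alice\\AppData\\Roaming\\svc\\client.exe TargetObject=HKU\\S-1-5-21-11-22-33-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Startup Details=C:\\Users\\alice\\AppData\\Roaming\\svc\\client.exe
EventID=13 Image=C:\\Windows\\System32\\msiexec.exe TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray Details="C:\\Program Files\\Vendor\\tray.exe" -quiet
EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-11-22-33-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details=DWORD (0x00000002)
"""

# Web proxy log, tab-separated: timestamp, source IP, destination host, UA.
PROXY_LOG = (
    "2022-08-02T10:01:05Z\t10.0.0.5\tip-api.com\t"
    "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0\n"
    "2022-08-02T10:01:09Z\t10.0.0.5\twww.example.com\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 "
    "(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A\n"
    "2022-08-02T10:02:00Z\t10.0.0.7\twww.example.com\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/102.0\n"
    "2022-08-02T10:03:00Z\t10.0.0.9\tapi.ipify.org\tcurl/7.81.0\n"
)

# Hypothetical asset inventory: OS per internal address (assumption).
HOST_OS = {"10.0.0.5": "Windows", "10.0.0.7": "Windows", "10.0.0.9": "Linux"}

# --- T1547.001: Run-key persistence written by an unprivileged client ----

REG_EVENT_RE = re.compile(
    r"EventID=(\d+) Image=(.*?) TargetObject=(.*?) Details=(.*)$")
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)


def flag_run_key_persistence(events):
    """Return Run-key writes that look like unprivileged malware persistence."""
    findings = []
    for line in events.splitlines():
        m = REG_EVENT_RE.match(line)
        if not m or m.group(1) != "13":
            continue
        _, image, target, details = m.groups()
        if not RUN_KEY_RE.search(target):
            continue
        # Sysmon records the current-user hive as HKU\<SID>; treat both
        # spellings as the per-user (HKCU) Run key.
        hive = "HKCU" if target.upper().startswith(("HKU\\", "HKCU\\")) else "HKLM"
        reasons = []
        if hive == "HKCU":
            reasons.append("per-user Run key (no admin rights needed)")
        if USER_WRITABLE_RE.search(details):
            reasons.append("value data points into a user-writable directory")
        if USER_WRITABLE_RE.search(image):
            reasons.append("written by a process running from a user-writable directory")
        if reasons:
            findings.append({"hive": hive, "value": target.rsplit("\\", 1)[-1],
                             "data": details, "reasons": reasons})
    return findings

# --- T1016 / T1564.003: IP-lookup requests and OS/user-agent mismatch ----

IP_LOOKUP_HOSTS = {"ip-api.com", "freegeoip.net", "api.ipify.org"}
QUASAR_LOOKUP_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"


def flag_proxy_requests(log, host_os):
    """Return proxy requests matching the network observables in the table."""
    findings = []
    for line in log.splitlines():
        ts, src, host, ua = line.split("\t", 3)
        reasons = []
        if host.lower() in IP_LOOKUP_HOSTS:
            reasons.append("request to an external-IP lookup service")
            if ua == QUASAR_LOOKUP_UA:
                reasons.append("user-agent matches the string reported for QuasarRAT")
        # A macOS Safari user-agent from a host the inventory says is Windows
        # is the kind of mismatch the hidden-request feature produces.
        if "Macintosh" in ua and host_os.get(src) == "Windows":
            reasons.append("macOS user-agent from a Windows asset")
        if reasons:
            findings.append({"time": ts, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_run_key_persistence(REGISTRY_EVENTS):
        print("REGISTRY", f)
    for f in flag_proxy_requests(PROXY_LOG, HOST_OS):
        print("NETWORK", f)
```

On the sample input, the first registry event is flagged on all three counts (per-user hive, value data under AppData, writer running from AppData) while the HKLM write by msiexec.exe is not; on the proxy side the ip-api.com request with the Firefox/48.0 string scores highest, the Safari/macOS user-agent from a Windows asset is flagged on the mismatch alone, and a plain curl lookup from a Linux box is reported only as an IP-lookup request. Real Sysmon output is XML and real proxy logs carry more fields, so the parsing would change; the three checks do not.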
Groups That Use This Software
ID | Name | References |
---|---|---|
G0078 | Gorgon Group | [6] |
G0135 | BackdoorDiplomacy | [7] |
G0040 | Patchwork | [2][4] |
G0140 | LazyScripter | [8] |
G0045 | menuPass | [9][10][1] |
References
1. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
2. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
3. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
4. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
5. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
6. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
7. Burgher, A. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
8. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
9. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
10. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.