S0262 QuasarRAT
QuasarRAT is an open-source remote access tool that is publicly available on GitHub. QuasarRAT is developed in C#. [3][4]
Item | Value |
---|---|
ID | S0262 |
Associated Names | xRAT |
Type | TOOL |
Version | 1.3 |
Created | 17 October 2018 |
Last Modified | 06 April 2022 |
Associated Software Descriptions
Name | Description |
---|---|
xRAT | [2][1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | QuasarRAT can launch a remote shell to execute commands on the victim’s machine. [3] |
enterprise | T1555 | Credentials from Password Stores | QuasarRAT can obtain passwords from common FTP clients. [3][4] |
enterprise | T1555.003 | Credentials from Web Browsers | QuasarRAT can obtain passwords from common web browsers. [3][4] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | QuasarRAT uses AES to encrypt network communication. [3][4] |
enterprise | T1105 | Ingress Tool Transfer | QuasarRAT can download files to the victim’s machine and execute them. [3][4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | QuasarRAT has a built-in keylogger. [3][4] |
enterprise | T1112 | Modify Registry | QuasarRAT has a command to edit the Registry on the victim’s machine. [3] |
enterprise | T1090 | Proxy | QuasarRAT can communicate over a reverse proxy using SOCKS5. [3][4] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | QuasarRAT has a module for performing remote desktop access. [3][4] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot. [4] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | A QuasarRAT .dll file is digitally signed by a certificate from AirVPN. [4] |
enterprise | T1082 | System Information Discovery | QuasarRAT has a command to gather system information from the victim’s machine. [3] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | QuasarRAT can obtain passwords from FTP clients. [3][4] |
enterprise | T1125 | Video Capture | QuasarRAT can perform webcam viewing. [3][4] |
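Detection logic for the T1053.005 entry above, as an added example that is not part of this ATT&CK page and is not QuasarRAT's own code. It triages Windows Security events 4698 (scheduled task created) and 4702 (scheduled task updated) and flags a task whose action runs a binary from a user-writable directory on a boot or logon trigger, which is the persistence-on-reboot pattern the table describes. The event IDs and the Task Scheduler XML namespace are real; the task names, paths, user names and event records are constructed placeholders, not known QuasarRAT indicators.

```python
"""Triage Windows Security events 4698/4702 for scheduled-task persistence
(ATT&CK T1053.005): an action run from a user-writable path at boot or logon.

Added example; not QuasarRAT code and not taken from ATT&CK. SAMPLE_EVENTS
below is constructed test data; task names, paths and users are invented.
"""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler definitions (the TaskContent field of 4698/4702).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to. A persistence binary staged here
# is far more interesting than one under System32 or Program Files.
USER_WRITABLE_MARKERS = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%programdata%", "%public%",
    "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\",
)
# Triggers that re-run the action after a reboot or a user logon.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger"}
TASK_EVENT_IDS = {4698, 4702}  # created, updated


def parse_task_content(task_xml: str) -> dict:
    """Extract the Exec command, its arguments and the trigger types from task XML."""
    root = ET.fromstring(task_xml)
    cmd = root.findtext("./t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext("./t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    triggers_el = root.find("./t:Triggers", TASK_NS)
    # Child tags look like "{namespace}LogonTrigger"; keep only the local name.
    triggers = [] if triggers_el is None else [el.tag.rsplit("}", 1)[-1] for el in triggers_el]
    return {"command": cmd.strip(), "arguments": args.strip(), "triggers": triggers}


def is_user_writable(command: str) -> bool:
    """True if the command path sits under a directory a normal user can write to."""
    path = command.strip().strip('"').lower()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def triage_task_events(events: list) -> list:
    """Return one finding per task event that matches the persistence pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in TASK_EVENT_IDS:
            continue
        task = parse_task_content(ev["TaskContent"])
        persistent = PERSISTENCE_TRIGGERS.intersection(task["triggers"])
        if persistent and is_user_writable(task["command"]):
            findings.append({
                "task_name": ev["TaskName"],
                "created_by": ev["SubjectUserName"],
                "command": task["command"],
                "triggers": sorted(persistent),
                "technique": "T1053.005",
            })
    return findings


def _task_xml(trigger: str, command: str) -> str:
    """Build a minimal Task Scheduler definition (constructed test data only)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        "</Task>"
    )


# Constructed events, not captured telemetry. Only the second one should fire:
# a logon-triggered task running from %APPDATA%. The third runs at boot but from
# Program Files; the fourth is a process-creation event, not a task event.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("CalendarTrigger", "%windir%\\system32\\defrag.exe")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Updater",
     "TaskContent": _task_xml("LogonTrigger", '"%APPDATA%\\SubDir\\Client.exe"')},
    {"EventID": 4702, "SubjectUserName": "SYSTEM", "TaskName": "\\Backup",
     "TaskContent": _task_xml("BootTrigger", "C:\\Program Files\\Backup\\backup.exe")},
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for f in triage_task_events(SAMPLE_EVENTS):
        print(f"[{f['technique']}] task {f['task_name']} by {f['created_by']}: "
              f"{f['command']} on {', '.join(f['triggers'])}")
```

Tune USER_WRITABLE_MARKERS to the environment: software that legitimately installs per-user under %LOCALAPPDATA% will match, so pair the rule with an allowlist of known task names or signer checks rather than alerting on the path alone.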
Groups That Use This Software
ID | Name | References |
---|---|---|
G0078 | Gorgon Group | [5] |
G0140 | LazyScripter | [6] |
G0040 | Patchwork | [2][4] |
G0045 | menuPass | [7][8][1] |
G0135 | BackdoorDiplomacy | [9] |
References
1. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
2. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
3. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
4. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
5. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
6. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
7. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
8. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
9. Burgher, A. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.