Quasar rat
Palo Alto Networks Traps Advanced Endpoint Protection recently prevented attacks that we believe are part of a campaign linked to DustySky. DustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets government interests in the region. This report shares our researchers' analysis of the attack and of the Remote Access Tool (RAT) used in it. We also discovered during our research that the RAT server used by this attacker is itself vulnerable to remote attack, a double-edged sword for these attackers.

The initial infection vector in this attack is not clear, but it results in installing the "Downeks" downloader, which in turn infects the victim computer with the "Quasar" RAT.

Downeks uses third-party websites to determine the external IP of the victim machine, possibly to determine the victim's location with GeoIP. It also drops decoy documents in an attempt to camouflage the attack. The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.

QUASAR RAT CODE

Unit 42 researchers observed the Quasar RAT being prevented from executing on a Traps-protected client in September 2016.

SHA256: 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42

Further research found other Quasar examples, including an attack earlier that month in 2016 on the same target:

We found the same Quasar code in an additional attack on the same day, but upon a different target. A second Quasar sample was also observed attacking this new victim:

We do not have detailed visibility into the specific host attacked, and have not been able to reproduce the second stage of the attack in our lab. However, based upon the timeframe of subsequent telemetry we observe, we understand the attack chain as follows:

  • The initial dropper (which varies across attacks) is delivered to the victim via email or web. File name: Joint Ministerial Council between the GCC and the EU Council.exe
  • The initial dropper, upon execution, extracts an embedded Downeks instance.
  • Downeks makes a POST request to dw.downloadtestingcom, resulting in the installation of the Quasar RAT on the victim machine.
  • Additional Downeks downloaders connecting to the previously-observed server dw.downloadtestingcom were also found in this attack:

SHA256: 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740

Further research identified dozens of Downeks and Quasar samples related to these attackers. All included decoy documents written in Arabic (all related to Middle Eastern politics) or Hebrew. Most of them use the same mutex structure, share the same fake icon and unique metadata details, file writes, registry operations, and fake common program metadata, as seen in DustySky samples.

The Downeks downloader and Quasar C2 infrastructures are each self-contained and independent of each other. However, we did find a single shared IP address demonstrably connecting the Downeks downloader and Quasar C2 infrastructures. The chart below (Figure 1) shows Quasar infrastructure (top), Downeks (bottom), and the shared IP link.

Charting the samples and infrastructure clearly shows the separate Downeks campaigns, and the infrastructure links between them (Figure 2):

Figure 2 - Infrastructure Patterns and Connections

In Figure 2, top-right (green) is the Quasar infrastructure (Figure 3), with a link to the Downeks infrastructure. Left (yellow) is the DustySky infrastructure (Figure 4) and its links to this Downeks campaign. As well as similarities in the code, decoys and targets, we also identified C2 infrastructure links between DustySky and this campaign. The remainder is sub-campaigns of Downeks samples, their infrastructure, their links, and a favored ISP (center) (Figure 5).
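The infrastructure-link analysis described above (two C2 infrastructures that are each self-contained, joined by a single shared IP address) can be reproduced mechanically from sample-to-domain and domain-to-IP observations. The Python below is an added example written for this page, not code from the Unit 42 report or from the Quasar or Downeks projects. Every sample name, domain and IP address in it is a constructed placeholder (documentation ranges, .test domains), and the graph-plus-BFS approach is one analyst's way of doing the pivot, not the report's own method.

```python
"""Find infrastructure nodes shared between two malware-family clusters.

Added example; none of the identifiers below are real indicators.
Each observation is (family, sample_id, c2_domain, resolved_ip), the
kind of record you would pull from sandbox C2 logs plus passive DNS.
"""
from collections import defaultdict, deque

# Constructed telemetry. Downeks and Quasar each have their own domains
# and IPs; one IP (198.51.100.11) is resolved by a domain of each family.
OBSERVATIONS = [
    ("downeks", "downeks-sample-1", "dl.example-downeks.test", "198.51.100.10"),
    ("downeks", "downeks-sample-2", "dl.example-downeks.test", "198.51.100.10"),
    ("downeks", "downeks-sample-3", "up.example-downeks.test", "198.51.100.10"),
    ("downeks", "downeks-sample-3", "up.example-downeks.test", "198.51.100.11"),
    ("quasar",  "quasar-sample-1",  "c2.example-quasar.test",  "203.0.113.5"),
    ("quasar",  "quasar-sample-2",  "c2.example-quasar.test",  "203.0.113.5"),
    ("quasar",  "quasar-sample-2",  "c2.example-quasar.test",  "198.51.100.11"),
    ("quasar",  "quasar-sample-3",  "srv.example-quasar.test", "203.0.113.5"),
]


def build_graph(observations, exclude=frozenset()):
    """Undirected graph sample -- domain -- ip.

    Returns (adjacency, families_by_node). Nodes named in `exclude` are
    left out entirely, which lets a caller test whether one node is the
    sole bridge between clusters.
    """
    adj = defaultdict(set)
    families_by_node = defaultdict(set)
    for family, sample, domain, ip in observations:
        adj.setdefault(sample, set())  # keep the sample even if edges are excluded
        for a, b in ((sample, domain), (domain, ip)):
            if a in exclude or b in exclude:
                continue
            adj[a].add(b)
            adj[b].add(a)
        for node in (domain, ip):
            if node not in exclude:
                families_by_node[node].add(family)
    return adj, families_by_node


def shared_infrastructure(observations):
    """Domains or IPs used by more than one family, sorted."""
    _, families_by_node = build_graph(observations)
    return sorted(n for n, fams in families_by_node.items() if len(fams) > 1)


def connected_components(observations, exclude=frozenset()):
    """Count connected components; 1 means every sample is linked."""
    adj, _ = build_graph(observations, exclude)
    seen, count = set(), 0
    for start in adj:
        if start in seen:
            continue
        count += 1
        queue = deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return count


def link_path(observations, src, dst):
    """Shortest pivot chain from one sample to another, or None if unlinked."""
    adj, _ = build_graph(observations)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    shared = shared_infrastructure(OBSERVATIONS)
    print("shared infrastructure:", shared)
    print("components with shared nodes:", connected_components(OBSERVATIONS))
    print("components without them:",
          connected_components(OBSERVATIONS, exclude=frozenset(shared)))
    print("pivot path:", " -> ".join(
        link_path(OBSERVATIONS, "downeks-sample-3", "quasar-sample-2")))
```

Run as-is it reports the one shared IP, shows that the graph is a single component only while that IP is present (two components once it is excluded), and prints the sample-to-domain-to-IP-to-domain-to-sample chain that an analyst would put on the chart. A shared IP on its own is weak evidence when the address belongs to shared hosting or a CDN, which is why the report pairs the infrastructure link with the code, decoy and targeting similarities it describes; corroborate the same way before treating two clusters as one actor.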