The Quasar RAT, an open-source remote access trojan, has been observed employing a clever technique known as DLL side-loading to remain inconspicuous and discreetly extract data from compromised Windows systems.

This method capitalizes on the trust associated with certain files in the Windows environment. Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan detailed this in a recent report. They highlighted the malware’s reliance on files such as ctfmon.exe and calc.exe as integral components of its attack process.

Also referred to as CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool. It can collect a range of information from a system, including system details, a list of running applications, files, keystrokes, and screenshots, and it can execute arbitrary shell commands.

DLL side-loading is a technique frequently employed by threat actors to execute their own payloads. This is achieved by placing a spoofed DLL file, with a name that benign executables are known to seek, alongside the legitimate application.

MITRE, in its explanation of this attack method, notes that adversaries often employ side-loading to conceal their actions within legitimate, trusted, and potentially elevated system or software processes.

The attack’s starting point, as documented by Uptycs, is an ISO image file containing three files: a legitimate binary named ctfmon.exe, which is renamed as eBill-997358806.exe; a MsCtfMonitor.dll file, renamed as monitor.ini; and a malicious MsCtfMonitor.dll.

Running “eBill-997358806.exe” causes it to load the file masquerading as “MsCtfMonitor.dll” via DLL side-loading. That DLL conceals malicious code; the researchers confirmed it carries another executable, “FileDownloader.exe,” which is injected into Regasm.exe, the Windows Assembly Registration Tool, to start the next stage. That stage launches a genuine calc.exe, which once again side-loads a rogue Secure32.dll and ultimately delivers the final Quasar RAT payload.

For its part, the trojan connects to a remote server to transmit system information and even sets up a reverse proxy for remote access to the compromised endpoint.
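As an added example (not from the Uptycs report or this post), here is a small detection over constructed image-load records of the kind Sysmon's image-load events carry: it flags the two DLL names from the chain above when they are loaded from outside the Windows system directories and notes when the host binary has been renamed. The record field names, the sample OriginalFileName values, and the assumption that legitimate copies of these DLLs live under System32/SysWOW64 are all mine, not the report's.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Directories where the legitimate copies of these DLLs are expected (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Host binary (by OriginalFileName) -> DLL it side-loads in the chain described above.
SIDELOAD_PAIRS = {"ctfmon.exe": "msctfmonitor.dll", "calc.exe": "secure32.dll"}


@dataclass
class ImageLoad:
    process_path: str        # path of the executable doing the loading
    original_file_name: str  # OriginalFileName from the executable's version resource
    image_loaded: str        # full path of the DLL being loaded


def is_suspicious(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load matches the side-loading pattern, else None."""
    orig = ev.original_file_name.lower()
    dll_dir, dll_name = ntpath.split(ev.image_loaded.lower())
    if SIDELOAD_PAIRS.get(orig) != dll_name:
        return None
    # Legitimate loads of these DLLs come from a Windows system directory.
    if (dll_dir + "\\").startswith(SYSTEM_DIRS):
        return None
    reasons = [f"{dll_name} loaded from non-system directory {dll_dir}"]
    # In the report the host ctfmon.exe was renamed to eBill-997358806.exe.
    host = ntpath.basename(ev.process_path).lower()
    if host != orig:
        reasons.append(f"host renamed: {host} is really {orig}")
    return "; ".join(reasons)


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (process_path, reason) for every suspicious load."""
    hits = []
    for ev in events:
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev.process_path, reason))
    return hits


# Constructed sample records (not real telemetry); the OriginalFileName values are assumed.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\ctfmon.exe", "CTFMON.EXE", r"C:\Windows\System32\MsCtfMonitor.dll"),
    ImageLoad(r"D:\eBill-997358806.exe", "CTFMON.EXE", r"D:\MsCtfMonitor.dll"),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\calc.exe", "CALC.EXE", r"C:\Users\u\AppData\Local\Temp\Secure32.dll"),
    ImageLoad(r"C:\Program Files\App\app.exe", "APP.EXE", r"C:\Program Files\App\helper.dll"),
]
if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"{path}: {reason}")
```

Only the second and third sample records are flagged; the first is a normal ctfmon.exe load from System32 and the last involves neither DLL.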

While the identity of the threat actor and the precise method of initial access used for this attack remain unclear, it is likely disseminated through phishing emails. Therefore, it is crucial for users to remain vigilant when dealing with suspicious emails, links, or attachments.
