Quasar RAT Exploits DLL Side-Loading for Covert Operations

The open-source Quasar RAT, a remote access trojan, has been observed employing DLL side-loading to operate covertly and extract data from compromised Windows systems. 

This tactic capitalizes on the trust placed in specific files in the Windows environment, ctfmon.exe and calc.exe, as outlined in a recent report by Uptycs researchers.

More About Quasar RAT

Quasar RAT, also known as CinaRAT or Yggdrasil, is a C#-based remote administration tool with capabilities such as system information collection, monitoring running applications, file retrieval, keystroke logging, capturing screenshots, and executing arbitrary shell commands.

What is DLL side-loading?

DLL side-loading is a prevalent method employed by various threat actors to execute their payloads by inserting a spoofed DLL file with a name that executables typically seek. 

This approach allows adversaries to mask their activities under legitimate, trusted, and potentially elevated system or software processes, as defined by MITRE.

Methodology to Execute

The attack commences with an ISO image file containing three components: 

  • a genuine binary named ctfmon.exe, renamed as “eBill-997358806.exe,” 
  • a genuine MsCtfMonitor.dll file, renamed as “monitor.ini,” and 
  • a malicious MsCtfMonitor.dll. 

When the binary “eBill-997358806.exe” is executed, it loads the malicious “MsCtfMonitor.dll” (which carries the name the binary expects) through the DLL side-loading technique, with the malicious code concealed within. 

This hidden code is another executable, “FileDownloader.exe,” injected into Regasm.exe (the Windows Assembly Registration Tool) to initiate the subsequent phase, which involves an authentic calc.exe file loading the rogue Secure32.dll once more via DLL side-loading to introduce the final Quasar RAT payload.

The trojan then establishes connections with a remote server to transmit system information and configures a reverse proxy for remote access to the compromised endpoint.
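As an added defender-side example (not from the article or from Uptycs), the following Python flags the two observable signs of the chain above in Sysmon-style telemetry: a trusted binary running under a different name, and its expected DLL being loaded from outside the system directories. The event field names and the sample lines are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Legitimate host binaries abused in the chain, mapped to the DLL name each is
# expected to load; the attacker plants a same-named DLL beside a copied binary.
EXPECTED_DLLS = {"ctfmon.exe": {"msctfmonitor.dll"}, "calc.exe": {"secure32.dll"}}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(event):
    """Return findings for one Sysmon-style event (empty list = nothing suspicious)."""
    findings = []
    image = PureWindowsPath(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    if event["EventType"] == "ProcessCreate":
        # OriginalFileName comes from the PE version info, so a trusted binary that was
        # copied and renamed (ctfmon.exe running as eBill-*.exe) stands out.
        if original in EXPECTED_DLLS and image.name.lower() != original:
            findings.append(f"renamed system binary: {original} running as {image.name}")
    elif event["EventType"] == "ImageLoad":
        # The DLL the binary expects, but loaded from outside the system directories.
        loaded = PureWindowsPath(event["ImageLoaded"])
        if loaded.name.lower() in EXPECTED_DLLS.get(original, set()) and not in_system_dir(str(loaded)):
            findings.append(f"{original} side-loaded {loaded.name} from {loaded.parent}")
    return findings


def scan(lines):
    """Run check_event over newline-delimited JSON events and collect all findings."""
    return [f for line in lines if line.strip() for f in check_event(json.loads(line))]


# Constructed sample events mirroring the chain in the article (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventType": "ProcessCreate", "Image": "E:\\eBill-997358806.exe", "OriginalFileName": "CTFMON.EXE"}
{"EventType": "ImageLoad", "Image": "E:\\eBill-997358806.exe", "OriginalFileName": "CTFMON.EXE", "ImageLoaded": "E:\\MsCtfMonitor.dll"}
{"EventType": "ImageLoad", "Image": "C:\\Windows\\System32\\ctfmon.exe", "OriginalFileName": "CTFMON.EXE", "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll"}
{"EventType": "ImageLoad", "Image": "C:\\Users\\Public\\calc.exe", "OriginalFileName": "CALC.EXE", "ImageLoaded": "C:\\Users\\Public\\Secure32.dll"}
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The third sample line (the real ctfmon.exe loading its DLL from System32) produces no finding, which is the baseline the rule must stay quiet on.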

Although the threat actor’s identity and the precise initial access vector used to execute the attack remain uncertain, it is likely that the dissemination occurs through phishing emails. 

Therefore, you must exercise caution when encountering suspicious emails, links, or attachments.

What More Could You Expect?

When such advanced tactics are persistently deployed, the results could be severe. Organizations and individuals would face an increased risk of data breaches, system compromises, and unauthorized access to critical assets. 

The potential fallout may involve substantial financial losses, reputational damage, and legal consequences.

It becomes crucial to bolster endpoint security, employ robust threat detection and response strategies, and continually update security protocols to cater to such insidious cyber intrusions.

Author: Marrium Akhtar

Date: October 24, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
