Article Details

Scrape Timestamp (UTC): 2023-10-23 08:02:11.098

Source: https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html

Original Article Text


Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.

"This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a report published last week, detailing the malware's reliance on ctfmon.exe and calc.exe as part of the attack chain.

Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, and screenshots, and of executing arbitrary shell commands.

DLL side-loading is a popular technique adopted by many threat actors to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for. It works because, when a program loads a DLL by name alone, the default Windows search order checks the program's own directory before the system directories, so a same-named DLL placed beside the executable is the one that gets mapped. "Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process," MITRE notes in its explanation of the attack method.

The starting point of the attack documented by Uptycs is an ISO image file that contains three files: a legitimate binary named ctfmon.exe that's renamed as eBill-997358806.exe, a MsCtfMonitor.dll file that's renamed as monitor.ini, and a malicious MsCtfMonitor.dll.

"When the binary file 'eBill-997358806.exe' is run, it initiates the loading of a file titled 'MsCtfMonitor.dll' (name masqueraded) via DLL side-loading technique, within which malicious code is concealed," the researchers said.

The hidden code is another executable, "FileDownloader.exe", that's injected into Regasm.exe, the Windows Assembly Registration Tool, in order to launch the next stage: an authentic calc.exe that loads the rogue Secure32.dll, again through DLL side-loading, and launches the final Quasar RAT payload.

The trojan, for its part, establishes a connection with a remote server to send system information and even sets up a reverse proxy for remote access to the endpoint. The identity of the threat actor and the exact initial access vector used to pull off the attack are unclear, but the ISO is likely disseminated by means of phishing emails, making it imperative that users be on guard for dubious emails, links, or attachments.

Daily Brief Summary

MALWARE // Quasar RAT Malware Uses DLL Side-Loading to Stealthily Harvest Data from Windows Hosts

Quasar RAT, an open-source remote access trojan, has been using DLL side-loading to covertly extract data from compromised Windows hosts. The technique relies on the inbuilt trust that legitimate, signed Windows executables command within the Windows environment.

Also known as CinaRAT or Yggdrasil, Quasar RAT is a remote administration tool capable of collecting system data, a list of active applications, files, keystrokes, screenshots, and executing arbitrary shell commands.

DLL side-loading is frequently used by threat actors to execute their payloads by planting a spoofed DLL file with a name that a benign executable is known to be searching for.

The attack starts with an ISO image file that contains three files: a legitimate ctfmon.exe renamed as eBill-997358806.exe, a MsCtfMonitor.dll renamed as monitor.ini, and a malicious MsCtfMonitor.dll.

Running the renamed binary side-loads the malicious 'MsCtfMonitor.dll' sitting next to it. The concealed code, a downloader executable, is injected into Regasm.exe to launch a legitimate calc.exe, which in turn side-loads a rogue Secure32.dll and starts the Quasar RAT payload. The trojan then establishes a connection with a remote server to forward system data and sets up a reverse proxy for remote access to the endpoint.
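The detector below is an added example for this page and is not code from Uptycs, MITRE or the article. It turns the chain described in the article and summarized above into four checks a SOC can run over image-load telemetry: a Windows binary whose on-disk name differs from its OriginalFileName (ctfmon.exe saved as eBill-997358806.exe), a Windows utility executing outside the system directories (from an ISO mount or a temp folder), a DLL loaded from the process's own directory, and a Microsoft-signed host mapping a DLL Microsoft did not sign. The events are constructed here in the shape of Sysmon Event ID 7 (ImageLoad) joined with the process's OriginalFileName from its Event ID 1; every path, signer string, the "Acme" entries, the watch-list of binaries and the two-indicator threshold are assumptions made for the example.

```python
"""Heuristic DLL side-loading detector over constructed image-load events.

Added example; not code from Uptycs, MITRE or The Hacker News. Events are
a simplified Sysmon EID 7 record joined with the process's OriginalFileName
from EID 1. All sample values below are made up for the example.
"""
from dataclasses import dataclass

# Directories where Windows-shipped DLLs legitimately live (assumption: x64 host).
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows binaries abused in the article's chain; hypothetical watch-list.
WATCHED_LOLBINS = {"ctfmon.exe", "calc.exe", "regasm.exe"}


@dataclass(frozen=True)
class ImageLoad:
    image: str                  # process image path on disk
    process_original_name: str  # OriginalFileName from the EXE's version resource
    process_signer: str         # e.g. "Microsoft Windows"; "" if unsigned
    image_loaded: str           # DLL path that was mapped into the process
    dll_signer: str             # "" if unsigned


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _in_windows_dir(path: str) -> bool:
    return _dir(path).startswith(WINDOWS_DIRS)


def side_loading_findings(ev: ImageLoad) -> list[str]:
    """Return the indicators that fire for one event (empty list = nothing odd)."""
    findings = []
    proc_name, proc_dir = _base(ev.image), _dir(ev.image)
    dll_name, dll_dir = _base(ev.image_loaded), _dir(ev.image_loaded)

    # ctfmon.exe saved as eBill-997358806.exe: the version resource still says ctfmon.exe.
    if ev.process_original_name and ev.process_original_name.lower() != proc_name:
        findings.append(f"renamed binary: {proc_name} has OriginalFileName {ev.process_original_name}")

    # A Windows utility executing from an ISO mount, %TEMP% or a user folder.
    if ev.process_original_name.lower() in WATCHED_LOLBINS and not _in_windows_dir(ev.image):
        findings.append(f"{ev.process_original_name} running outside Windows dirs: {proc_dir}")

    # Default search order puts the application directory before System32, so a DLL
    # beside the EXE shadows the real one (unless the name is in KnownDLLs).
    if dll_dir == proc_dir and not _in_windows_dir(ev.image_loaded):
        findings.append(f"{dll_name} loaded from the process's own directory {dll_dir}")

    # A Microsoft-signed host mapping a DLL that Microsoft did not sign.
    if ev.process_signer == "Microsoft Windows" and ev.dll_signer != "Microsoft Windows":
        findings.append(f"non-Microsoft {dll_name} mapped into Microsoft-signed {proc_name}")

    return findings


def scan(events: list[ImageLoad], min_hits: int = 2) -> list[tuple[str, list[str]]]:
    """Keep events where at least `min_hits` indicators fire. A single indicator is
    noisy: many legitimate apps load their own DLLs from their install directory."""
    hits = []
    for ev in events:
        findings = side_loading_findings(ev)
        if len(findings) >= min_hits:
            hits.append((ev.image_loaded, findings))
    return hits


# Constructed sample telemetry (paths and signers are assumptions, not report data).
SAMPLE_EVENTS = [
    # Stage 1 of the article's chain: renamed ctfmon.exe on an ISO mount side-loads MsCtfMonitor.dll.
    ImageLoad(r"E:\eBill-997358806.exe", "ctfmon.exe", "Microsoft Windows",
              r"E:\MsCtfMonitor.dll", ""),
    # Later stage: a dropped calc.exe side-loads the rogue Secure32.dll.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\calc.exe", "calc.exe", "Microsoft Windows",
              r"C:\Users\alice\AppData\Local\Temp\Secure32.dll", ""),
    # Benign: the real ctfmon.exe loading the real MsCtfMonitor.dll from System32.
    ImageLoad(r"C:\Windows\System32\ctfmon.exe", "ctfmon.exe", "Microsoft Windows",
              r"C:\Windows\System32\MsCtfMonitor.dll", "Microsoft Windows"),
    # Benign: a third-party app loading its own DLL from its install directory (one indicator only).
    ImageLoad(r"C:\Program Files\Acme\acme.exe", "acme.exe", "Acme Corp",
              r"C:\Program Files\Acme\acmecore.dll", "Acme Corp"),
]


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

On the sample set the two malicious loads fire three or four indicators each while the genuine ctfmon.exe fires none and the third-party application fires only the own-directory check, which is why the threshold sits at two rather than one. The own-directory check deliberately ignores KnownDLLs: names on that list are always resolved from System32 regardless of what sits beside the executable, so a hit there would be a false positive, but MsCtfMonitor.dll is not on it.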

The identity of the threat actor and the exact initial access vector used to pull off the attack are unclear; however, the ISO is likely disseminated via phishing emails, emphasizing the need for users to be cautious of suspicious emails, links, or attachments.