Quasar RAT is a publicly available Remote Access Trojan (RAT) that primarily targets the Windows operating system. It achieves persistence through two methods, scheduled tasks and registry keys. It is distributed via phishing mails carrying malicious attachments. Quasar is written in the C# programming language.
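The two persistence locations named above are also where a defender can look first. The following PowerShell audit is an added example, not code from the original post or from the Quasar project: it enumerates the Run/RunOnce registry keys and scheduled-task actions and flags entries whose executable sits in a user-writable directory (the directory list is an assumption about where such implants commonly land, not an indicator from the page).

```powershell
# Added example (not from the original post): audit the two persistence
# mechanisms the article attributes to Quasar, Run registry keys and scheduled
# tasks, and flag entries launched from user-writable paths.
# Assumption: implants typically land under these roots; adjust for your estate.
$suspectRoots = @("$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP", "$env:PUBLIC")

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspectPath {
    param([string]$Command)
    foreach ($root in $suspectRoots) {
        # Wildcard match so quoted commands ("C:\Users\...\x.exe") still hit.
        if ($Command -and $Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry autostart values (skip the PSPath/PSParentPath metadata properties).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $findings += [pscustomobject]@{
            Source = $key; Name = $p.Name; Command = $p.Value
            Suspect = Test-SuspectPath $p.Value
        }
    }
}

# 2. Scheduled-task actions (COM-handler actions have no Execute path; skip them).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings += [pscustomobject]@{
            Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
            Command = $cmd; Suspect = Test-SuspectPath $cmd
        }
    }
}

# Review flagged entries first; the full list is useful as a baseline to diff later.
$findings | Where-Object { $_.Suspect } | Format-Table -AutoSize
```

Run it elevated so HKLM keys and all task folders are readable; a clean baseline saved from a known-good host makes later comparison straightforward.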
Quasar RAT was developed by MaxXor, a GitHub user, to be used for legitimate purposes. Its development started in July 2014 and it was originally known as xRAT; with the release of version 220.127.116.11 in August 2015, its name changed to Quasar RAT.
It supports a wide range of Windows versions, including Windows XP, Windows Server, Windows 7 and Windows 8/8.1. Its code is released under the MIT License, which allows free distribution, modification, commercialization and private use of the RAT. Since development started, the project has undergone heavy development and has been forked around 900 times.
Quasar is an important and useful tool for a number of purposes such as user support, day-to-day administrative work and employee monitoring, since it has a 'high stability and easy to use interface'. It has a number of interesting features, which are growing day by day.
WHAT CAN QUASAR RAT DO?
- Managing files (downloading, uploading, retrieving)
- Terminating and killing processes
- Capturing screenshots
- Recording webcam
- Reverse proxy
- Editing the registry
- Compression and encryption of communication
- Executing computer-related commands (restart, shutdown, standby)
- Spying on the user's actions
- Keylogging (Unicode support)
- Stealing passwords (common browsers and FTP clients)
- Opening a remote desktop connection
- Startup manager
- Remote shell
For legitimate purposes, it is a great tool and can be used for numerous day-to-day administrative tasks. However, since it is an open-source tool, attackers can also misuse it.
- Palo Alto Networks published a report in January 2017 which mentioned that Quasar RAT was delivered using the Downeks downloader in an attack by the Gaza Cybergang in September 2016. The attack is known as 'DustySky'.
- PwC published a report in April 2017 giving a detailed account of the various activities of the China-based attacker APT10. Researchers stated that the group's toolset had been renewed to incorporate open-source tools, Quasar RAT among them. The group has been using the RAT since then.
- Trend Micro reported in December 2017 on an espionage group known as Patchwork or Dropping Elephant, which targets government agencies using Quasar RAT as the payload. It was delivered via a drive-by download attack.
- Apart from Quasar, there are dozens of <a href="https://hackingblogs.com/keyloggers/">RATs</a> being developed and free to download, such as AsyncRAT, microRAT, PowershellRAT, Lime-Controller and pupyRAT.
Quasar is not the first or last remote access tool. One report from <a href="https://www.us-cert.gov/">US-CERT</a> mentions that "Quasar is a legitimate Tool which is misused by attackers for cyber-crime and cyber-espionage." We can expect the malicious use of Quasar to continue in the future.