A recent research report by Uptycs has highlighted the evolution of QuasarRAT, an open-source remote administration tool (RAT) known for its lightweight nature and range of malicious functions.
According to an advisory published on Friday by Uptycs security researcher Tejaswini Sandapolla, the C#-based tool, also referred to as CinaRAT or Yggdrasil, has been discovered employing a sophisticated technique called DLL side-loading, which exploits trusted Microsoft files to execute malicious activities.
This technique capitalizes on the inherent trust these files command within the Windows environment, making it a significant threat in the cybersecurity landscape. QuasarRAT has reportedly been openly accessible on GitHub, posing a risk to Windows users, system administrators and cybersecurity professionals.
“Such tactics are not new, but seeing them evolve and get adopted by other malware strains shows the adaptability of threat actors,” Sandapolla wrote. In fact, the attackers utilize specific trusted Microsoft files to perform this attack.
In the initial phase, QuasarRAT employs the authentic “ctfmon.exe” to load a malicious DLL, discreetly disguising its intentions. This action sets the stage for the attacker to obtain a ‘stage 1’ payload, acting as a gateway for subsequent malicious activities. The stage 1 payload then plays a dual role by releasing both the legitimate “calc.exe” file and the malevolent DLL into the system.
The attacker leverages “calc.exe,” which is not just a simple calculator application in this context. When executed, it triggers the malicious DLL, leading to the infiltration of the “QuasarRAT” payload into the computer’s memory.
Finally, within the computer’s memory, the payload employs “process hollowing” to embed itself into a legitimate system process, further concealing its malicious intentions and complicating detection.
To protect against QuasarRAT and its new capabilities, Uptycs highlighted the importance of maintaining up-to-date software and vigilant email practices, as well as implementing advanced security solutions and training individuals to recognize suspicious activities. Collaboration with cybersecurity experts and information sharing within the industry are also emphasized to stay informed about evolving threats.