This Analysis Report provides information on Quasar's functions and features, along with recommendations for preventing and mitigating Quasar activity. Quasar is authored by GitHub user MaxXor and publicly hosted as a GitHub repository. While the tool can be used for legitimate purposes (e.g., an organization's helpdesk technician remotely accessing an employee's laptop), the Cybersecurity and Infrastructure Security Agency (CISA) is aware of APT actors using Quasar for cybercrime and cyber espionage campaigns.

Quasar was first released in July 2014 as xRAT 2.0. In August 2015, xRAT was renamed Quasar and released as v1.0.0.0. For this report, the National Cybersecurity and Communications Integration Center (NCCIC), part of CISA, analyzed Quasar version 1.3.0.0, which was released on September 28, 2016, and is the latest stable version available on GitHub.

NCCIC has not determined the exact differences between the APT actor-modified versions and v1.3.0.0. Therefore, NCCIC cannot definitively say whether the detection and mitigation recommendations provided in this report will work effectively against APT actor-modified versions of Quasar.

High-Level Architecture

Quasar uses a client-server architecture that enables one user to remotely access many clients. The server is responsible for creating client binaries and managing client connections. Users then interact with connected clients through the server's graphical user interface (GUI).

Note: Quasar does not contain software vulnerability exploits. Threat actors must leverage other tools or methods to gain access to a target host before they can use Quasar.

Requirements

Quasar requires a Microsoft .NET Framework 4.0 (or higher) Client Profile.

Quasar Server

Quasar users interact with the server and, in turn, its clients, through the GUI. Each client's entry is listed individually and includes the client's Internet Protocol (IP) address, username, Quasar client version, connection status, user status, country, OS, and account type. The Quasar user initiates client interactions by right-clicking an individual client row, which opens a pop-up menu with available commands.

Figure 1: Screenshot of a Quasar server with a connected client

The server component builds client executables that the Quasar user can run on target hosts. The client builder feature allows the Quasar user to select from different options and attributes (see table 1).

Table 1: Quasar client builder feature options and attributes

| Option | Default | Description |
|---|---|---|
| Basic settings | | |
| Client tag | None | Represents the name for the client instance. This value is displayed in the connection table (see figure 1) of the Quasar server GUI once the client connects |
| Mutex | QSRMUTEX followed by an 18-character upper- and lowercase alphanumeric string | Sets the file mutual exclusion object (mutex) to prevent the same host from being infected multiple times |
| Connection settings | | |
| Callback IP | None | Sets the server IP for the client connection |
| Callback domain | None | Sets the domain for the client connection |
| Callback port | 4782 | Sets the Transmission Control Protocol (TCP) port to call back on |
| Password | 1234 | Sets the password for Advanced Encryption Standard (AES) encryption |
| Connection retry | 300ms | Sets how often the client will attempt to call back if it is not connected |
| Installation settings | | |
| Install client | Off | Sets the default for whether or not the client will install on a host |
| Base installation paths | AppData, Program Files*, Windows\SysWOW64* | The location where the client file will be installed on a host. Starred items (*) require administrator privileges |
| Install subdirectory | SubDir | Makes a customizable subdirectory within the base installation path |
| Install name | Client | The name of the client file (free text field). This file must be .exe |
| Run client when the computer starts | Off | A checkbox that, if checked, adds the Quasar client as an AutoRun via Registry Key or Scheduled Task |
| Startup name | Quasar Client Startup | Customizable free text field |

The Quasar user can also set metadata to be embedded in the executable, such as the author, organization, copyright, year, and version.

Quasar Client

Quasar client instances are built by the server component. Based on multiple client builds, each with different configurations, the client size is consistently 349KB. Once it is distributed to a target host, the client needs to be executed before it can call back to the server. Client execution is invisible to the target host user and does not generate any visible windows or notifications on the target host, except in cases where the client becomes unresponsive. Once running on a target host, the client process is visible to the target host user via Windows Task Manager or a similar process management program.
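The builder defaults in Table 1 (mutex format, callback port 4782, install path SubDir\Client.exe, startup name "Quasar Client Startup" via Run key or scheduled task) are exactly what a defender can hunt for on endpoints where the operator did not bother to change them. The script below is an added example, not part of the report or of the Quasar project: it scores constructed endpoint telemetry records against those defaults and flags hosts that match two or more of them. The record schema and the optional underscores in the mutex pattern are assumptions.

```python
import re

# Quasar 1.3.0.0 client builder defaults taken from Table 1 of the report.
DEFAULT_PORT = 4782
DEFAULT_BASES = ("\\appdata\\", "\\program files\\", "\\windows\\syswow64\\")
DEFAULT_FILE = "\\subdir\\client.exe"           # install subdirectory + install name
DEFAULT_STARTUP_NAME = "quasar client startup"  # Run key / scheduled task name
# Report gives the prefix as QSRMUTEX plus an 18-character mixed-case alphanumeric
# string; allowing optional underscores is an assumption, not from the report.
MUTEX_RE = re.compile(r"^QSR_?MUTEX_?[A-Za-z0-9]{18}$")


def _is_default_install_path(path: str) -> bool:
    p = path.lower()
    return p.endswith(DEFAULT_FILE) and any(b in p for b in DEFAULT_BASES)


def match_indicators(rec: dict) -> list:
    """Return the Table 1 defaults that one telemetry record matches."""
    hits, kind = [], rec.get("kind")
    if kind == "process" and _is_default_install_path(rec.get("path", "")):
        hits.append("default_install_path")
    if kind == "mutex" and MUTEX_RE.match(rec.get("name", "")):
        hits.append("default_mutex_format")
    if kind == "netconn" and rec.get("dst_port") == DEFAULT_PORT:
        hits.append("default_callback_port")
    if kind in ("autorun", "schtask") and rec.get("name", "").lower() == DEFAULT_STARTUP_NAME:
        hits.append(f"default_startup_name_{kind}")
    return hits


def triage(records: list) -> dict:
    """Group hits per host; report hosts matching at least two distinct defaults."""
    per_host = {}
    for rec in records:
        for hit in match_indicators(rec):
            per_host.setdefault(rec["host"], set()).add(hit)
    return {h: sorted(v) for h, v in per_host.items() if len(v) >= 2}


# Constructed sample telemetry (assumed schema, not real captures).
SAMPLE = [
    {"host": "ws01", "kind": "process", "path": r"C:\Users\bob\AppData\Roaming\SubDir\Client.exe"},
    {"host": "ws01", "kind": "mutex", "name": "QSRMUTEXaB3dE5fG7hJ9kL1mN2"},
    {"host": "ws01", "kind": "netconn", "dst_port": 4782, "dst_ip": "203.0.113.10"},
    {"host": "ws02", "kind": "autorun", "name": "Quasar Client Startup", "hive": "HKCU"},
    {"host": "ws03", "kind": "netconn", "dst_port": 443},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

A rebuilt client with custom values slips past these string matches, so treat them as a cheap first filter, not a full detection.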