Rewterz Threat Alert – AsyncRAT – Active IOCs
October 29, 2023
Severity
Medium
Analysis Summary
Quasar RAT is an open-source remote access trojan that was recently observed using DLL side-loading to stealthily steal data from infected Windows computers. It also goes by the names CinaRAT and Yggdrasil.
It is a C#-based remote administration tool capable of harvesting system information, files, the list of running programs, screenshots, and keystrokes, and of executing arbitrary shell commands. DLL side-loading is a technique commonly used by threat actors to execute their payloads: a spoofed DLL is placed where a harmless, legitimate executable will find it, under the exact file name that executable searches for at load time.
The attack starts with an ISO image file containing three files: a MsCtfMonitor.dll file renamed to monitor.ini, the legitimate binary ctfmon.exe renamed to eBill-997358806.exe, and a malicious MsCtfMonitor.dll file.
“When the binary file ‘eBill-997358806.exe’ is run, it initiates the loading of a file titled ‘MsCtfMonitor.dll’ (name masqueraded) via DLL side-loading technique, within which malicious code is concealed,” said the researchers.
The concealed code carries another executable, “FileDownloader.exe”, which is injected into the Windows Assembly Registration Tool, Regasm.exe. This launches the next stage of the infection, in which an authentic calc.exe loads a rogue Secure32.dll by the same side-loading technique, resulting in the launch of the final Quasar RAT payload.
The trojan then establishes a connection to a remote C2 server, sends system information to the actors, and sets up a reverse proxy for remote access to the compromised system.
The exact initial access attack vector and the identity of the threat actor are currently unknown. Researchers believe it is most likely through phishing emails, which makes it clear that users should be cautious about emails from unknown senders and clicking on suspicious links and attachments.
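The two side-loading steps above (a renamed ctfmon.exe loading MsCtfMonitor.dll from the ISO, then calc.exe loading Secure32.dll) share a detectable shape: a DLL whose name belongs to a Windows component is loaded from outside the system directories, or by a host whose on-disk name does not match the binary that legitimately imports it. The check below is an added example written for this alert, not Rewterz's own tooling; the event records are constructed, with field names borrowed from Sysmon image-load events, and the ProcessOriginalFileName enrichment field is an assumption, not a standard Sysmon field.

```python
import ntpath  # Windows path handling regardless of the analysis host OS

# DLL names abused in this chain, mapped to the legitimate Windows binary that
# normally loads each one (both hosts are named in the alert above).
SIDELOAD_TARGETS = {"msctfmonitor.dll": "ctfmon.exe", "secure32.dll": "calc.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def check_image_load(event):
    """Return the reasons an image-load record looks like DLL side-loading.

    `event` is a dict with Image (loading process path), ImageLoaded (DLL path)
    and, optionally, ProcessOriginalFileName (PE version-info name of the
    process; an assumed enrichment field). An empty list means no finding.
    """
    dll_path = event["ImageLoaded"].lower()
    dll = ntpath.basename(dll_path)
    if dll not in SIDELOAD_TARGETS:
        return []
    reasons = []
    if not dll_path.startswith(SYSTEM_DIRS):
        reasons.append(f"{dll} loaded from non-system path {ntpath.dirname(dll_path)}")
    host = ntpath.basename(event["Image"].lower())
    expected = SIDELOAD_TARGETS[dll]
    if host != expected:
        reasons.append(f"{dll} loaded by {host!r}, expected {expected!r}")
    original = event.get("ProcessOriginalFileName", "").lower()
    if original and original != host:
        reasons.append(f"host renamed on disk: {host!r} is really {original!r}")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that produced a finding."""
    return [(i, check_image_load(e)) for i, e in enumerate(events) if check_image_load(e)]


# Constructed sample telemetry (hypothetical paths; not indicators from the alert).
EVENTS = [
    {"Image": "D:\\eBill-997358806.exe", "ImageLoaded": "D:\\MsCtfMonitor.dll",
     "ProcessOriginalFileName": "ctfmon.exe"},                       # stage 1 from the ISO
    {"Image": "C:\\Windows\\System32\\calc.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\Secure32.dll"},  # later stage
    {"Image": "C:\\Windows\\System32\\ctfmon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll"},      # benign load
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},          # unrelated
]

if __name__ == "__main__":
    for idx, reasons in scan(EVENTS):
        print(f"event {idx}:", "; ".join(reasons))
```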
Impact
- Unauthorized Access
- Sensitive Information Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade any platforms and software in a timely manner and make this a standard security policy.
- Enforce access management policies.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.