Rewterz Threat Alert – MenuPass QuasarRAT Backdoor – APT10 – Aiming for Unauthorized System Access

Severity

Medium

Analysis summary

A campaign targeting companies from several verticals across the EMEA region. The campaign seemed to be related to the MenuPass (a.k.a. APT10/Stone Panda/Red Apollo) threat actor, and utilized an open-source backdoor named QuasarRAT to achieve persistence within an organization. We identified several distinct loader variants tailored to specific targets by leveraging machine learning (ML) to analyse our malware corpus.

QuasarRAT is a lightweight remote administration tool written in C#. It can collect system information, download and execute applications, upload files, log keystrokes, grab screenshots/camera captures, retrieve system passwords and run shell commands. The remote access Trojan (RAT) is loaded by a bespoke loader (a.k.a. DILLWEED). The encrypted QuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and instantiated using a CLR host application. In later variants an additional component is also used to install the RAT as a service (a.k.a DILLJUICE).

Impact

• Unauthorized system access
• Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

• 0aa3d394712452bba79d7a524a54aa871856b4d340daae5bf833547da0f1d844
• 0eff243e1253e7b360402b75d7cb5bd2d3b608405daece432954379a56e27bff
• 1ddb533be5fa167c9a6fce5d1777690f26f015fcf4bd82efebd0c5c0b1e135f2
• 239e9bc49de3e8087dc5e8b0ce7494dabce974de220b0b04583dec5cd4af35e5
• 26866d6dcb229bf6142ddfdbf59bc8709343f18b372f3270d01849253f1caafb
• 31f0ff80534007c054dcdbaf25f2449ee7856aceac2962f4d8463f89f61bb3b0
• 41081e93880cc7eaacd24d5846ae15016eb599d745809e805deedb0b2f7d0859
• 56f727b3ced15e9952014fc449b496bfcf3714d46899b4bb289d285b08170138
• 6037b5ce5e7eda68972c7d6dfe723968bea7b40ac05b0f8c779a1f1d542b4ae4
• 721caf6de3086cbab5a3a468b21b039545022c39dc5de1d0f438c701ecc8e9df
• 7f7fc0db3ea3545f114ed41853e4dc3764addfa352c28b1f6643d3fdaf7076c5
• 9bbc5b8ad7fb4ce7044a2ced4433bf83b4ccc624a74f8bafb1c5932c76511308
• c8c707575bb87c17ec17c4517c99229a993f80a76261191b2b89d3cb88e24aea
• c8f2cc7c4fdf8a748cb45f6cfb21dd97655b49dd1e13dd8cc59a5eab69cc7017
• cc02561e5632a2c8b509761ee7a23a75e3899441f9c77d778d1a770f0f82a9b7
• cf08dec0b2d1e3badde626dbbc042bc507733e2454ae9a0a7aa256e04af0788d
• cf981bda89f5319a4a30d78e2a767c54dc8075dd2a499ddf79b25f12ec6edd64
• e24f56ed330e37b0d52d362eeb66c148d09c25721b1259900c1da5e16f70230a
• e8f00263b47b8564da9bc2029a18a0fec745377372f6f65a21aa2762fc626d4c
• f1c5a9ad5235958236b1a56a5aa26b06d0129476220c30baf0e1c57038e8cddb
• f8a7e8a52de57866c6c01e9137a283c35cd934f2f92c5ace489b0b31e62eebe7
• fe65e5c089f8a09c8a526ae5582aef6530e1139d4a995eb471349de16e76ec71

Remediation

Block all threat indicators at your respective controls