Quasar RAT, an open-source remote access trojan, has been observed using DLL side-loading to stay under the radar while siphoning data from compromised Windows hosts.
Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan recently detailed how the malware relies on the legitimate Windows binaries ctfmon.exe and calc.exe to get its code loaded, explaining, “This method takes advantage of the implicit trust Windows places in these files.”
Also known as CinaRAT or Yggdrasil, Quasar RAT is written in C# and can collect system information, enumerate running applications, retrieve files, log keystrokes, capture screenshots, and execute arbitrary shell commands.
DLL side-loading is a well-worn adversary technique (MITRE ATT&CK T1574.002): a trusted application looks for a DLL by name, and the attacker plants a malicious DLL under that name where the loader will find it first, typically in the application's own directory. As MITRE notes, the point is to have the payload execute under a legitimate, trusted and potentially elevated process so that its activity blends in with that process.
Uptycs' analysis centers on an ISO image containing three files. Launching them sets the chain in motion: a legitimate Windows binary is executed and side-loads a malicious DLL placed alongside it, which carries the next-stage code.
That code launches a further executable that is injected into the Windows Assembly Registration Tool (RegAsm.exe). In the final step a genuine copy of calc.exe is launched and loads the rogue Secure32.dll, which ultimately delivers the Quasar RAT payload.
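To make the technique concrete from the defender's side, here is a small detection routine that runs over records shaped like Sysmon Event ID 7 (Image loaded) telemetry. This is an added example, not code from the Uptycs report or from Quasar RAT, and the event records it scans are constructed. It encodes the two observations above: a known Windows host binary such as ctfmon.exe or calc.exe executing outside the Windows and Program Files trees, and a process resolving an unsigned DLL from its own directory when that directory is not a trusted root. The file paths, the drive letter of the mounted ISO, the MsCtfMonitor.dll name and the simplified event fields are all assumptions for the sake of the example.

```python
"""Flag Sysmon Event ID 7 (Image loaded) records that look like DLL side-loading.

Added example; not from the Uptycs report. The records below are constructed and
simplified, with field names following Sysmon's ImageLoad event.
"""
import ntpath

# Directories Windows and installers own; DLLs loaded from anywhere else deserve scrutiny.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Legitimate Windows binaries the article names as side-loading hosts (assumed list; extend it).
HOST_BINARIES = {"ctfmon.exe", "calc.exe"}


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _validly_signed(event: dict) -> bool:
    return (event.get("Signed", "false").lower() == "true"
            and event.get("SignatureStatus", "").lower() == "valid")


def side_load_indicators(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like side-loading (empty list if none)."""
    image, loaded = event["Image"], event["ImageLoaded"]
    proc_name = ntpath.basename(image).lower()
    proc_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    reasons = []

    # Rule A: a known Windows binary executing from somewhere Windows did not install it
    # (a mounted ISO, a temp folder) is the classic setup for side-loading.
    if proc_name in HOST_BINARIES and not _under_trusted_root(image):
        reasons.append(f"{proc_name} running outside Windows/Program Files: {proc_dir}")

    # Rule B: the loader resolved a DLL from the process's own directory, that directory is
    # not a trusted root, and the DLL carries no valid signature. This keys on the load
    # itself, so it still fires when the host binary has been renamed to defeat Rule A.
    if dll_dir == proc_dir and not _under_trusted_root(loaded) and not _validly_signed(event):
        reasons.append(f"unsigned {ntpath.basename(loaded)} loaded from process directory {dll_dir}")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the rules over a batch; return (index, reasons) for every event that fired."""
    hits = []
    for i, ev in enumerate(events):
        reasons = side_load_indicators(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry); paths and drive letters are assumptions.
SAMPLE_EVENTS = [
    {   # 0: legitimate ctfmon.exe loading its usual DLL from System32
        "Image": "C:\\Windows\\System32\\ctfmon.exe",
        "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
    {   # 1: a copy of ctfmon.exe run from a mounted ISO, pulling an unsigned DLL beside it
        "Image": "E:\\ctfmon.exe",
        "ImageLoaded": "E:\\MsCtfMonitor.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # 2: a copy of calc.exe in a temp folder loading a DLL that is not a Windows system DLL
        "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\calc.exe",
        "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\Secure32.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # 3: a third-party application loading its own signed DLL from Program Files (normal)
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Vendor Inc",
    },
    {   # 4: the same ISO-hosted chain with the host binary renamed to dodge name-based checks
        "Image": "E:\\invoice.exe",
        "ImageLoaded": "E:\\MsCtfMonitor.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:")
        for r in reasons:
            print(f"  - {r}")
```

Rule A is trivial to evade by renaming the host binary, which is what the fifth record demonstrates; Rule B keys on the load behaviour and still fires on it. In production, Rule B needs an allowlist for software that legitimately installs into user-writable directories, and the host-binary check is stronger when keyed on the process's hash or OriginalFileName from the Sysmon process-creation event (ID 1) rather than on its file name.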
Once running, the trojan contacts a remote server, sends the collected system information and opens a backdoor that gives the operator unrestricted remote access.
The threat actor behind the campaign has not been identified, and the initial access vector is believed to be phishing email. It is a timely reminder to treat unexpected emails, links and attachments with suspicion, and in particular ISO disk images, which is how this chain is packaged.