QuasarRAT

QuasarRAT is an open-source remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in C#.[1][2]

ID: S0262
Associated Software: xRAT
Type: TOOL
Platforms: Windows
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.1
Created: 17 October 2018
Last Modified: 07 May 2024

Associated Software Descriptions

Name Description
xRAT [3][4]

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

QuasarRAT can obtain passwords from common FTP clients.[1][2]

.003 Credentials from Web Browsers

QuasarRAT can obtain passwords from common web browsers.[1][2]

Enterprise T1005 Data from Local System

QuasarRAT can retrieve files from compromised client machines.[5]

Enterprise T1090 Proxy

QuasarRAT can communicate over a reverse proxy using SOCKS5.[1][2]

Enterprise T1112 Modify Registry

QuasarRAT has a command to edit the Registry on the victim’s machine.[1][5]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.[1][2][5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

If the QuasarRAT client process does not have administrator privileges it will add a registry key to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1][5]
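The non-admin persistence path above lands in a key any user can export and review. The following is an added example (not QuasarRAT code and not from the cited reports): it parses the text of a `reg export` of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags values whose executable sits in a user-writable location such as AppData or Temp, which is where a client running without administrator rights has to drop itself. The .reg content, value names and paths are constructed for the demonstration; the set of "user-writable" prefixes is an assumption and should be tuned to the environment.

```python
"""Triage of an exported HKCU Run key for autostart entries in user-writable paths.

Added example, not QuasarRAT code. Input is the text of
`reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg`.
"""
import re

# Constructed sample export (value names and paths are illustrative only).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Client Startup"="\"C:\\Users\\alice\\AppData\\Roaming\\SubDir\\Client.exe\""
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe -s"
'''

# Assumed set of locations a non-admin process can write to; extend per environment.
USER_WRITABLE = re.compile(
    r'^(?:[A-Z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|'
    r'[A-Z]:\\(?:windows\\temp|programdata|temp)\\)',
    re.IGNORECASE,
)

# A .reg string value: "name"="data", with backslash and quote escaped as \\ and \".
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping in one pass (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_key(reg_text):
    """Return {value_name: command_line} for the first [...\\Run] section found."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith('['):
            in_run = line.rstrip(']').lower().endswith('\\run')
            continue
        if not in_run:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def executable_path(cmd):
    """Extract the program path from a Run command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def flag_user_writable_autostarts(reg_text):
    """Return [(value_name, exe_path)] for Run values whose program lives in a user-writable dir."""
    hits = []
    for name, cmd in parse_run_key(reg_text).items():
        exe = executable_path(cmd)
        if USER_WRITABLE.match(exe):
            hits.append((name, exe))
    return hits


if __name__ == '__main__':
    for name, exe in flag_user_writable_autostarts(SAMPLE_REG):
        print(f'suspicious Run value {name!r} -> {exe}')
```

Run-key entries under Program Files are not flagged; the two constructed entries under the user's AppData tree are. On a live host, pair this with a check that the HKLM Run key and the Startup folder are clean, since an elevated client would not need the HKCU path.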

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[1][5]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

QuasarRAT can obtain passwords from FTP clients.[1][2]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

QuasarRAT can generate a UAC pop-up window to prompt the target user to run a command as the administrator.[5]

Enterprise T1614 System Location Discovery

QuasarRAT can determine the country a victim host is located in.[5]

Enterprise T1082 System Information Discovery

QuasarRAT can gather system information from the victim’s machine including the OS type.[1]

Enterprise T1033 System Owner/User Discovery

QuasarRAT can enumerate the username and account type.[5]

Enterprise T1016 System Network Configuration Discovery

QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0.[5]

Enterprise T1125 Video Capture

QuasarRAT can perform webcam viewing.[1][2]

Enterprise T1105 Ingress Tool Transfer

QuasarRAT can download files to the victim’s machine and execute them.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

QuasarRAT has a built-in keylogger.[1][2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

QuasarRAT has a module for performing remote desktop access.[1][2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.[5]

.003 Hide Artifacts: Hidden Window

QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A though QuasarRAT can only be run on Windows systems.[5]
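The two network indicators recorded on this page, the external-IP lookups against ip-api[.]com, freegeoip[.]net and api[.]ipify[.]org with the Firefox/48 user-agent (T1016) and the "invisible" requests carrying a macOS Safari user-agent from a host that can only be Windows (T1564.003), are both visible in web-proxy logs. The following is an added detection example written for this page, not QuasarRAT code and not from the cited reports. It scans constructed, tab-separated proxy records and flags both patterns; the log format, the client IPs and the WINDOWS_HOSTS asset inventory are assumptions for the demonstration, and the two user-agent strings are copied from the entries above.

```python
"""Proxy-log triage for the QuasarRAT network indicators on this page.

Added example, not QuasarRAT code. Records are constructed, tab-separated
lines: timestamp, client_ip, host, path, user_agent.
"""
import csv
import io

# Services QuasarRAT is reported to query for the WAN IP (T1016).
WAN_IP_SERVICES = {"ip-api.com", "freegeoip.net", "api.ipify.org"}

# User-agent strings recorded on this page.
QUASAR_FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
QUASAR_SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) "
                    "AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A")

# Assumed asset inventory: client IPs known to be Windows workstations.
WINDOWS_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Constructed proxy log (five records; the last client is not in the inventory).
SAMPLE_LOG = "\n".join([
    "2024-05-07T10:01:02Z\t10.0.5.21\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
    "2024-05-07T10:01:09Z\t10.0.5.21\tip-api.com\t/json/\t" + QUASAR_FIREFOX_UA,
    "2024-05-07T10:02:15Z\t10.0.5.21\tapi.ipify.org\t/\t" + QUASAR_FIREFOX_UA,
    "2024-05-07T10:03:30Z\t10.0.5.22\tcdn.example.net\t/lib.js\t" + QUASAR_SAFARI_UA,
    "2024-05-07T10:04:00Z\t10.0.9.8\tcdn.example.net\t/lib.js\t" + QUASAR_SAFARI_UA,
])

FIELDS = ("ts", "client_ip", "host", "path", "user_agent")


def parse_log(text):
    """Parse tab-separated proxy records into dicts; malformed rows are skipped."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def claims_macos(user_agent):
    """True if the user-agent presents itself as a macOS browser."""
    return "Macintosh" in user_agent or "Mac OS X" in user_agent


def detect(records, windows_hosts=WINDOWS_HOSTS):
    """Return [(rule, client_ip, detail)] findings for the two indicators."""
    findings = []
    for r in records:
        host = r["host"].lower()
        # Rule 1: external-IP lookup service; note when the UA is the exact string reported.
        if host in WAN_IP_SERVICES:
            detail = host + r["path"]
            if r["user_agent"] == QUASAR_FIREFOX_UA:
                detail += " (user-agent matches the QuasarRAT Firefox/48 string)"
            findings.append(("T1016 external IP lookup", r["client_ip"], detail))
        # Rule 2: a Windows asset presenting a macOS user-agent.
        if r["client_ip"] in windows_hosts and claims_macos(r["user_agent"]):
            findings.append(("T1564.003 UA/OS mismatch", r["client_ip"], r["user_agent"]))
    return findings


if __name__ == "__main__":
    for rule, client, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {client}: {detail}")
```

On the constructed log this yields two T1016 hits for 10.0.5.21 and one UA/OS mismatch for 10.0.5.22; the same Safari user-agent from 10.0.9.8 is not flagged because that address is not inventoried as Windows, which is why rule 2 depends on an accurate asset list rather than on the string alone. Rule 1 will also fire on legitimate software that checks its public IP, so treat it as a triage lead and confirm with the user-agent match or a follow-on connection to an unusual port.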

Enterprise T1095 Non-Application Layer Protocol

QuasarRAT can use TCP for C2 communication.[5]

Enterprise T1571 Non-Standard Port

QuasarRAT can use port 4782 on the compromised host for TCP callbacks.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[2][5]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[2]

Groups That Use This Software

References