Malware

Experts uncovered an advanced phishing campaign delivering the Quasar RAT

Researchers at Cofense uncovered an advanced phishing campaign delivering Quasar RAT via fake resumes.

Experts at security firm Cofense observed an advanced phishing campaign delivering Quasar RAT via fake resumes.

The use of multiple anti-analysis methods to camouflage the attack vectors is the main characteristic of this campaign. Quasar RAT is available as an open-source tool on several public repositories, attackers use to avoid detection leveraging methods such as password protection and encoded macros. 

Quasar RAThas been used in the past by many hacking groups including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

The fake resumes distributed in this phishing campaign detected are password-protected Microsoft Word documents. The samples analyzed by the experts used ‘123’ as password that was included in the phishing message. Once the document is opened, it will ask for macros to be enabled to start the infection process.

Experts observed that attackers are using a trick to evade the detection, the macro was developed to crash analysis tools.

“If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro.” reads the analysis. “This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required.”

Researchers discovered that parts of the payload URL, along with additional information, are hidden as meta-data for embedded images and objects.

If the macro is successfully executed, it will display a series of images claiming to be loading content while it is repeatedly adding a garbage string to the document contents. This process will cause the system to display an error message while downloading and running a malicious executable in the background.

The last trick adopted by attackers to avoid detection is to download a Microsoft Self Extracting executable, then the Quasar RAT is dropped on the now compromised system.

“This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB.” continues the analysis.”By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content. “

The report published by Cofense includes Indicators of compromise (IoCs) and MD5 hashes of malware artifacts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – phishing campaign, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

6 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

13 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.