Experts uncovered an advanced phishing campaign delivering the Quasar RAT

Researchers at Cofense uncovered an advanced phishing campaign delivering Quasar RAT via fake resumes.

Experts at security firm Cofense observed an advanced phishing campaign delivering Quasar RAT via fake resumes.

The use of multiple anti-analysis methods to camouflage the attack vectors is the main characteristic of this campaign. Quasar RAT is available as an open-source tool on several public repositories, attackers use to avoid detection leveraging methods such as password protection and encoded macros. 

Quasar RAThas been used in the past by many hacking groups including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

The fake resumes distributed in this phishing campaign detected are password-protected Microsoft Word documents. The samples analyzed by the experts used ‘123’ as password that was included in the phishing message. Once the document is opened, it will ask for macros to be enabled to start the infection process.

Experts observed that attackers are using a trick to evade the detection, the macro was developed to crash analysis tools.

“If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro.” reads the analysis. “This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required.”

Researchers discovered that parts of the payload URL, along with additional information, are hidden as meta-data for embedded images and objects.

If the macro is successfully executed, it will display a series of images claiming to be loading content while it is repeatedly adding a garbage string to the document contents. This process will cause the system to display an error message while downloading and running a malicious executable in the background.

The last trick adopted by attackers to avoid detection is to download a Microsoft Self Extracting executable, then the Quasar RAT is dropped on the now compromised system.

“This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum with special circumstances for API submission going up to 200MB.” continues the analysis.”By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content. “

The report published by Cofense includes Indicators of compromise (IoCs) and MD5 hashes of malware artifacts.

Pierluigi Paganini

(SecurityAffairs – phishing campaign, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On