A recent research report conducted by Uptycs has shed light on the evolution of QuasarRAT, an open-source remote administration tool (RAT) that is well-known for its lightweight nature and the wide range of malicious functions it performs. The report, published by Uptycs security researcher Tejaswini Sandapolla, reveals that QuasarRAT, also known as CinaRAT or Yggdrasil, has been found to use a sophisticated technique called DLL side-loading, which exploits trusted Microsoft files in order to execute malicious activities.
DLL side-loading abuses the trust that Windows places in signed Microsoft executables: a legitimate binary is made to load an attacker-supplied DLL, so the malicious code runs under the name of a trusted process and is less likely to be flagged. This discovery is particularly concerning because QuasarRAT has been openly available on GitHub, putting Windows users, system administrators, and cybersecurity professionals at risk.
Tejaswini Sandapolla, in her report, noted that while tactics like DLL side-loading are not new, observing them evolve and being adopted by other malware strains demonstrates the adaptability of threat actors. In this case, the attackers specifically used trusted Microsoft files to carry out their attack, further emphasizing the importance of staying vigilant and implementing robust security measures.
QuasarRAT uses the genuine “ctfmon.exe” in its initial phase to load a malicious DLL, so the first malicious code runs under the name of a trusted Microsoft process. This gives the attacker a ‘stage 1’ payload, which serves as the gateway for the subsequent steps. The stage 1 payload drops both the legitimate “calc.exe” file and a second malicious DLL onto the system.
The attacker then leverages the seemingly harmless “calc.exe”, the Windows calculator, which in this context loads the malicious DLL placed beside it. That DLL in turn loads the QuasarRAT payload into memory.
To further conceal itself and complicate detection, the payload uses “process hollowing”: it starts a legitimate process and replaces that process’s in-memory code with its own, so the malware runs under the name and image path of a legitimate process and is harder to spot.
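The chain described above (a signed Microsoft binary such as ctfmon.exe or calc.exe loading a DLL from wherever it was dropped) leaves a characteristic trace in image-load telemetry. The following is an added detection example, not code from Uptycs or from the report; it assumes Sysmon-style Event ID 7 (ImageLoaded) records with the fields Image, ImageLoaded, Signed and Signature, serialised here in a constructed `key=value|key=value` text format. The sample events, paths and DLL names are constructed for the example and are not indicators from the report.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoaded (Event ID 7) records.

Added example, not the Uptycs report's code. The event text format and all
sample events below are constructed; field names follow Sysmon's schema.
"""
import ntpath
from dataclasses import dataclass

# Signed Microsoft executables the report describes as side-loading hosts.
WATCHED_HOSTS = {"ctfmon.exe", "calc.exe"}

# Directories from which these hosts legitimately load their DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass
class Finding:
    host: str    # basename of the loading process
    dll: str     # full path of the loaded DLL
    reason: str  # why the load looks like side-loading


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def is_trusted_dir(path: str) -> bool:
    """True when the path sits under one of the Windows system directories."""
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(ev: dict):
    """Return a Finding for a suspicious load by a watched host, else None."""
    host_path = ev.get("Image", "")
    host = ntpath.basename(host_path).lower()
    if host not in WATCHED_HOSTS:
        return None
    dll = ev.get("ImageLoaded", "")
    reasons = []
    # Side-loading usually copies the legitimate binary next to the rogue DLL.
    if not is_trusted_dir(host_path):
        reasons.append("host binary running outside its system directory")
    # The rogue DLL lives wherever the dropper put it, not in System32.
    if not is_trusted_dir(dll):
        reasons.append("DLL loaded from outside the system directories")
    # A DLL that ctfmon.exe/calc.exe legitimately need is Microsoft-signed.
    signed = ev.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in ev.get("Signature", "").lower():
        reasons.append("DLL not signed by Microsoft")
    if not reasons:
        return None
    return Finding(host=host, dll=dll, reason="; ".join(reasons))


def scan(lines):
    """Run check_event over every Event ID 7 record and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events carry the DLL path
        f = check_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: one benign load, two side-loading candidates,
# one process-creation event (ignored) and one load by an unwatched process.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Windows\System32\ctfmon.exe|ImageLoaded=C:\Windows\System32\msctf.dll|Signed=true|Signature=Microsoft Windows",
    r"EventID=7|Image=C:\Users\Public\Libraries\ctfmon.exe|ImageLoaded=C:\Users\Public\Libraries\stage1.dll|Signed=false|Signature=",
    r"EventID=7|Image=C:\Users\Public\Libraries\calc.exe|ImageLoaded=C:\Users\Public\Libraries\payload.dll|Signed=false|Signature=",
    r"EventID=1|Image=C:\Users\Public\Libraries\calc.exe|CommandLine=calc.exe",
    r"EventID=7|Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Program Files\Vendor\vendor.dll|Signed=false|Signature=",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.dll} ({finding.reason})")
```

Running the block reports the two loads by the relocated ctfmon.exe and calc.exe and stays silent on the genuine ctfmon.exe loading its Microsoft-signed DLL from System32. The rule is deliberately scoped to the named hosts; widening `WATCHED_HOSTS` to every signed Microsoft binary will surface legitimate third-party loads and needs an allow-list.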
To protect against QuasarRAT and its new capabilities, Uptycs emphasizes keeping software up to date and practicing vigilant email habits. They also recommend deploying advanced security solutions and training staff to recognize suspicious activity. Collaborating with cybersecurity experts and sharing information within the industry are further measures that help organizations stay informed about evolving threats.
In conclusion, the research conducted by Uptycs has shed light on the evolving threat of QuasarRAT and its use of DLL side-loading. This discovery serves as a reminder of the importance of staying vigilant and implementing robust security measures to protect against evolving malware strains. By keeping software up-to-date, practicing safe email habits, and collaborating with cybersecurity experts, organizations can better defend against these sophisticated attacks.