LTS Secure Warning: Advanced Phishing Campaign Drops Quasar RAT via Fake Resumes

A new phishing campaign has been identified that makes use of multiple anti-analysis methods to drop Quasar RAT. Quasar is an open-source RAT, which targets the windows OS & is written in C# programming language.

Technical Details

The email is constructed using a common “resume” theme, with the malicious document attached. The attackers are employing counter-detection measures to delay being detected & making it difficult to analyze. The delay provides enough time to acquire more information & install more sophisticated malware before being detected or removed.

Upon opening the DOC, users are asked to enable macros, which once done starts the infection process. Macros present are in the form of base64 encoded garbage code, designed for the purpose of crashing analysis tools. If the embedded micro runs successfully, it starts displaying a series of image, which claim to load the content while adding garbage strings to the document content repetitively. It then displays an error message while downloading the malicious executable in the background.

Along with that, a Microsoft self-extracting executable is also downloaded to avoid discovery. This executable then unloads the Quasar RAT binary.

Impact

• Logs user’s keystrokes.
• Records videos & takes pictures from webcam.
• Take screenshots of desktop.
• Stealing sensitive/confidential information.
• Terminating connections and killing processes.
• Uploading & downloading files.
• Spying on the victims actions.

Recommended Actions

• Avoid Opening emails & attachments from unknown senders.
• Take an effort to educate your users on how to identify a mal-spam.
• Ensure that your devices are always up-to-date with the latest patches released.
• Always update your anti-virus software with the latest releases.
• Periodically run “full system scan” on your endpoints.