Research carried out by Uptycs has identified a malware campaign whose protagonist is Quasar RAT.
This malicious agent reportedly relies on DLL side-loading to avoid detection by security tools, allowing it to compromise Windows systems.
According to Tejaswini Sandapolla and Karthickkumar Kathiresan at Uptycs, "This technique takes advantage of the inherent trust that these files elicit in the Windows environment". The malware, also known as CinaRAT or Yggdrasil, is a C#-based remote administration tool capable of interacting with compromised systems in several ways, such as:
- stealing system information;
- recording the keystrokes typed by the victim;
- sending the attacker the list of running applications;
- getting screenshots of what happens on the desktop of the device;
- executing various shell commands.
How does Quasar RAT work and why does it worry experts?
The technique known as DLL side-loading is widely used by cybercriminals.
With Quasar RAT, as with other malware, the idea is to have a legitimate executable load a malicious DLL planted under the name it expects, so the payload runs from a file whose name raises no alarm on the victim's system. This works because Windows resolves a DLL that is not in the KnownDLLs list from the application's own directory before it looks in the system directory, so a DLL dropped beside the executable wins over the genuine one.
According to MITRE, "Attackers likely use side-loading as a means to disguise the actions they perform within a legitimate, trusted, and potentially highly accessed software system or process".
The starting point of the attack documented by Uptycs is an ISO image containing three files: a legitimate binary, ctfmon.exe, renamed eBill-997358806.exe; the legitimate MsCtfMonitor.dll renamed monitor.ini; and a malicious MsCtfMonitor.dll.
The researchers explained: "When the binary file 'eBill-997358806.exe' is executed, it starts loading a file titled 'MsCtfMonitor.dll' via DLL side-loading technique, inside which malicious code is hidden".
The hidden code is another executable, FileDownloader.exe, which is injected into Regasm.exe to start the next phase: a genuine calc.exe loads the malicious agent (Secure32.dll) through the same technique, a procedure that ultimately loads the Trojan itself.
The identity of the campaign's author and the exact initial access vector are unclear, but Quasar RAT is likely spread via phishing e-mails.
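The file layout described in the chain above can be triaged mechanically. The following Python script is an added example, not code from Uptycs or from this article: it runs a handful of rules over a file inventory (path, VERSIONINFO OriginalFilename and first bytes, as an EDR export or a forensic triage script would provide) and flags the indicators the chain leaves behind: a system binary whose on-disk name differs from its OriginalFilename, a system binary outside System32, a PE image hidden behind a non-executable extension, a system DLL name outside System32, and any DLL sitting next to a flagged executable. It assumes Windows is installed at <drive>:\Windows, that a renamed copy of ctfmon.exe keeps its version resource, and that the short KNOWN_* catalogues are illustrative; the sample inventory is constructed to mirror the chain and is not data from the campaign.

```python
"""Heuristic detector for the DLL side-loading pattern described above.

Runs over a file inventory (path, PE VERSIONINFO OriginalFilename, first
bytes) as an EDR or forensic triage script would export it. Assumptions:
Windows lives at <drive>:\\Windows, renamed copies of system binaries keep
their version resource, and SAMPLE_INVENTORY below is constructed test data.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows binaries known to be abused as side-loading hosts (assumption: this
# list is illustrative; a real deployment would carry a fuller catalogue)
KNOWN_SYSTEM_EXES = {"ctfmon.exe", "calc.exe"}
# DLLs those binaries resolve by name, application directory first
KNOWN_SYSTEM_DLLS = {"msctfmonitor.dll"}
SYSTEM_DIRS = (("windows", "system32"), ("windows", "syswow64"))
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")


@dataclass(frozen=True)
class FileRecord:
    path: str               # on-disk location
    original_filename: str  # OriginalFilename from VERSIONINFO, "" if absent
    head: bytes             # first two bytes of the file ("MZ" for a PE image)


def in_system_dir(p: PureWindowsPath) -> bool:
    """True when the file's parent is <drive>:\\Windows\\System32 or SysWOW64."""
    parent = tuple(part.lower() for part in p.parent.parts[1:])
    return parent in SYSTEM_DIRS


def find_sideloading(records):
    """Return {path: [reasons]} for every record that matches a rule."""
    findings = {}
    flagged_dirs = set()  # directories that hold a suspicious executable

    def flag(rec, reason):
        findings.setdefault(rec.path, []).append(reason)

    # Pass 1: executables and extension/magic mismatches
    for rec in records:
        p = PureWindowsPath(rec.path)
        name, ext = p.name.lower(), p.suffix.lower()
        orig = rec.original_filename.lower()

        if rec.head == b"MZ" and ext not in PE_EXTENSIONS:
            # e.g. a DLL stored as monitor.ini
            flag(rec, "PE image with non-executable extension")

        if ext == ".exe" and not in_system_dir(p):
            if orig in KNOWN_SYSTEM_EXES and orig != name:
                # e.g. ctfmon.exe shipped as eBill-997358806.exe
                flag(rec, f"renamed system binary ({orig})")
                flagged_dirs.add(str(p.parent).lower())
            elif name in KNOWN_SYSTEM_EXES:
                # e.g. a copy of calc.exe dropped in %TEMP%
                flag(rec, "system binary outside System32")
                flagged_dirs.add(str(p.parent).lower())

    # Pass 2: DLLs a host binary could pick up from its own directory
    for rec in records:
        p = PureWindowsPath(rec.path)
        if p.suffix.lower() != ".dll" or in_system_dir(p):
            continue
        if p.name.lower() in KNOWN_SYSTEM_DLLS:
            flag(rec, "system DLL name outside System32")
        if str(p.parent).lower() in flagged_dirs:
            flag(rec, "DLL co-located with suspicious executable")
    return findings


# Constructed inventory mirroring the chain in the text, plus benign decoys.
# Paths and version strings are invented for the example.
SAMPLE_INVENTORY = [
    FileRecord(r"D:\eBill-997358806.exe", "ctfmon.exe", b"MZ"),
    FileRecord(r"D:\MsCtfMonitor.dll", "", b"MZ"),
    FileRecord(r"D:\monitor.ini", "MsCtfMonitor.dll", b"MZ"),
    FileRecord(r"C:\Users\victim\AppData\Local\Temp\calc.exe", "CALC.EXE", b"MZ"),
    FileRecord(r"C:\Users\victim\AppData\Local\Temp\Secure32.dll", "", b"MZ"),
    FileRecord(r"C:\Windows\System32\ctfmon.exe", "CTFMON.EXE", b"MZ"),
    FileRecord(r"C:\Windows\System32\MsCtfMonitor.dll", "MsCtfMonitor.dll", b"MZ"),
    FileRecord(r"C:\Users\victim\Documents\notes.ini", "", b"[s"),
]

if __name__ == "__main__":
    for path, reasons in find_sideloading(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The genuine ctfmon.exe and MsCtfMonitor.dll under System32 are not reported, while the Secure32.dll stage is caught only by the co-location rule, since its name matches no system DLL; that is the rule to keep when extending the catalogues to other side-loading hosts.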