Quasar Family Attack activity

Introduction

Quasar is an open-source RAT (Remote Administration Tool) that has been abused by many attackers because of its rich functionality and ease of use. It has also been used in multiple attack campaigns by APT groups, and we have confirmed cases in which an attack group known as APT10 used it in targeted attacks against Japanese organizations.
In addition, because Quasar's source code is public, many derivative RATs exist (hereinafter referred to as the Quasar Family). Some of the Quasar Family are also used in attacks against Japanese organizations and pose as great a threat as Quasar itself.
This post introduces the details of Quasar and the Quasar Family.

Overview of Quasar

Quasar is intended for uses such as endpoint management, support work and employee monitoring, and has many functions. Figure 1 shows the functions and operating environment of Quasar as introduced on GitHub.

Figure 1: Quasar features and operating environment

When Quasar was first released it had a different name, xRAT; from the August 2015 release the tool was renamed Quasar. The latest version as of December 2020 is 1.4 (released June 2020).

Figure 2: Quasar version transition

Note that versions prior to 1.3 are still being abused in attacks, so this article introduces the features of both version 1.3 and version 1.4.

Communication method

In version 1.3, a proprietary protocol using AES and QuickLZ is used for communication. In version 1.4, the AES and QuickLZ scheme is no longer implemented: the data to be sent is serialized with Protocol Buffers, developed by Google, and the entire communication is encrypted with TLS 1.2. Figure 3 shows the communication formats used in versions 1.3 and 1.4.

Figure 3: Quasar communication format

Communication flow

In version 1.3, when a client connects to the server, it first exchanges authentication messages and, once authentication succeeds, begins exchanging data including commands. In version 1.4, the authentication exchange has been replaced by the TLS handshake, after which the exchange of data including commands starts. Figure 4 shows the communication flow between Quasar clients and servers.

Figure 4: Quasar communication flow

Configuration information

Quasar holds its configuration information internally. The configuration is protected with a combination of AES encryption and Base64 encoding, and is decrypted at runtime using the ENCRYPTIONKEY value held in the configuration.

Figure 5: Quasar configuration information

Figure 6: Structure of configuration information

Table 1 lists the configuration items held by Quasar. Items marked (1.3), (1.4) or (xRAT only) exist only in that version.

VERSION           INSTALL                          LOGDIRECTORY (1.3)
HOSTS             STARTUP                          SERVERSIGNATURE (1.4)
PORT (xRAT only)  MUTEX                            SERVERCERTIFICATESTR (1.4)
RECONNECTDELAY    STARTUPKEY                       SERVERCERTIFICATE (1.4)
KEY               HIDEFILE                         HIDELOGDIRECTORY (1.3)
AUTHKEY           ENABLEUACESCALATION (xRAT only)  HIDELOGSUBDIRECTORY (1.3)
DIRECTORY         ENABLELOGGER                     INSTALLPATH (1.4)
SUBDIRECTORY      ENCRYPTIONKEY                    LOGSPATH (1.4)
INSTALLNAME       TAG (1.3)                        UNATTENDEDMODE (1.4)
Table 1: List of configuration items

Command

In version 1.3, the command set is defined using typeof. Figure 7 shows an example of commands defined in Quasar.

Figure 7: Defined commands

Quasar Family

Table 2 lists the Quasar Family tools derived from Quasar that JPCERT/CC has confirmed.

Name            Classification  Configuration  Communication method  Abuse in attacks
Golden Edition  clone           same           same                  confirmed
XPCTRA          clone           own            same                  confirmed
CinaRAT         clone           same           same                  confirmed
Xtremis 2.0     clone           same           same                  unconfirmed
QuasarStrike    clone           same           same                  unconfirmed
VenomRAT        clone           same           same                  unconfirmed
RSMaster        partial use     own            same                  unconfirmed
Void-RAT        partial use     own            same                  confirmed
AsyncRAT        partial use     own            same                  confirmed
Table 2: Quasar Family overview

* In the classification column, "clone" means a tool that uses the entire Quasar source code and adds or modifies some functions; "partial use" means a completely different tool built by reusing part of the source code.

Figure 8 compares the commands implemented in XPCTRA and in Quasar.

Figure 8: Command comparison
(left: XPCTRA, right: Quasar)

The comparison shows that most XPCTRA commands match those of Quasar.
Figure 9 compares the salt values used in the AES implementations of AsyncRAT and Quasar.

Figure 9: Encryption code comparison
(top: AsyncRAT, bottom: Quasar)

The salt value used in AsyncRAT is exactly the same as the one in Quasar.
Because the Quasar Family reuses Quasar's source code in this way, the configuration information and communication method used internally match the original Quasar. Some members also have their own extensions beyond the original Quasar, such as additional configuration items and unique commands.

Attack campaign using Quasar

Quasar is used in many attack campaigns. Table 3 shows how the Quasar used by each attack group differs.

Attack group  Quasar version            Own modifications  Obfuscation
APT33         1.3.0.0                   no                 ConfuserEx v1.0.0
Gorgon Group  -                         no                 -
APT-C-09      2.0.0.0 RELEASE3          no                 -
DustySky      1.1.0.0                   no                 -
APT10         2.0.0.0 (custom version)  yes                ConfuserEx v1.0.0
Table 3: Quasar examples by attack group

In most cases, the original Quasar is used, and the default values are kept for the configuration information as well. Figure 10 shows an example of the Quasar configuration information used by APT33.

Figure 10: Quasar configuration information used by APT33

Most settings keep the default values of the builder that generates Quasar; only STARTUPKEY has been changed. In this way, many attack groups leave the default values so as not to leave evidence that is specific to their own attacks.

Some attack groups, however, have made their own modifications to Quasar. We have confirmed that APT10 uses Quasar with its own implementation in attacks. In the following, we introduce the details of the changes made by APT10.

Configuration information

In APT10's Quasar (hereinafter, custom Quasar), the following values have been newly added to the configuration information.

· DOWNLOAD_URL

· PROXY

Figure 11 compares the configuration information of custom Quasar and Quasar.

Figure 11: Comparison of configuration information
(left: custom Quasar, right: Quasar)

A proxy server URL can be set in PROXY; this extension lets the client communicate normally with the C2 server even when a proxy server is used inside the target organization.
Also, whereas Quasar uses CBC mode for the AES encryption of the configuration information, custom Quasar has been changed to use CFB mode.

Figure 12: AES code comparison
(left: custom Quasar, right: Quasar)

Addition and deletion of commands

In custom Quasar, commands have been added and deleted. Figure 13 compares the commands of custom Quasar and Quasar.

Figure 13: Command comparison
(left: custom Quasar, right: Quasar)

In custom Quasar, the DoPlugin and DoPluginResponse commands have been added, and some commands, such as the keylogger, have been removed.
The newly added DoPlugin command extends functionality by loading additional plugin modules, and the DoPluginResponse command deletes the plugin module loaded by DoPlugin.
Although some functions, such as the keylogger, have been removed from custom Quasar, the functions that are needed are added dynamically with the DoPlugin command, so Quasar itself carries little functionality. This may be intended to avoid detection by antivirus software.

Error log creation

Custom Quasar adds a function that creates error logs. The file path used for the error log is hard-coded in the sample.

Figure 14: Error log creation function

Communication method

Custom Quasar also changes the encryption used when communicating with the C2 server. In the original Quasar, communication is encrypted using AES and QuickLZ; custom Quasar adds an XOR encoding step. Figure 15 shows the newly added XOR encoding process.

Figure 15: XOR encoding of communication data

As with the configuration information, the AES encryption has been changed from CBC mode to CFB mode. The two encryption schemes compare as follows.

· Quasar: QuickLZ + AES (CBC mode)

· Custom Quasar: QuickLZ + AES (CFB mode) + XOR
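As an added example (not code from Quasar or from JPCERT/CC), the following Go functions implement the two layerings above so that a decryptor can be written for either variant: original Quasar as AES-CBC with PKCS#7 padding (the .NET default), custom Quasar as a repeating-key XOR stripped first and then AES-CFB, the same CBC-to-CFB change described for the configuration information. The key, the IV-prefixed layout, the XOR key value and the CFB feedback size (Go's CFB uses 128-bit feedback; a .NET sample may differ) are assumptions, and Base64 decoding of configuration strings and QuickLZ decompression of traffic are left to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// xorBytes is the repeating-key XOR layer custom Quasar wraps around the AES output (key value assumed).
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}
// Encrypt builds IV||AES(pt) only to construct sample input: AES-CBC + PKCS#7 (original) or AES-CFB then XOR (custom).
func Encrypt(pt, key, iv, xorKey []byte, custom bool) []byte {
	block, _ := aes.NewCipher(key) // a valid 16/24/32-byte key is the caller's responsibility here
	if custom {
		ct := make([]byte, len(pt)) // CFB is a stream mode: no padding needed
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt)
		return xorBytes(append(append([]byte{}, iv...), ct...), xorKey)
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 always pads, by 1..16 bytes
	ct := make([]byte, len(pt)+n)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...))
	return append(append([]byte{}, iv...), ct...)
}
// Decrypt reverses Encrypt. Choosing the wrong mode is not loud: CFB returns garbage, CBC usually fails the padding check.
func Decrypt(blob, key, xorKey []byte, custom bool) ([]byte, error) {
	if custom {
		blob = xorBytes(blob, xorKey) // the outermost layer comes off first
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) <= aes.BlockSize || (!custom && len(blob)%aes.BlockSize != 0) {
		return nil, errors.New("bad key length or ciphertext length")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	if custom {
		cipher.NewCFBDecrypter(block, blob[:aes.BlockSize]).XORKeyStream(pt, blob[aes.BlockSize:])
		return pt, nil
	}
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n > 0 && n <= aes.BlockSize && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad PKCS#7 padding: wrong key or wrong AES mode")
}
```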

C2 server activity

JPCERT/CC investigated the activity of C2 servers based on the characteristics of the Quasar Family introduced so far. As of November 2020, we have confirmed a total of 76 IP addresses running C2 servers. Figure 16 shows the distribution of the Quasar Family C2 servers confirmed in this survey.

Figure 16: Distribution of C2 servers

With multiple C2 servers running in different countries, it is clear that Quasar and the Quasar Family are still being abused in many attack activities.