Quasar is an open source RAT (Remote Administration Tool) that is abused by many attackers because of its rich functionality and ease of use. It has also been used in multiple attack campaigns by APT groups, and JPCERT/CC has confirmed cases in which the attack group APT10 used it in targeted attacks against Japanese organizations.
Because Quasar's source code is public, many derivative RATs exist (hereinafter, the Quasar Family). Some of them are used in attacks against Japanese organizations and pose as serious a threat as Quasar itself.
This article describes Quasar and the Quasar Family in detail.
Overview of Quasar
Quasar is intended for uses such as endpoint management, support work and employee monitoring, and it offers many functions. Figure 1 shows the functions and supported environments of Quasar as described on GitHub.
When Quasar was first released it had a different name, xRAT; from the August 2015 release the tool was renamed Quasar. The latest version as of December 2020 is 1.4 (released in June 2020).
Version 1.3 and earlier builds are still being used in attacks, so this article covers the features of both version 1.3 and version 1.4.
Communication method
Version 1.3 uses a proprietary protocol in which the data is compressed with QuickLZ and encrypted with AES. Version 1.4 no longer implements this AES and QuickLZ layer: the data to be sent is serialized with Google's Protocol Buffers, and the entire connection is encrypted with TLS 1.2. Figure 3 shows the communication formats used in versions 1.3 and 1.4.
In version 1.3, a client that connects to the server first performs an authentication exchange, and only after successful authentication does it begin exchanging data, including commands. In version 1.4 the authentication exchange has been replaced by the TLS handshake, after which the exchange of data including commands begins. Figure 4 shows the communication flow between Quasar clients and servers.
Quasar holds its configuration internally. The configuration values are AES-encrypted and Base64-encoded, and are decrypted at runtime with the ENCRYPTIONKEY value in the configuration.
Table 1 lists the configuration items held by Quasar; the annotation in parentheses marks items that exist only in that version.
| PORT (xRAT only) | MUTEX | SERVERCERTIFICATESTR (1.4) |
| AUTHKEY | ENABLEUACESCALATION (xRAT only) | HIDELOGSUBDIRECTORY (1.3) |
Table 1: List of configuration items
In version 1.3, the command set is defined through typeof. Figure 7 shows an example of a command defined in Quasar.
Table 2 lists the Quasar Family derivatives confirmed by JPCERT/CC.
| Name | Classification | Configuration | Communication method | Observed abuse |
Table 2: Overview of the Quasar Family
* In the classification column, "clone" denotes a tool that uses the entire Quasar source code and adds or modifies some functions; "partial use" denotes a substantially different tool that reuses part of the source code.
Figure 8 compares the commands implemented in XPCTRA with those of Quasar.
The comparison shows that most of XPCTRA's commands match Quasar's.
Figure 9 compares the salt values used by the AES implementations of AsyncRAT and Quasar.
The salt used by AsyncRAT is identical to Quasar's.
Because the Quasar Family reuses the Quasar source code, the configuration and communication method used internally match those of the original Quasar. Some members also extend the original with their own configuration items and commands.
Attack campaigns using Quasar
Quasar is used in many attack campaigns. Table 3 shows how the Quasar builds used by each attack group differ.
| Attack group | Quasar version | Custom modifications | Obfuscation |
| APT10 | 220.127.116.11 (Custom Version) | Yes | ConfuserEx v1.0.0 |
Table 3: Quasar builds by attack group
In most cases the original Quasar is used, with the builder's default configuration values left in place. Figure 10 shows an example of the Quasar configuration used by APT33.
Most settings keep the default values of the builder that generates Quasar; only STARTUPKEY has been changed. Many attack groups appear to leave the defaults untouched so that the configuration does not carry characteristics that could be attributed to their activity.
Some attack groups, however, have modified Quasar. JPCERT/CC has confirmed that APT10 uses a Quasar build with its own implementation changes. The following sections describe the changes APT10 made.
In APT10's Quasar (hereinafter, custom Quasar), new items such as PROXY have been added to the configuration.
Figure 11 compares the configuration of custom Quasar with that of the original Quasar.
PROXY holds the URL of a proxy server; it extends Quasar so that the client can still communicate with the C2 server when the target organization routes outbound traffic through a proxy.
Quasar encrypts its configuration with AES in CBC mode; custom Quasar was changed to use CFB mode.
Addition and deletion of commands
Custom Quasar adds and removes commands. Figure 13 compares the commands of custom Quasar with those of the original Quasar.
Custom Quasar adds the DoPlugin and DoPluginResponse commands and removes some commands, such as the keylogger.
The new DoPlugin command extends functionality by loading an additional plugin module, and DoPluginResponse can delete the plugin module loaded by DoPlugin.
Functions such as the keylogger have been removed from custom Quasar, and the functionality that is needed is loaded on demand with DoPlugin, so the Quasar body itself carries little functionality. This is probably intended to evade detection by antivirus software.
Error log creation
Custom Quasar adds the ability to write an error log. The file path of the error log is hard-coded in the sample.
Communication method
Custom Quasar changes the encryption applied to communication with the C2 server. The original Quasar compresses traffic with QuickLZ and encrypts it with AES; custom Quasar adds an XOR encoding step on top. Figure 15 shows the added XOR encoding routine.
As with the configuration, AES was changed from CBC mode to CFB mode. The two layerings compare as follows:
· Quasar: QuickLZ + AES (CBC mode)
· Custom Quasar: QuickLZ + AES (CFB mode) + XOR
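The following Go program is an added example, not JPCERT/CC's code and not Quasar's own implementation. It puts the two envelopes above, and the CBC-to-CFB change in the configuration encryption described earlier, side by side so that the effect of the mode change can be seen on real bytes. Everything the page does not specify is an assumption and is marked as such in the code: the AES key is derived from ENCRYPTIONKEY with SHA-256 because the page does not describe Quasar's derivation, the IV is stored in front of the ciphertext, the XOR pass uses one repeating key byte because Figure 15's key schedule is not reproduced here, the QuickLZ step is omitted and the payload stands in for the compressed data, and the key and strings are constructed sample values. IdentifyConfigLayering shows the triage use: decode a Base64 configuration value by trying the original CBC layering first, falling back to CFB, and accepting only a result that is printable text, which tells a stock Quasar configuration from a custom-Quasar one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
	"unicode/utf8"
)

// Layering says how a blob is wrapped: original Quasar uses AES-CBC, custom Quasar AES-CFB plus an XOR pass
// over C2 traffic. QuickLZ is omitted (not in the standard library); the payload stands in for compressed data.
type Layering struct {
	CFB    bool // false = CBC (original Quasar), true = CFB (custom Quasar)
	XOR    bool // custom traffic only: XOR pass over the whole AES output
	XORKey byte // ASSUMPTION: Figure 15's key schedule is not on the page; one repeating byte stands in
}
var (
	OriginalConfig = Layering{}                                   // AES-CBC
	CustomConfig   = Layering{CFB: true}                          // AES-CFB
	CustomTraffic  = Layering{CFB: true, XOR: true, XORKey: 0x5A} // AES-CFB + XOR (key byte is constructed)
)

// Seal returns iv || ciphertext, XORed as a whole when the layering asks for it. ASSUMPTIONS: the IV-first
// layout is illustrative; SHA-256 stands in for Quasar's derivation from ENCRYPTIONKEY, which the page omits.
func Seal(l Layering, encryptionKey string, plaintext []byte) ([]byte, error) {
	key := sha256.Sum256([]byte(encryptionKey))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	var out []byte
	if l.CFB { // stream mode: output has the plaintext's length, no padding
		out = make([]byte, len(plaintext))
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, plaintext)
	} else { // block mode: PKCS#7 padding up to a multiple of 16 bytes
		n := aes.BlockSize - len(plaintext)%aes.BlockSize
		padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
		out = make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	}
	blob := append(iv, out...)
	for i := 0; l.XOR && i < len(blob); i++ { // custom traffic: XOR the whole envelope
		blob[i] ^= l.XORKey
	}
	return blob, nil
}

// Open inverts Seal. Only the CBC branch can fail on alignment or padding; CFB returns garbage for a wrong key.
func Open(l Layering, encryptionKey string, blob []byte) ([]byte, error) {
	if l.XOR { // copy, then strip the outer XOR layer before touching AES
		blob = append([]byte(nil), blob...)
		for i := range blob {
			blob[i] ^= l.XORKey
		}
	}
	key := sha256.Sum256([]byte(encryptionKey))
	block, err := aes.NewCipher(key[:])
	if err != nil || len(blob) < aes.BlockSize {
		return nil, errors.New("bad key or blob shorter than one IV")
	}
	iv, body := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(body))
	if l.CFB {
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, body)
		return out, nil
	}
	if len(body) == 0 || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("CBC body is not block aligned")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return out[:len(out)-n], nil
}

// IdentifyConfigLayering decodes one "AES + Base64" config value: try original CBC, then custom CFB, keep printable text.
func IdentifyConfigLayering(encryptionKey, encoded string) (Layering, string, error) {
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return Layering{}, "", err
	}
	for _, l := range []Layering{OriginalConfig, CustomConfig} {
		pt, err := Open(l, encryptionKey, blob)
		if err == nil && utf8.Valid(pt) && strings.IndexFunc(string(pt), func(r rune) bool { return r < 0x20 || r == 0x7f }) < 0 {
			return l, string(pt), nil
		}
	}
	return Layering{}, "", errors.New("neither layering yields printable text: wrong key or unknown variant")
}
```

The order of attempts matters. CFB is a stream mode, so a CFB ciphertext has the plaintext's length and is usually not block aligned; trying the CBC branch first therefore rejects most CFB blobs outright, and the padding and printable-text checks cover the rest. The reverse order would not work, because CFB decryption never fails by itself, it only returns garbage. The same holds for traffic: opening a custom-Quasar message with the original layering fails on alignment, while opening it with the XOR layer stripped and CFB applied round-trips the payload.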
C2 server activity
JPCERT/CC surveyed active C2 servers based on the Quasar Family characteristics described above. As of November 2020, a total of 76 IP addresses running C2 servers had been confirmed. Figure 16 shows the distribution of the Quasar Family C2 servers found in this survey.
C2 servers are running in multiple countries, which shows that Quasar and the Quasar Family are still being used in many attack activities.