Quasar RAT: common malware used by several state-sponsored cyber threat actors

Cyber Warfare Asia
3 min read · May 13, 2022


The cyber espionage threat group TA410, known for targeting US-based organizations in the utility sector as well as diplomatic organizations in the Middle East and Africa, is actually an umbrella group consisting of three distinct threat actors using different toolsets. TA410 is loosely linked to APT10 (aka Stone Panda or TA429). For initial access, TA410 mainly relies on spear-phishing and on exploiting vulnerable internet-facing applications such as Microsoft Exchange, SQL Server, and SharePoint.

TA410 was first observed by Proofpoint in August 2019, when the espionage group deployed phishing campaigns carrying a modular malware called LookBack. The campaign used macro-laden documents sent to utility providers across the US.

TA410 is an umbrella group consisting of three different threat actors using different toolsets.

ESET researchers have identified that TA410 is actually a mixture of three subgroups named FlowingFrog, LookingFrog, and JollyFrog. The three groups have different toolsets and targets but use very similar tactics, techniques, and procedures (TTPs). ESET believes the subgroups share intelligence requirements, the access team that runs their spear-phishing campaigns, and the team that deploys network infrastructure.

According to the researchers, the subgroup FlowingFrog has its own distinct mode of operation and has deployed phishing campaigns against specific targets, namely universities, a foreign diplomatic mission in China, and a mining company in India. This group also uses Royal Road, a malicious document builder that produces weaponized RTF documents exploiting known Microsoft Office (Equation Editor) vulnerabilities.

The second subgroup, LookingFrog, usually targets diplomatic missions, charity organizations, and government entities using two malware families: X4 and LookBack. X4 is a custom backdoor used as a first stage before LookBack is deployed. LookBack is a RAT made up of several components: a C2 proxy tool, a malware loader, and a communications module that establishes the C2 channel.

The final actor of the TA410 umbrella group is JollyFrog, which targets entities in education, religion, and the military. This group relies exclusively on generic, off-the-shelf malware from known families, namely QuasarRAT and Korplug (also known as PlugX).

The Quasar remote access Trojan was developed by GitHub user MaxXor as an open-source remote administration tool intended for legitimate use. It was first released in July 2014 as "xRAT 2.0" and renamed "Quasar" in August 2015. It is written in C# and, in malicious campaigns, is typically distributed via attachments in phishing emails. Quasar RAT's capabilities include capturing screenshots, recording the webcam, reverse proxying, editing the registry, spying on the user's actions, keylogging, and stealing passwords.

QuasarRAT has previously been used by many cyber espionage groups, including APT33, APT10 (Stone Panda), Dropping Elephant (Patchwork), and the Gorgon Group.

In 2017, the DustySky campaign targeted government institutions in the Middle East using Quasar RAT. In January 2018, attackers targeted the Ukrainian Ministry of Defence with Quasar RAT.

In April 2017, researchers from PwC UK and BAE Systems identified a wide-ranging hacking campaign, dubbed Operation Cloud Hopper, targeting managed service providers (MSPs) in several regions around the world. The evidence they assembled pointed to APT10's involvement.

In November 2020, analysts revealed a large-scale campaign operated by China-based APT10 that targeted several conglomerates using the ZeroLogon vulnerability. The attackers exploited a vulnerability in the web management interface of a security firm in Taiwan and planted a web shell to deploy Quasar RAT on the target system.

In 2016, APT Dropping Elephant, led by Phronesis (founded by Brigadier Prabhakar Bryan Miranda), was highlighted for targeting diverse high-profile actors with its attack tools. The victims were all connected to China's foreign relations. In December 2017, Trend Micro revealed that the espionage group Dropping Elephant, also known as Patchwork, deployed phishing attacks using Quasar RAT as the payload in some of its targeted attacks delivered through Drive.

In the end, we can say that Phronesis has emerged as one of India's offensive cyber threat actors, having deployed large-scale cyber attacks through state-sponsored advanced persistent threat actors such as Dropping Elephant (Patchwork) and Confucius.
