1. Home
  2. Software
  3. QuasarRAT

QuasarRAT

QuasarRAT is an open-source, remote access tool that is publicly available on GitHub. QuasarRAT is developed in the C# language. [1] [2]

ID: S0262
Associated Software: xRAT
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 22 June 2021

Associated Software Descriptions

Name Description
xRAT

[3][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[1]
Enterprise T1555 Credentials from Password Stores

QuasarRAT can obtain passwords from common FTP clients.[1][2]
.003 Credentials from Web Browsers

QuasarRAT can obtain passwords from common web browsers.[1][2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

QuasarRAT uses AES to encrypt network communication.[1][2]
Enterprise T1105 Ingress Tool Transfer

QuasarRAT can download files to the victim’s machine and execute them.[1][2]
Enterprise T1056 .001 Input Capture: Keylogging

QuasarRAT has a built-in keylogger.[1][2]
Enterprise T1112 Modify Registry

QuasarRAT has a command to edit the Registry on the victim’s machine.[1]
Enterprise T1090 Proxy

QuasarRAT can communicate over a reverse proxy using SOCKS5.[1][2]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

QuasarRAT has a module for performing remote desktop access.[1][2]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.[2]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[2]
Enterprise T1082 System Information Discovery

QuasarRAT has a command to gather system information from the victim’s machine.[1]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

QuasarRAT can obtain passwords from FTP clients.[1][2]
Enterprise T1125 Video Capture

QuasarRAT can perform webcam viewing.[1][2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group

[5]
G0040 Patchwork

[3][2]
G0045 menuPass

[6][7][4]
G0135 BackdoorDiplomacy

[8]

References

  1. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  2. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  3. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  4. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  1. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  2. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  3. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  4. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021