A new phishing campaign uses fake resume attachments designed to deliver Quasar Remote Administration Tool (RAT) malicious payloads onto the Windows computers of unsuspecting targets.
Phishing is used by crooks who rely on social engineering to trick potential victims into handing over sensitive information via fraudulent websites they control, or to deliver malicious content via e-mails that appear to come from someone the victims know or from a legitimate organization.
While using fake resumes and various other types of documents is a very common trick abused by cybercriminals operating malspam campaigns, the one targeting Windows users with the Quasar Remote Administration Tool (RAT) spotted by Cofense researchers also adds multiple anti-analysis methods to camouflage the infection vectors.
Quasar RAT is a well-known open-source RAT developed using the C# programming language and known to have been used by a wide range of hacking groups including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.
Quasar’s capabilities include but are not limited to opening remote desktop connections, logging the victims’ key strokes and stealing their passwords, capturing screen snapshots and recording webcams, downloading and exfiltrating files, and managing processes on infected machines.
Delivery and infection process
The malspam campaign detected by Cofense distributes the Quasar RAT payload with the help of a password-protected fake resume Microsoft Word document, and it also “employs counter-detection measures to reach the end user.”
After the potential victims enter the ‘123’ password also included in the phishing message, the fake resume document will ask for macros to be enabled so it can start the infection process as most similar attacks do.
However, in this case, the macros also come with a small twist in the form of base64 encoded garbage code designed to crash analysis tools.
“If those strings are not decoded or the process decoding them has enough resources allocated, the resulting content still lacks the all-important payload URL,” found Cofense. “Instead, partial strings and filler text give some semblance of legitimacy.”
The campaign’s operators concealed payload URLs and other similar information used to propagate the infection within the metadata of other embedded objects and images.
“If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents,” also found the Cofense researchers. “It will then show an error message while downloading and running a malicious executable in the background.”
The Quasar RAT is dropped on the now compromised machine by downloading a 401 MB Microsoft Self Extracting executable from an attacker-controlled server, with the large size of the archive also making it harder for both malware analysts and dedicated automated analysis platforms to statically analyze its contents.
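The two evasion tricks described above, payload URLs tucked into the metadata of embedded images and junk strings sized to exhaust analysis tools, are both things a defender can check for before a document reaches a user. The script below is an added example written for this article, not code from Cofense's report or from the campaign: it builds a constructed stand-in for a Word document (a zip with the standard `word/media/` image directory), plants a placeholder URL in a PNG `tEXt` comment chunk, then scans every embedded image for URL-like strings in its text chunks while bounding the bytes it will read or inflate per entry so oversized or decompression-heavy content cannot stall the scanner. The URL, file names and size limit are all assumptions of the example.

```python
import io
import re
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
MAX_ENTRY_BYTES = 4 * 1024 * 1024  # per-entry work bound: filler data cannot exhaust the scanner
PLACEHOLDER_URL = b"http://payload-host.invalid/resume/update.exe"  # constructed, not an indicator from the report


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_chunks):
    """Build a minimal valid 1x1 RGB PNG carrying the given (keyword, text) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one scanline: filter byte + one black pixel
    png = PNG_SIG + _png_chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        png += _png_chunk(b"tEXt", keyword + b"\x00" + text)
    return png + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def png_text_chunks(data: bytes):
    """Yield (keyword, text) from tEXt and zTXt chunks; zTXt is inflated with a hard size cap."""
    if not data.startswith(PNG_SIG):
        return
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            keyword, _, text = body.partition(b"\x00")
            yield keyword, text
        elif ctype == b"zTXt":
            keyword, _, rest = body.partition(b"\x00")
            # rest[0] is the compression-method byte; max_length bounds the inflated output
            text = zlib.decompressobj().decompress(rest[1:], MAX_ENTRY_BYTES)
            yield keyword, text
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 crc


def scan_document(doc_bytes: bytes):
    """Scan embedded media in an Office (zip) document for URLs hidden in image metadata."""
    report = {"urls": [], "skipped_oversized": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.startswith("word/media/"):
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                # Do not read huge entries at all; record them for manual review instead
                report["skipped_oversized"].append(info.filename)
                continue
            data = zf.read(info.filename)
            for keyword, text in png_text_chunks(data):
                for m in URL_RE.finditer(text):
                    report["urls"].append(
                        (info.filename, keyword.decode("latin-1"), m.group(0).decode("latin-1"))
                    )
    return report


def build_sample_document() -> bytes:
    """Constructed stand-in for the phishing document: two images, one with a URL in a tEXt comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", build_png([(b"Comment", b"Loading... " + PLACEHOLDER_URL)]))
        zf.writestr("word/media/image2.png", build_png([(b"Software", b"constructed sample")]))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, keyword, url in scan_document(build_sample_document())["urls"]:
        print(f"{entry}: {keyword} -> {url}")
```

The size bound is the point worth copying: a scanner that must finish in fixed time should decide up front how much of each embedded object it will read or inflate, and report what it skipped rather than trying to decode everything the document throws at it.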
Indicators of compromise (IoCs) including MD5 hashes of malware artifacts and network indicators such as domains used to distribute the Quasar payloads are available at the end of Cofense’s report.
RATs are spreading
In related news, threat actors have been using various RAT flavors against a wide range of targets this year alone, with Adwind (also known as jRAT, AlienSpy, JSocket, and Sockrat) being used in attacks against entities from the utility industry just last week.
Also, in August, attackers used a cocktail of new backdoor and RAT malware dubbed BalkanDoor and BalkanRAT, respectively, to target multiple entities from the Balkans as found by ESET researchers.
A new kit for web-based attacks dubbed Lord EK was also spotted at the beginning of August as part of a malvertising chain using the PopCash ad network to drop an initial njRAT payload after abusing a use-after-free vulnerability in Adobe Flash.
Threat actors also used a new RAT dubbed LookBack by the Proofpoint Threat Insight Team researchers, who spotted it being delivered in a late-July spear-phishing campaign targeting three U.S. entities from the utility sector.
Back in June, Microsoft also issued an alert about an active spam campaign that attempted to infect Korean targets with FlawedAmmyy RAT malware payloads dropped via malicious XLS attachments.
Earlier that month, Cofense’s research team discovered another phishing campaign distributing a new malware dubbed WSH RAT, actively targeting commercial banking customers with its information-stealing and keylogging capabilities.