On October 23, 2023, new insights emerged regarding the cyberthreat tactics of the open-source remote access trojan (RAT) known as Quasar RAT. Notably, it employs DLL side-loading, a method allowing it to discreetly infiltrate and extract data from vulnerable Windows systems.
Quasar RAT, also identified as CinaRAT or Yggdrasil, is a remote administration tool coded in C#. It’s designed to collect a variety of system data, including running applications, files, keystrokes, and screenshots, as well as to carry out unrestricted shell commands.
DLL side-loading, a tactic favored by numerous cybercriminals, involves planting a malicious DLL that carries the same name as one a legitimate executable searches for, so that the executable loads the attacker's library instead. MITRE notes that attackers often prefer side-loading to camouflage their activities, operating under the guise of a genuine, trusted, or possibly high-privileged system or software process.
According to Uptycs, the assault commences with an ISO image file comprising three distinct files: a genuine binary (ctfmon.exe) renamed to eBill-997358806.exe, a MsCtfMonitor.dll file rebranded as monitor.ini, and a pernicious MsCtfMonitor.dll.
Execution of eBill-997358806.exe triggers the side-loading of the deceptively named MsCtfMonitor.dll, which hides the malicious code. Inside it is another executable, FileDownloader.exe, which is then injected into Regasm.exe (the Windows Assembly Registration Tool). This sets the stage for a legitimate calc.exe to load a fraudulent Secure32.dll, again via side-loading, which launches the final Quasar RAT payload.
Once active, the trojan connects to an external server, transmitting system details and establishing a reverse proxy to remotely access the victim’s system.
While the exact identity of the perpetrator and the initial access vector remain uncertain, the prevalent theory suggests distribution through phishing emails. This underlines the necessity for users to exercise caution with suspicious emails, links, or file attachments.