Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-text-to-speech domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-bookmark-follow domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the soledad domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-paywall domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the penci-frontend-submission domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/revifuxl/hacksbyte.com/wp-includes/functions.php on line 6114
Quasar RAT Leverages DLL Side-Loading to fly under the Radar – HacksByte

Quasar RAT Leverages DLL Side-Loading to fly under the Radar

The open-source remote access Trojan known as Quasar RAT has been observed taking advantage of DLL side-loading to fly under the radar and silently siphon data from compromised Windows hosts.

“This technique takes advantage of the inherent trust of these files within the Windows environment,” Uptycs researchers Tejaswini Sandapolla and Karthikkumar Kathiresan said in a report published last week. Detailing the malware’s reliance on ctfmon.exe and calc.exe as part of its attack chain.

Also known as CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of obtaining system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.

DLL side-loading is a popular technique adopted by many threat actors to execute their own payload by planting a fake DLL file with a name that is recognizable to an individual looking for a benign executable.

“Adversaries use side-loading as a means to conceal actions taken under a potentially legitimate, trusted, and potentially advanced system or software process,” MITRE writes in its explanation of the attack methodology.

The starting point of the attack documented by Uptycs is an ISO image file containing three files: a legitimate binary named ctfmon.exe named eBill-997358806.exe, a MsCtfMonitor.dll file named monitor.ini, And a malicious MsCtfMonitor.dll.

The researchers said, “When the binary file ‘eBill-997358806.exe’ is run, it initiates the loading of a file named ‘MsCtfMonitor.dll’ (name hidden) through DLL side-loading technology, within which The malicious code is hidden.”

The hidden code is another executable “FileDownloader.exe” that’s injected into Regasm.exe, the Windows Assembly Registration Tool, in order to launch the next stage, an authentic calc.exe file that loads the rogue Secure32.dll again through DLL side- loading and launching the final Quasar RAT payload.

The trojan, for its part, establishes connections with a remote server to send system information and even sets up a reverse proxy for remote access to the endpoint.

The identity of the threat actor and the exact initial access vector used to pull off the attack is unclear, but it’s likely to be disseminated by means of phishing emails, making it imperative that users be on the guard for dubious emails, links, or attachments.

Related posts

Warning: New secret “RustDoor” backdoor is targeting Apple macOS devices

Security expert turns out to be a scammer, used Apple’s bug to rob the company of $2.5 million

Kimsuky’s New Golang Stealer ‘Troll’ and ‘GoBear’ Backdoor Targets South Korea

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More