CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Detecting Quasar Windows RAT

Welcome to Corelight Labs' latest hunt! This blog continues our tradition of analyzing trending threat groups and TTPs on Any.Run and writing detectors for them, providing the community with open-source threat intelligence, and acting as a tutorial in engineering threat detections with Zeek® Script.

This month, we develop signatures that detect Quasar, a popular Windows-based remote access tool that has been abused for malware infections in the wild since 2014. Quasar was the #9 most-seen malware family in Q1-Q2 2024 by Spamhaus, and its variants have been used in 2024 attacks against financial institutions in Latin America. We will detect Quasar using a methodology similar to that used in our blog Detecting AsyncRAT Malware Over HTTPS, developing Zeek logic to help detect communications with Quasar servers.

We’ve released an open-source Zeek script to detect these signatures at our GitHub repository. Zeek users can install this package using zkg:

    
     

zkg install zeek-quasarrat-detector

Our approach leverages Quasar’s default configuration options when using self-signed TLS certificates. By default, Quasar uses the hard-coded TLS common name (CN) “Quasar Server CA”, as seen in its open-source repository. When a client connects to this server using a TLS connection for command-and-control, the server will present its CN in cleartext, which Suricata® signatures or Zeek scripts can detect. Of course an attacker can change this default, but it’s surprising how often they fail to do so (see below).

    
     

module QuasarRAT;


export {

    ## The notice when QuasarRAT C2 is observed.

    redef enum Notice::Type += { C2_Traffic_Observed, };

}


event ssl_established(c: connection)

    {

      if ( ! c?$ssl )

           return;


      if ( c$ssl?$subject && c$ssl$subject == "CN=Quasar Server CA" )

          NOTICE([ $note=QuasarRAT::C2_Traffic_Observed,

$msg="Potential QuasarRAT C2 discovered via a default SSL

certificate.", $conn=c,

           $identifier=cat(c$id$orig_h, c$id$resp_h) ]);

}

While it is easy for an actor to reconfigure their TLS, open-source threat intelligence implies that some servers neglect this. We found that malware connects to servers with this default TLS CN in abundance on Any.Run. Internet scanning leads to similar results: according to Shodan.io, there was a rise in servers with this certificate around early 2023, and the number of public-facing servers with it remains consistently between 20 and 40.

Quasar Windows RAT
Source: Shodan.io

Conclusion

The example again shows that all is not lost when malware uses HTTPS to communicate with its C2 server. In some cases, operational mistakes from the actor can cause servers to announce themselves as risky. Be sure to head to https://github.com/corelight/zeek-quasarrat-detector to get the detection code we released with this blog!

We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.

Recent Posts