Cybercriminals distributed Quasar RAT through fake resumes

by Brendan Smith
August 27, 2019

Cofense experts discovered a new phishing operation in which attackers infect Windows-based computers with Quasar Remote Administration Tool (RAT) using fake resumes.

While fake resumes and other types of documents are a fairly common method for delivering malware, one of the features of the new campaign is usage of several methods that complicate the analysis of infection vectors.

“Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection”, — report Cofense specialists.

Quasar is a well-known open source tool developed in C#, which has been repeatedly seen in the operations of various hacker groups, for example, APT33, APT10, Dropping Elephant, Stone Panda or The Gorgon Group.

Read also: Cybercriminals used Google Drive for targeted phishing

The program’s functionality includes the ability remotely connect to the desktop, record keystrokes and steal victims’ passwords, download and filter files, manage processes on an infected device, as well as take screenshots and record from web-cameras.

As part of a new phishing campaign, attackers, under a mask of a resume, distribute password-protected Microsoft Word documents. After entering the password “123” indicated in the phishing message, the document requests activation of the macro.

Quasar distributed through fake resumes

Original Email

A password of “123” is not particularly inventive, but to an automated system that processes attachments separately from emails it means that the document will be opened and no malicious activity will be recorded because the system has not determined either a need for a password or what the password is.

However, unlike other similar attacks in this case, the macro contains “junk” code encoded in base64, designed to disable the analytical tools installed on the computer.

“When the macro runs successfully, a series of images will appear on the screen, supposedly loading the content, but at the same time adding a “garbage” line to the contents of the document. Then an error message will be displayed, but at the same time, a malicious executable file will be downloaded and launched on the computer in the background”, — the experts explain.

Quasar infects the program through a 401 MB self-extracting executable file downloaded from a server controlled by cybercriminals. The large archive size complicates the task of malware analysis.

How to counteract an attack?

Along with automated tools, educating employees on new phishing trends is the best way of countering a campaign such as this.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.

View all posts

Leave a Reply

Sending