Cybercriminals distributed Quasar RAT through fake resumes

by Brendan Smith
August 27, 2019
Quasar distributed through fake resumes
Written by Brendan Smith

Cofense experts discovered a new phishing operation in which attackers infect Windows-based computers with Quasar Remote Administration Tool (RAT) using fake resumes.

While fake resumes and other types of documents are a fairly common method for delivering malware, one of the features of the new campaign is usage of several methods that complicate the analysis of infection vectors.

“Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection”, — report Cofense specialists.

Quasar is a well-known open source tool developed in C#, which has been repeatedly seen in the operations of various hacker groups, for example, APT33, APT10, Dropping Elephant, Stone Panda or The Gorgon Group.

Read also: Cybercriminals used Google Drive for targeted phishing

The program’s functionality includes the ability remotely connect to the desktop, record keystrokes and steal victims’ passwords, download and filter files, manage processes on an infected device, as well as take screenshots and record from web-cameras.

As part of a new phishing campaign, attackers, under a mask of a resume, distribute password-protected Microsoft Word documents. After entering the password “123” indicated in the phishing message, the document requests activation of the macro.

Quasar distributed through fake resumes

Original Email

A password of “123” is not particularly inventive, but to an automated system that processes attachments separately from emails it means that the document will be opened and no malicious activity will be recorded because the system has not determined either a need for a password or what the password is.

However, unlike other similar attacks in this case, the macro contains “junk” code encoded in base64, designed to disable the analytical tools installed on the computer.

“When the macro runs successfully, a series of images will appear on the screen, supposedly loading the content, but at the same time adding a “garbage” line to the contents of the document. Then an error message will be displayed, but at the same time, a malicious executable file will be downloaded and launched on the computer in the background”, — the experts explain.

Quasar infects the program through a 401 MB self-extracting executable file downloaded from a server controlled by cybercriminals. The large archive size complicates the task of malware analysis.

How to counteract an attack?

Along with automated tools, educating employees on new phishing trends is the best way of countering a campaign such as this.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

View all posts

Leave a Reply

Sending