
Detecting Quasar Windows RAT

Welcome to Corelight Labs' latest hunt! This blog continues our tradition of analyzing trending threat groups and TTPs on Any.Run and writing detectors for them, providing the community with open-source threat intelligence, and acting as a tutorial in engineering threat detections with Zeek® Script.

This month, we develop signatures that detect Quasar, a popular Windows-based remote access tool that has been abused for malware infections in the wild since 2014. Quasar was the #9 most-seen malware family in Q1-Q2 2024 by Spamhaus, and its variants have been used in 2024 attacks against financial institutions in Latin America. We will detect Quasar using a methodology similar to that used in our blog Detecting AsyncRAT Malware Over HTTPS, developing Zeek logic to help detect communications with Quasar servers.

We’ve released an open-source Zeek script to detect these signatures at our GitHub repository. Zeek users can install this package using zkg:

    zkg install zeek-quasarrat-detector

Our approach leverages Quasar's default configuration options when using self-signed TLS certificates. By default, Quasar uses the hard-coded TLS common name (CN) "Quasar Server CA", as seen in its open-source repository. When a client connects to this server over TLS for command-and-control, the server presents its certificate, and with TLS 1.2 and earlier that certificate (CN included) travels in cleartext during the handshake, where Suricata® signatures or Zeek scripts can match on it. One caveat: TLS 1.3 encrypts the server's Certificate message, so this indicator is only visible on the wire when an older protocol version is negotiated. Of course an attacker can change the default CN, but it's surprising how often they fail to do so (see below).

    module QuasarRAT;

    export {
        ## The notice when QuasarRAT C2 is observed.
        redef enum Notice::Type += { C2_Traffic_Observed, };
    }

    # Raised once the TLS handshake completes, by which point Zeek has
    # parsed the server certificate (when it was sent in the clear).
    event ssl_established(c: connection)
        {
        if ( ! c?$ssl )
            return;

        # Quasar's default self-signed certificate carries this subject.
        if ( c$ssl?$subject && c$ssl$subject == "CN=Quasar Server CA" )
            NOTICE([ $note=QuasarRAT::C2_Traffic_Observed,
                     $msg="Potential QuasarRAT C2 discovered via a default SSL certificate.",
                     $conn=c,
                     # Suppress repeat notices for the same client/server pair.
                     $identifier=cat(c$id$orig_h, c$id$resp_h) ]);
        }

While it is easy for an actor to reconfigure their TLS certificate, open-source threat intelligence suggests that some operators neglect to. On Any.Run we found many malware samples connecting to servers that present this default TLS CN. Internet scanning gives similar results: according to Shodan.io, the number of servers presenting this certificate rose around early 2023, and the count of public-facing servers with it has since stayed consistently between 20 and 40.

[Figure: Shodan.io count over time of public-facing servers presenting the "Quasar Server CA" certificate. Source: Shodan.io]
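The same indicator is worth running over archived ssl.log files, since a server that was already talking to your network before the live detector went in will not trigger it retroactively. The script below is an added example, not code from this blog or from the zeek-quasarrat-detector package: it parses Zeek's TSV ssl.log by its #fields header, selects records whose certificate subject is "CN=Quasar Server CA", collapses hits to distinct client/server pairs (the same key the Zeek script passes as $identifier), and separately counts TLS 1.3 connections where the subject is simply not observable. The log lines, addresses and uids are constructed for the example.

```python
"""Retro-hunt a Zeek ssl.log for Quasar's default TLS certificate.

Added example, not code from the Corelight blog or the
zeek-quasarrat-detector package. Applies the blog's indicator
(certificate subject "CN=Quasar Server CA") to an archived ssl.log.
The log content below is constructed; field names are Zeek's defaults.
"""

from typing import Dict, Iterable, List, Tuple

QUASAR_DEFAULT_SUBJECT = "CN=Quasar Server CA"

# Constructed sample of a Zeek ssl.log (tab-separated, #fields header).
# A real log has more columns; the parser keys on the header, so that is fine.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tversion\tserver_name\tsubject\tissuer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tstring\n"
    "1717000001.123456\tCxyz1\t10.0.0.5\t49152\t203.0.113.10\t4782"
    "\tTLSv12\t-\tCN=Quasar Server CA\tCN=Quasar Server CA\n"
    "1717000002.222222\tCxyz2\t10.0.0.7\t51000\t198.51.100.5\t443"
    "\tTLSv12\texample.com\tCN=example.com\tCN=Example CA,O=Example Inc,C=US\n"
    "1717000003.333333\tCxyz3\t10.0.0.5\t49160\t203.0.113.10\t4782"
    "\tTLSv12\t-\tCN=Quasar Server CA\tCN=Quasar Server CA\n"
    "1717000004.444444\tCxyz4\t10.0.0.9\t52222\t198.51.100.20\t8443"
    "\tTLSv13\t-\t-\t-\n"
    "#close\t2024-05-29-12-00-00\n"
)


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into dicts keyed by the #fields header.

    Zeek's unset marker "-" is normalised to an empty string so callers
    can test for "no value" uniformly.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close and friends carry no records
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def find_quasar_default_cert(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records whose server certificate subject is Quasar's default.

    Mirrors the Zeek script's check (c$ssl$subject == "CN=Quasar Server CA").
    Records with an empty subject never match.
    """
    return [r for r in records if r.get("subject") == QUASAR_DEFAULT_SUBJECT]


def unique_pairs(hits: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Collapse hits to distinct (orig_h, resp_h) pairs, in first-seen order,
    the same key the Zeek script uses as $identifier for notice suppression."""
    seen: List[Tuple[str, str]] = []
    for r in hits:
        pair = (r["id.orig_h"], r["id.resp_h"])
        if pair not in seen:
            seen.append(pair)
    return seen


def unobservable_subject(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """TLS 1.3 connections with no subject logged: the server certificate
    was encrypted, so this indicator could not be evaluated for them."""
    return [r for r in records if r.get("version") == "TLSv13" and not r.get("subject")]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_SSL_LOG)
    hits = find_quasar_default_cert(recs)
    for r in hits:
        print(f"{r['ts']} {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} "
              f"subject={r['subject']}")
    print("distinct client/server pairs:", unique_pairs(hits))
    print("TLS 1.3 connections with no observable subject:", len(unobservable_subject(recs)))
```

The "unobservable" count is the honest companion to any hit list from this indicator: a large number there means the archive cannot tell you whether those servers were Quasar or not, and a different indicator (JA3/JA3S, port, traffic shape) is needed for them.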

Conclusion

The example again shows that all is not lost when malware wraps its C2 traffic in TLS. In some cases, operational mistakes by the actor cause servers to announce themselves as risky. Be sure to head to https://github.com/corelight/zeek-quasarrat-detector to get the detection code we released with this blog!

We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.
