Researchers from Uptycs noted that Quasar RAT, also known as CinaRAT or Yggdrasil, capitalizes on the inherent trust Windows places in certain files, such as ctfmon.exe and calc.exe, to execute its malicious activities. This C#-based remote administration tool is versatile, capable of collecting system data, logging keystrokes, taking screenshots, and running arbitrary shell commands.
DLL side-loading is a tactic often employed by threat actors to disguise their actions under legitimate and trusted system or software processes. In the case documented by Uptycs, the attack begins with an ISO image file containing three files: a legitimate binary (ctfmon.exe) renamed to eBill-997358806.exe, a MsCtfMonitor.dll file renamed to monitor.ini, and a malicious MsCtfMonitor.dll.
When the renamed binary (eBill-997358806.exe) is executed, it employs the DLL side-loading technique to conceal malicious code within the masqueraded ‘MsCtfMonitor.dll’ file, launching the next stage – an executable known as “FileDownloader.exe” injected into Regasm.exe. This leads to the execution of a genuine calc.exe file via DLL side-loading, ultimately launching the final Quasar RAT payload.
The trojan creates connections with a remote server to send system information and even establishes a reverse proxy for remote access to the infected endpoint. The exact identity of the threat actor and the initial access method remain unclear, but it is suspected that phishing emails may play a role in the distribution of this malware. Therefore, users are urged to exercise caution when dealing with suspicious emails, links, or attachments.