Encrypted Configuration and Obfuscation Techniques

In the second installment of the “Advent of Configuration Extraction” series, Sekoia.io researchers have unwrapped QuasarRAT, a widely deployed .NET remote access trojan (RAT), and documented how its encrypted configuration can be extracted from both clean and obfuscated binary samples.

The analysis demonstrates a reproducible methodology using Jupyter Notebook, pythonnet, and dnSpy, providing cybersecurity professionals with practical tools to combat this persistent threat.

QuasarRAT, initially launched in 2014 under the name xRAT, represents a significant challenge in the cybersecurity landscape.

Published on GitHub as an ostensibly legitimate Windows remote administration tool, the open-source RAT has been systematically weaponized by cybercriminals and nation-state actors alike.

JPCERT’s comprehensive presentation at Botconf 2020 documented the malware’s evolution, cataloging numerous variants and their expanding capabilities across multiple attack campaigns.

Implemented in C# on the .NET Framework, QuasarRAT’s accessibility has made it a favorite among threat actors.

The malware supports an extensive array of remote administration functions, including system reconnaissance, file manipulation, remote desktop viewing, keylogging, and arbitrary command execution.

While these capabilities theoretically serve legitimate administrative purposes, researchers have observed QuasarRAT deployed in cyber espionage operations, unauthorized surveillance campaigns, and intrusions orchestrated by both independent threat actors and state-aligned groups.

Technical Architecture

The configuration extraction methodology relies on a sophisticated analysis environment combining multiple specialized tools.

At its foundation, the framework employs dnlib, an open-source .NET library designed for deep inspection and modification of .NET assemblies.

This library exposes metadata, types, methods, attributes, and Intermediate Language (IL) instructions programmatically, enabling granular malware analysis.

The analysis environment integrates pythonnet as a critical bridge, allowing Python code to invoke dnlib’s APIs seamlessly.

Figure: decompiled (C#) view of the Settings class from the Config namespace in dnSpy.

This combination enables researchers to decompile individual functions, traverse assembly structures including namespaces, classes and methods, and extract custom types, metadata entries, and embedded strings.

The entire analysis environment has been containerized with Docker, ensuring portability and reproducibility across different analysis setups.

IL, also known as Microsoft IL (MSIL) or Common IL (CIL), operates as a stack-based intermediate bytecode.

The stack machine architecture means instructions push values onto a stack while other operations pop values for processing.

Each IL instruction consists of an opcode (the operation such as ldstr, stloc, or call) and an optional operand providing additional data like strings, class references, integers, or branch targets.

For unobfuscated QuasarRAT samples compiled with DEBUG disabled, the extraction strategy targets the Settings class within the Config namespace.

This class contains critical configuration keys including version, hosts, reconnect delay, installation parameters, encryption keys, and server certificates. The configuration resides in static fields initialized by the class’s static constructor (.cctor method).

The extraction process begins by locating the target namespace and class through iterative traversal of the module’s types.

Once identified, the extractor walks the static constructor’s IL instructions, searching for paired operations in which ldstr pushes a literal string and the very next instruction (stsfld) stores it into the corresponding static field of the class.

This pattern-matching approach retrieves the literal value assigned to each configuration field in unobfuscated samples.

The advanced extraction strategy leverages QuasarRAT’s runtime decryption mechanisms. Source code analysis reveals the malware uses AES-256 in CBC mode, with key derivation performed via PBKDF2.

The Aes256 cryptography module utilizes the default system implementation of AES, with the encryption key stored as a class member and initialized in the static constructor.

Critical to this approach is locating the Aes256 class, which is done by scanning method bodies for instantiations of System.Security.Cryptography.AesCryptoServiceProvider.

In .NET IL, static fields are initialised by the class’s static constructor, a special method named .cctor (class constructor).

Figure: decompiled (IL) view of the Settings static constructor.

The salt, a private static byte array, is recovered by resolving the metadata token that the static constructor loads with the ldtoken instruction: the C# compiler stores the array’s initial bytes in an RVA-backed field and copies them into the array with RuntimeHelpers.InitializeArray, so reading that field’s initial value yields the salt bytes.
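As an added example (not code from the original article or from the Sekoia.io extractor), the walker below implements the ldstr/stsfld pattern matching described for clean samples, the ldtoken-based recovery of the static salt array, and the PBKDF2 step of the key derivation. It is written in Python against the attribute names dnlib exposes through pythonnet (Instruction.OpCode.Name, Instruction.Operand, FieldDef.InitialValue, MethodDef.Name), but the instruction streams, field names, string values and the 50,000 iteration count are constructed stand-ins and assumptions, not values taken from a real sample.

```python
"""Walk a .NET static constructor (.cctor) and recover the values it assigns.

Added example, not the Sekoia extractor. The walker reads only the attribute names
dnlib exposes through pythonnet (Instruction.OpCode.Name, Instruction.Operand,
FieldDef.Name, FieldDef.InitialValue, MethodDef.Name), so it can be pointed at a real
Settings..cctor body. Everything below is a constructed stand-in: field names, values
and the PBKDF2 iteration count are illustrative assumptions, not from a real sample.
"""
import hashlib
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class OpCode:            # stand-in for dnlib.DotNet.Emit.OpCode
    Name: str

@dataclass
class Field:             # stand-in for dnlib.DotNet.FieldDef
    Name: str
    InitialValue: Optional[bytes] = None   # set only for RVA-backed array initialisers

@dataclass
class Method:            # stand-in for dnlib.DotNet.MethodDef
    Name: str

@dataclass
class Instruction:       # stand-in for dnlib.DotNet.Emit.Instruction
    OpCode: OpCode
    Operand: Any = None

def ins(name: str, operand: Any = None) -> Instruction:
    return Instruction(OpCode(name), operand)

# Short-form integer loads carry the value in the opcode name, not in an operand.
LDC_I4_SHORT = {**{f"ldc.i4.{n}": n for n in range(9)}, "ldc.i4.m1": -1}


def extract_static_config(body):
    """Return (direct, transformed): static field name -> value.

    Recognised in a .cctor:  ldstr "..." / ldc.i4* n  ->  stsfld F
                             ldtoken <RVA field>; call InitializeArray  ->  stsfld F (byte[])
    A literal that passes through any other call before stsfld (what a string
    obfuscator emits) is reported in `transformed` instead of being trusted as-is.
    """
    direct, transformed = {}, {}
    pending, through_call = None, False   # last literal pushed; did a call consume it?
    for cur in body:
        op = cur.OpCode.Name
        if op == "ldstr":
            pending, through_call = cur.Operand, False
        elif op in LDC_I4_SHORT:
            pending, through_call = LDC_I4_SHORT[op], False
        elif op in ("ldc.i4", "ldc.i4.s"):
            pending, through_call = int(cur.Operand), False
        elif op == "ldtoken" and getattr(cur.Operand, "InitialValue", None) is not None:
            pending, through_call = bytes(cur.Operand.InitialValue), False   # initialiser bytes
        elif op in ("call", "callvirt", "newobj"):
            # RuntimeHelpers.InitializeArray only copies the RVA bytes; any other
            # callee (e.g. an obfuscator's string decoder) changes the value first.
            if str(getattr(cur.Operand, "Name", "")) != "InitializeArray":
                through_call = True
        elif op == "stsfld" and pending is not None:
            (transformed if through_call else direct)[str(cur.Operand.Name)] = pending
            pending, through_call = None, False
    return direct, transformed


def derive_aes_key(master_key: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 as .NET's Rfc2898DeriveBytes computes it (HMAC-SHA1, UTF-8 password),
    32 bytes for AES-256. The iteration count must be read from the sample's Aes256
    constructor, so it is a parameter here rather than a hard-coded number."""
    return hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt, iterations, 32)


# Constructed Settings..cctor of a release build: config strings sit in the fields as
# base64 ciphertext, the master key is usable as-is, and VERSION shows the decoder
# call a string obfuscator inserts before the store.
SETTINGS_CCTOR = [
    ins("ldstr", "QkFTRTY0X0NJUEhFUlRFWFQ="),  ins("stsfld", Field("HOSTS")),
    ins("ldstr", "h2z9Q7v1MasterKeyExample"),  ins("stsfld", Field("ENCRYPTIONKEY")),
    ins("ldc.i4", 3000),                        ins("stsfld", Field("RECONNECTDELAY")),
    ins("ldc.i4.1"),                            ins("stsfld", Field("INSTALL")),
    ins("ldc.i4", 1337), ins("call", Method("DecodeString")), ins("stsfld", Field("VERSION")),
    ins("ret"),
]

# Constructed Aes256..cctor: `static byte[] Salt = { ... }` compiles to
# newarr / dup / ldtoken <RVA field> / call InitializeArray / stsfld Salt.
SALT_RVA = Field("__StaticArrayInitTypeSize=32", InitialValue=bytes(range(32)))
AES256_CCTOR = [
    ins("ldc.i4.s", 32), ins("newarr", "System.Byte"), ins("dup"),
    ins("ldtoken", SALT_RVA), ins("call", Method("InitializeArray")),
    ins("stsfld", Field("Salt")), ins("ret"),
]


def demo():
    settings, obfuscated = extract_static_config(SETTINGS_CCTOR)
    salt = extract_static_config(AES256_CCTOR)[0]["Salt"]
    key = derive_aes_key(settings["ENCRYPTIONKEY"], salt, iterations=50_000)  # count assumed
    return settings, obfuscated, salt, key
```

Against a real sample under pythonnet, the constructed lists are replaced by the `Body.Instructions` of the `.cctor` methods found through the namespace and type traversal, and dnlib’s `FieldDef.InitialValue` supplies the RVA bytes for the salt. The AES-256-CBC decryption of the stored strings is not shown here; the derived key is what that step would consume.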

Cross-reference analysis then pinpoints the Settings Initialize method as the sole caller of the decryption routine.

Implications and Future Applications

This systematic approach to configuration extraction demonstrates the viability of automated analysis for .NET-based malware.

While specifically tailored to QuasarRAT, the modular workflow emphasizing namespace traversal, cross-reference resolution, and opcode comparison adapts readily to other .NET threats employing similar initialization patterns and cryptography APIs.

The complete QuasarRAT extractor code has been published in the Sekoia.io Community Git repository, providing the cybersecurity community with practical tools for threat intelligence and incident response.

By combining reproducible lab environments with thorough understanding of .NET Intermediate Language, security professionals can systematically locate critical classes, recover cryptographic parameters, and assemble fully automated extractors capable of harvesting command-and-control settings.

Although this methodology does not universally cover packed samples or QuasarRAT variants substituting alternative ciphers, it delivers accurate results for the majority of real-world deployment scenarios.
