QuasarRAT, initially surfacing in 2014 under the alias xRAT, began its lifecycle as a legitimate remote administration tool for Windows environments.
Over the last decade, however, its open-source nature and accessibility have facilitated its transformation into a potent instrument for cybercriminals.
The malware is built on the .NET Framework using C#, making it highly adaptable for diverse malicious campaigns ranging from data theft to network intrusions.
Threat actors leverage QuasarRAT for a broad spectrum of intrusive activities, including unauthorized surveillance and cyber espionage operations.
Its capabilities include extracting system information, managing files, logging keystrokes, and executing arbitrary commands.
These features allow attackers to maintain persistent control over compromised systems, making it a preferred choice for both independent hackers and state-aligned groups seeking a lightweight, customizable payload to breach networks.
Sekoia security analysts identified that QuasarRAT’s popularity stems from its ease of modification and the availability of its source code on platforms like GitHub.
This accessibility enables attackers to recompile the malware with bespoke functionalities, tailoring it to specific targets.
The malware’s impact is further amplified by its ability to evade basic detection mechanisms through continuous code adaptation, ensuring it remains a persistent threat.
The core danger lies in its versatility. Whether used for financial theft or gathering intelligence, QuasarRAT integrates seamlessly into various attack chains.
Its design supports the addition of new features, ensuring it remains a relevant threat in the landscape.
Unwrapping Encrypted Configuration and Obfuscation
Recent QuasarRAT samples implement advanced obfuscation to conceal configuration data. While standard builds might leave settings in plain text, malicious variants frequently employ heavy obfuscation.
These variants utilize AES-256 encryption in CBC mode to secure critical data like Command-and-Control (C2) servers. The decryption key is often derived using PBKDF2 with a hardcoded salt value found in the Aes256 class.
To recover the configuration despite this obfuscation, analysts combine Python with .NET libraries such as dnlib to inspect the assembly's Intermediate Language (IL) code statically.
The extraction process involves locating the static constructor (.cctor) where the AES key is initialized.
By walking its IL instructions, specifically looking for an ldstr opcode (which pushes a string literal) followed by stsfld (which stores it into a static field), researchers can recover the cryptographic material. This allows retrieval of the AES key and salt without executing the sample.
For heavily obfuscated samples, the decryption routine is identified by tallying method calls within the Settings class. Once the decryption function and the salt are isolated, the configuration strings can be decrypted, revealing the attacker’s infrastructure. This effectively counters attempts to hide indicators of compromise.
