Threat Actors Using Bat Files to Deploy Quasar RAT


Remote Access Trojans (RATs) like Quasar have been a persistent threat for years, enabling attackers to control infected systems remotely.

Recent SANS research has uncovered a new and particularly stealthy Quasar campaign, characterized by strong obfuscation and an innovative anti-sandbox technique.

The infection begins with a batch (.bat) script attached to a seemingly harmless document. When executed, this script opens a decoy Office file to lower suspicion while quietly downloading an obfuscated second-stage batch file from a remote server.


SANS researchers’ analysis revealed that this secondary file is heavily obfuscated:

  • It uses numerous environment variables with random names.
  • “Goto” statements make the execution path confusing.
  • Large sections are broken up with random comments and junk instructions to hinder code analysis.

Bat Files to Deploy Quasar RAT

The most notable feature in this campaign is its sandbox evasion. Before delivering its core payload, the malware checks what type of hard disk is present on the system.

If it detects a virtual drive of the kind commonly used by malware analysts and sandboxes (such as “QEMU HARDDISK”), the script terminates itself, making automated analysis much more difficult.

According to the researchers, this is the first time they have observed this particular technique, checking the disk’s “FriendlyName” value, being used to disrupt security researchers’ investigations.

After passing its evasion checks, the malware reaches its main objective:

  • It silently downloads an image file (.png) that actually contains encrypted malicious code.
  • A custom PowerShell command hidden in even more obfuscated code decrypts and decompresses the information in the image.
  • The decrypted code is then injected directly into system memory, running without touching disk in a manner that’s hard for traditional antivirus to detect.

To maintain access, the malware sets up a scheduled task for persistence, ensuring that it runs at regular intervals.

Communications with its remote server are managed via an address that uses port forwarding, increasing its ability to stay hidden from network defenses.

Defensive Recommendations

  1. Monitor for suspicious use of PowerShell and batch files, especially those that chain together in unusual ways.
  2. Inspect disk metadata checks—legitimate software seldom checks physical disk names, making this a possible red flag for detection tools.
  3. Blocklist known C2 infrastructure and file-hosting services referenced in the campaign.
  4. Adopt behavioral detection: Look for process injection, use of encrypted payloads in images, and persistence via scheduled tasks.
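The recommendations above (and the disk “FriendlyName” check described earlier) translate directly into command-line heuristics over process-creation telemetry. The following is an added example, not code from SANS or from the article: a small Python detector run over constructed Sysmon-style process-creation events. The rule names, the `SAMPLE_EVENTS` records, and the paths and PIDs in them are all hypothetical; `Get-PhysicalDisk` and `wmic diskdrive` are real Windows commands that expose physical disk names.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon Event ID 1 style.
# These are illustrative records, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\invoice.bat"'},
    {"pid": 4132, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -NoP -W Hidden -c "Get-PhysicalDisk | Select-Object FriendlyName"'},
    {"pid": 4140, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'},
    {"pid": 4150, "ppid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\victim\AppData\Roaming\u.bat" /f'},
    # Benign control: PowerShell launched by an installed agent with a script file.
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": r'powershell.exe -File "C:\Program Files\Backup\rotate.ps1"'},
]

# Case-insensitive because cmd.exe and PowerShell switches are case-insensitive.
# Legitimate software rarely enumerates physical disk names (recommendation 2).
DISK_QUERY_RE = re.compile(
    r"Get-PhysicalDisk|Get-Disk\b|FriendlyName|Win32_DiskDrive|wmic\s+diskdrive", re.I)
# Encoded command or hidden window: common in obfuscated PowerShell stages.
ENCODED_OR_HIDDEN_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S|(?:^|\s)-(?:w|win|windowstyle)\s+hidden", re.I)
# Scheduled-task persistence whose action lives in a user-writable location (recommendation 4).
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Downloads|Temp|Public)\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the hypothetical rule names that a single event trips."""
    hits = []
    child, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev["cmdline"]
    # Recommendation 1: batch file chaining into PowerShell.
    if parent == "cmd.exe" and child in ("powershell.exe", "pwsh.exe"):
        hits.append("batch_spawned_powershell")
    if DISK_QUERY_RE.search(cmd):
        hits.append("disk_metadata_query")
    if ENCODED_OR_HIDDEN_RE.search(cmd):
        hits.append("encoded_or_hidden_powershell")
    if SCHTASKS_CREATE_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        hits.append("scheduled_task_from_user_path")
    return hits


def find_batch_chains(events: list, min_rules: int = 2) -> dict:
    """Correlate by parent PID: a parent whose children collectively trip
    min_rules distinct rules looks like a staged batch/PowerShell chain."""
    by_parent = defaultdict(set)
    for ev in events:
        for hit in score_event(ev):
            by_parent[ev["ppid"]].add(hit)
    return {ppid: sorted(rules) for ppid, rules in by_parent.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], score_event(ev))
    print("suspicious chains:", find_batch_chains(SAMPLE_EVENTS))
```

Single rules fire on benign activity too (an administrator may run `Get-PhysicalDisk` by hand), which is why `find_batch_chains` only escalates when several distinct behaviours hang off the same parent process; the benign control event trips nothing. In production the same predicates would be applied to Sysmon or EDR process-creation events rather than the constructed list.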

This resurgence of Quasar RAT demonstrates how attackers are refining old tools with modern evasion and obfuscation strategies, highlighting the need for both vigilant monitoring and advanced behavioral threat detection.
