Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.

“This technique capitalizes on the inherent trust these files command within the Windows environment,” Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a report published last week, detailing the malware’s reliance on ctfmon.exe and calc.exe as part of the attack chain.

Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.

DLL side-loading is a popular technique adopted by many threat actors to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for.

“Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process,” MITRE notes in its explanation of the attack method.

The starting point of the attack documented by Uptycs is an ISO image file that contains three files: A legitimate binary named ctfmon.exe that’s renamed as eBill-997358806.exe, a MsCtfMonitor.dll file that’s renamed as monitor.ini, and a malicious MsCtfMonitor.dll.

“When the binary file ‘eBill-997358806.exe’ is run, it initiates the loading of a file titled ‘MsCtfMonitor.dll’ (name masqueraded) via DLL side-loading technique, within which malicious code is concealed,” the researchers said.

The hidden code is another executable “FileDownloader.exe” that’s injected into Regasm.exe, the Windows Assembly Registration Tool, in order to launch the next stage, an authentic calc.exe file that loads the rogue Secure32.dll again through DLL side-loading and launch the final Quasar RAT payload.

The trojan, for its part, establishes connections with a remote server to send system information and even sets up a reverse proxy for remote access to the endpoint.

The identity of the threat actor and the exact initial access vector used to pull off the attack is unclear, but it’s likely to be disseminated by means of phishing emails, making it imperative that users be on the guard for dubious emails, links, or attachments.