asfenbrands.blogg.se

Quasar rat





- The location where the client file will be installed on a host. This field is limited to the options listed. Starred items (*) require administrator privileges.
- Makes a customizable subdirectory within the base installation path.
- exe
- A checkbox that, if checked, will add the Quasar client as an AutoRun via Registry Key or Scheduled Task.

The Quasar user can also set metadata to be embedded in the executable, such as the author, organization, copyright, year, and version. Quasar client instances are built by the server component. Based on multiple client builds, each with different configurations, the client size is consistently 349KB.


- Sets the default for whether or not the client will install on a host.
- Sets how often the client will attempt to callback if they are not connected.


Threat actors must leverage other tools or methods to gain access to a target host before they can use Quasar.

.NET Framework 4.0 (or higher) Client Profile. The Quasar client and server will run on the following OSs (32- and 64-bit):

The Quasar server component is responsible for

- Listening for and handling client connections (e.g., catching new connections, terminating connections),
- Managing connected clients (e.g., retrieving files, showing the screen, killing processes), and
- Configuring and building client executables.

Figure 1 shows the Quasar server component GUI. Quasar users interact with the server and, in turn, its clients, through the GUI. Each client’s entry is listed individually and includes the client’s Internet Protocol (IP) address, username, Quasar client version, connection status, user status, country, OS, and account type. The Quasar user initiates client interactions by right-clicking an individual client row, which opens a pop-up menu with available commands.

Figure 1: Quasar screenshot – example of a Quasar server with a connected client

The server component builds client executables that the Quasar user can run on target hosts. The client builder feature allows the Quasar user to select from different options and attributes (see table 1).

Table 1: Quasar client builder feature options and attributes

- Represents the name for the client instance. This value is displayed in the connection table (see figure 1) of the Quasar server GUI once the client connects.
- Sets the file mutual exclusion object (mutex) to prevent the same host being infected multiple times.
- Sets the server IP for the client connection.
- Sets the domain for the client connection.
- Sets the Transmission Control Protocol (TCP) port callback to “on”.
- Sets the password for Advanced Encryption Standard (AES) encryption.


Note: Quasar does not contain software vulnerability exploits.


Open-source reports state that some APT actors have adapted Quasar and created modified minor (1.3.4.0) and major (2.0.0.0 and 2.0.0.1) versions. NCCIC has not determined the exact difference between these versions and v1.3.0.0. Therefore, NCCIC cannot definitively say whether the detection and mitigation recommendations provided in this report will work effectively against APT actor-modified versions of Quasar.

Quasar uses a client-server architecture that enables one user to remotely access many clients. The server is responsible for creating client binaries and managing client connections. Users then interact with connected clients through the server’s graphical user interface (GUI).


This report does not reflect any changes Quasar’s author has made to the tool’s source code since the release of v1.3.0.0.


Quasar is authored by GitHub user MaxXor and publicly hosted as a GitHub repository. While the tool can be used for legitimate purposes (e.g., an organization’s helpdesk technician remotely accessing an employee’s laptop), the Cybersecurity and Infrastructure Security Agency (CISA) is aware of APT actors using Quasar for cybercrime and cyber espionage campaigns. Quasar was first released in July 2014 as “xRAT 2.0.” In August 2015, xRAT was renamed “Quasar” and released as v1.0.0.0. For this report, the National Cybersecurity and Communications Integration Center (NCCIC), part of CISA, analyzed Quasar version 1.3.0.0, which was released on September 28, 2016, and is the latest stable version available on GitHub.


Quasar is a publicly available, open-source RAT for Microsoft Windows operating systems (OSs) written in the C# programming language.





