Hackers use the Windows System Calculator to infect systems with the Quasar RAT Trojan

DLL Sideloading once again demonstrates its superiority over security tools.

The open-source remote access Trojan Quasar RAT uses the DLL Sideloading technique to discreetly extract data from infected Windows-based devices.

According to Uptycs researchers, this method abuses the trust that the Windows environment places in these system files. In their report, the experts described in detail how the malware exploits "ctfmon.exe" and "calc.exe" during the attack.

Quasar RAT, also known as CinaRAT or Yggdrasil, is a legitimate C#-based remote administration tool. It can collect system information, a list of running applications, files, keystrokes and screenshots, and execute arbitrary shell commands.

The DLL Sideloading technique is often used by cybercriminals, allowing them to launch their own payloads by replacing the DLL files of trusted programs with malicious ones.

As the starting point of the attack, Uptycs points to an ISO image containing three files. When the executable file inside the image is run, it loads the library "MsCtfMonitor.dll", in which the malicious code is hidden.

The hidden code is another executable, which is injected into "Regasm.exe", the Windows Assembly Registration tool, to launch the next stage of the attack. At this stage the legitimate "calc.exe", the system calculator, is launched, but together with a malicious DLL library. In the end, it is the calculator that downloads the Quasar RAT Trojan onto the victim's computer.
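The chain described above leaves a characteristic footprint: a signed Windows binary such as ctfmon.exe or calc.exe running from a mounted ISO or a user directory, and loading a DLL that does not come from the Windows system directories. The following detection script is an added example written for this post, not code from Uptycs or from the article; it scans constructed Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed) and flags loads that match that pattern. The record format, the paths and the watched-binary list are assumptions for the example.

```python
"""Detecting DLL sideloading by relocated Windows system binaries.

Added example (not from the original post or the Uptycs report): scans
constructed Sysmon-style image-load records and flags a trusted Windows
binary (calc.exe, ctfmon.exe, regasm.exe) that runs outside the Windows
directory or loads a DLL from a non-system path.
"""
import ntpath
from typing import Dict, List, Tuple

# Directories where Windows system DLLs are expected to be loaded from
# (assumed default install paths for this example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Signed Windows binaries the article names as sideloading hosts; a
# production list of abused system binaries would be much larger.
WATCHED_BINARIES = {"calc.exe", "ctfmon.exe", "regasm.exe"}

# Constructed sample records in the shape of Sysmon Event ID 7 fields.
# The drive letter E: stands in for a mounted ISO image.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\calc.exe|ImageLoaded=C:\\Windows\\System32\\gdi32.dll|Signed=true",
    "Image=E:\\ctfmon.exe|ImageLoaded=E:\\MsCtfMonitor.dll|Signed=false",
    "Image=C:\\Users\\victim\\AppData\\Local\\Temp\\calc.exe|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\example_sideload.dll|Signed=false",
    "Image=C:\\Windows\\System32\\ctfmon.exe|ImageLoaded=C:\\Windows\\System32\\MsCtfMonitor.dll|Signed=true",
    "Image=C:\\Program Files\\App\\app.exe|ImageLoaded=C:\\Program Files\\App\\helper.dll|Signed=false",
]


def _in_system_dir(path: str) -> bool:
    """True if the file's directory is one of the Windows system directories."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in SYSTEM_DIRS


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dictionary."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an image-load record looks like sideloading (empty if benign)."""
    reasons: List[str] = []
    image, loaded = event["Image"], event["ImageLoaded"]
    # Only the trusted system binaries are of interest here.
    if ntpath.basename(image).lower() not in WATCHED_BINARIES:
        return reasons
    # A system binary copied out of the Windows directory (ISO, Temp, ...)
    # is the classic setup for sideloading.
    if not _in_system_dir(image):
        reasons.append("system binary executed outside the Windows directory")
    # A system binary resolving a DLL from a non-system path is the
    # sideload itself.
    if not _in_system_dir(loaded):
        reasons.append("system binary loaded a DLL from a non-system path")
    # Corroborating signal: the loaded DLL carries no valid signature.
    if reasons and event.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Scan records and return (process, dll, reasons) for every suspicious load."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify_event(event)
        if reasons:
            alerts.append((event["Image"], event["ImageLoaded"], reasons))
    return alerts


if __name__ == "__main__":
    for process, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {process} -> {dll}: {'; '.join(reasons)}")
```

Running the script flags the two constructed records where ctfmon.exe runs from the mounted image and calc.exe runs from a Temp directory, while the same binaries loading their DLLs from System32 and an ordinary third-party application pass untouched. In a real deployment the same logic maps directly onto a Sysmon or EDR image-load query; the value of the check is that it does not depend on knowing the malicious DLL's name in advance, only on where a trusted binary and its library live.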

The Trojan, in turn, establishes a connection to a remote server in order to regularly send information about the infected system. Moreover, it even configures a reverse proxy server for quick access to the endpoint.

It is not yet clear who is behind this attack or exactly which vector was used to initiate it, but the researchers suggest that it spread through phishing emails. The experts also reminded users to stay vigilant with questionable emails, links and attachments, since these are the most common route to infecting computers with malicious software.

If you have doubts about the "cleanliness" of your computer, you should definitely scan it with any reputable antivirus solution with the latest signature databases.