Full Report
2024-12-12 • Elastic • Daniel Stepanic, Elastic Security Labs, Jia Yu Chan, Salim Bitam, Seth Goodwin • win.quasar_rat (Malpedia)
Analysis Summary
The provided context is an inventory list, not a detailed article about a specific malware or tool. However, it explicitly names **QUASAR** as having received a Golang rewrite under the name **SADBRIDGE with GOSAR**. I will proceed by summarizing the information available for **QUASAR RAT**, specifically focusing on the implication of its rewrite (GOSAR/SADBRIDGE).
Since the context doesn't provide deep technical details for the rewrite itself, the summary will heavily rely on the known characteristics of the original QUASAR RAT, highlighting the transition to Golang.
# Tool/Technique: QUASAR RAT (Golang Rewrite: SADBRIDGE/GOSAR)
## Overview
QUASAR is a well-known, open-source Remote Access Trojan (RAT) that gives threat actors remote control over compromised Windows systems. The context indicates a recent rewrite of QUASAR in Go, which may increase its evasion capabilities and cross-platform potential; the rewrite is referred to here as SADBRIDGE with GOSAR.
## Technical Details
- Type: Malware family (RAT)
- Platform: Primarily Windows (Original QUASAR); Go implementation may target multiple platforms.
- Capabilities: Remote code execution, file system manipulation, keylogging, and remote desktop access.
- First Seen: Original QUASAR dates back several years; the Golang rewrite (SADBRIDGE/GOSAR) is referenced in the context dated around 2024-12-12.
## MITRE ATT&CK Mapping
*Note: Mappings are based on the known capabilities of the original QUASAR RAT.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- Establishing command and control connections.
- Retrieving and uploading files from the compromised host.
- Executing arbitrary commands on the target system.
- Capturing screenshots.
### Advanced Features
- The transition to **Golang (GOSAR)** suggests changes compared to the original C#/.NET implementation: different binary size characteristics, reduced reliance on specific runtime libraries (which can hinder sandbox analysis), and potentially better cross-platform execution.
- Persistence mechanisms typical of RATs.
## Indicators of Compromise
*Note: Specific IoCs for the newly written SADBRIDGE/GOSAR variant are not provided in the context. These are generalized based on QUASAR behavior.*
- File Hashes: [Specific hashes for GOSAR variant unavailable]
- File Names: Varies; often disguised executables or DLLs.
- Registry Keys: [Not specified in context]
- Network Indicators: Custom TCP/UDP C2 channels or standard HTTP/HTTPS communication channels. C2 infrastructure is generally ephemeral.
- Behavioral Indicators: Unsolicited outbound connections on non-standard ports; creation of scheduled tasks or services for persistence.
## Associated Threat Actors
- QUASAR RAT has been observed in use by numerous financially motivated and espionage groups due to its open-source nature, including various APT groups and cybercrime syndicates.
## Detection Methods
- Signature-based detection: Signatures targeting known QUASAR file artifacts or C2 strings.
- Behavioral detection: Monitoring for processes attempting to inject code or self-modify memory, common in RAT operations.
- YARA rules: Rules targeting Go binaries built with specific compiler versions or embedded known QUASAR strings/structure.
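The behavioral indicators listed above (persistence via scheduled tasks or services, followed by unsolicited outbound connections on non-standard ports) can be turned into a simple correlation rule. The following is an added example, not code from the original report or from Elastic; the telemetry format, host names, paths, IP addresses (TEST-NET ranges) and the port 55555 are all constructed for illustration, and the "standard port" allow-list is an assumption to be tuned per environment.

```python
"""Correlate persistence creation with subsequent non-standard-port egress.

Added example (not from the original report). Telemetry lines are constructed:
    <ISO-8601 ts> <host> <process|netconn> <image path, no spaces> <command line | ip:port>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed allow-list of "standard" egress ports; anything else is treated as non-standard.
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}
# Windows persistence tooling named in the report: scheduled tasks and services.
PERSISTENCE_IMAGES = ("schtasks.exe", "sc.exe")
# How long after a persistence command a suspicious connection still counts as related.
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real IoCs): ws01 shows the suspicious pattern,
# ws02 creates a task but only talks to 443, ws03 uses a non-standard port with no persistence.
SAMPLE_TELEMETRY = """\
2024-12-12T10:00:01Z ws01 process C:\\Windows\\System32\\schtasks.exe /create /tn Updater /tr C:\\Users\\a\\AppData\\Local\\upd.exe /sc onlogon
2024-12-12T10:00:09Z ws01 netconn C:\\Users\\a\\AppData\\Local\\upd.exe 203.0.113.10:55555
2024-12-12T10:02:00Z ws02 process C:\\Windows\\System32\\schtasks.exe /create /tn Backup /tr C:\\Program Files\\Backup\\bk.exe /sc daily
2024-12-12T10:03:00Z ws02 netconn C:\\Apps\\firefox.exe 198.51.100.7:443
2024-12-12T10:30:00Z ws03 netconn C:\\Tools\\ssh.exe 198.51.100.9:2222
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process" or "netconn"
    image: str   # executable path that generated the event
    detail: str  # command line for process events, "ip:port" for netconn events


def parse_line(line: str) -> Event:
    """Parse one telemetry line; the detail field keeps any remaining whitespace."""
    ts, host, kind, image, detail = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, image, detail)


def parse_telemetry(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_non_standard_port(port: int) -> bool:
    return port not in STANDARD_PORTS


def correlate(events: List[Event], window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per (persistence command, later non-standard-port connection) pair
    on the same host within `window`. Neither signal alone raises an alert."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        persistence = [e for e in evs if e.kind == "process"
                       and e.image.lower().endswith(PERSISTENCE_IMAGES)]
        connections = [e for e in evs if e.kind == "netconn"]
        for p in persistence:
            for c in connections:
                if not (p.ts <= c.ts <= p.ts + window):
                    continue
                port = int(c.detail.rsplit(":", 1)[1])
                if is_non_standard_port(port):
                    alerts.append({"host": host, "persistence": p.detail,
                                   "image": c.image, "dest": c.detail})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"[ALERT] {alert['host']}: {alert['image']} -> {alert['dest']} "
              f"after persistence: {alert['persistence']}")
```

Only ws01 is flagged: the task registers a binary under a user profile and that same binary then connects out on an unusual port within the window. Requiring both signals keeps the rule from firing on routine scheduled-task creation (ws02) or on legitimate tools that happen to use non-standard ports (ws03); in production the port allow-list and window should come from baseline egress data rather than the constants assumed here.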
## Mitigation Strategies
- Network segmentation and strict egress filtering that permits only approved (allow-listed) destinations.
- Application control (whitelisting) to prevent unauthorized executables from running.
- Intrusion Detection Systems (IDS) configured to monitor for common RAT C2 patterns.
## Related Tools/Techniques
- Custom C# or VB implants utilizing similar command structures.
- Other mature RATs like Gh0st RAT or njRAT, as QUASAR is often used as a foundational piece.